CWE-176: Improper Handling of Unicode Encoding
The product does not properly handle when an input contains Unicode encoding.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
Windows provides the MultiByteToWideChar(), WideCharToMultiByte(), UnicodeToBytes(), and BytesToUnicode() functions to convert between arbitrary multibyte (usually ANSI) character strings and Unicode (wide character) strings. The size arguments to these functions are specified in different units, (one in bytes, the other in characters) making their use prone to error.
In a multibyte character string, each character occupies a varying number of bytes, and therefore the size of such strings is most easily specified as a total number of bytes. In Unicode, however, characters are always a fixed size, and string lengths are typically given by the number of characters they contain. Mistakenly specifying the wrong units in a size argument can lead to a buffer overflow.
Observed CVE Examples (3)
Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters.
View DetailsServer allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.
View DetailsCWE Relationships
Frequently Asked Questions
What is CWE-176: Improper Handling of Unicode Encoding?+
CWE-176: Improper Handling of Unicode Encoding is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly handle when an input contains Unicode encoding.
What are the security consequences of Improper Handling of Unicode Encoding?+
If exploited, CWE-176 (Improper Handling of Unicode Encoding) it can compromise Integrity, leading to outcomes such as Unexpected State.
Which programming languages are affected by Improper Handling of Unicode Encoding?+
CWE-176 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Improper Handling of Unicode Encoding?+
MITRE documents real CVEs mapped to CWE-176, including CVE-2000-0884, CVE-2001-0709 and CVE-2001-0669. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-176 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.