CWE-242: Use of Inherently Dangerous Function

BaseDraftExploit Likelihood: High

The product calls a function that can never be guaranteed to work safely.

View on MITRE
Back to CWE Lookup

Extended Description

Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-242: Use of Inherently Dangerous Function?+

CWE-242: Use of Inherently Dangerous Function is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

What are the security consequences of Use of Inherently Dangerous Function?+

If exploited, CWE-242 (Use of Inherently Dangerous Function) it can compromise Other, leading to outcomes such as Varies by Context.

How do you prevent or mitigate Use of Inherently Dangerous Function?+

Recommended mitigations for CWE-242 include: Ban the use of dangerous functions. Use their safe equivalent. Use grep or static analysis tools to spot usage of dangerous functions.

Which programming languages are affected by Use of Inherently Dangerous Function?+

CWE-242 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Use of Inherently Dangerous Function?+

MITRE documents real CVEs mapped to CWE-242, including CVE-2007-4004. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-242 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More