CWE-392: Missing Report of Error Condition
The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.
Observed CVE Examples (5)
Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)
View DetailsFunction returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
View DetailsError checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
View DetailsKernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
View DetailsFunction returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-392: Missing Report of Error Condition?+
CWE-392: Missing Report of Error Condition is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
What are the security consequences of Missing Report of Error Condition?+
If exploited, CWE-392 (Missing Report of Error Condition) it can compromise Integrity and Other, leading to outcomes such as Varies by Context and Unexpected State.
Which programming languages are affected by Missing Report of Error Condition?+
CWE-392 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Missing Report of Error Condition?+
MITRE documents real CVEs mapped to CWE-392, including [REF-1374], CVE-2004-0063, CVE-2002-1446, CVE-2002-0499 and CVE-2005-2459. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-392 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.