The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
View on MITRENo mitigation information available for this CWE.
No detection method information available for this CWE.
Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit.
View DetailsKernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't.
View DetailsMemory not properly cleared when read() function call returns fewer bytes than expected.
View DetailsBypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
View DetailsBypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
View DetailsGame server doesn't check return values for functions that handle text strings and associated size values.
View DetailsNo relationship information available for this CWE.
CWE-394: Unexpected Status Code or Return Value is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
If exploited, CWE-394 (Unexpected Status Code or Return Value) it can compromise Integrity and Other, leading to outcomes such as Unexpected State and Alter Execution Logic.
CWE-394 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-394, including CVE-2004-1395, CVE-2002-2124, CVE-2005-2553, CVE-2005-1858 and CVE-2000-0536. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-394 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.