CWE-394: Unexpected Status Code or Return Value
The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (8)
Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit.
View DetailsKernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't.
View DetailsMemory not properly cleared when read() function call returns fewer bytes than expected.
View DetailsBypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
View DetailsBypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
View DetailsGame server doesn't check return values for functions that handle text strings and associated size values.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-394: Unexpected Status Code or Return Value?+
CWE-394: Unexpected Status Code or Return Value is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
What are the security consequences of Unexpected Status Code or Return Value?+
If exploited, CWE-394 (Unexpected Status Code or Return Value) it can compromise Integrity and Other, leading to outcomes such as Unexpected State and Alter Execution Logic.
Which programming languages are affected by Unexpected Status Code or Return Value?+
CWE-394 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Unexpected Status Code or Return Value?+
MITRE documents real CVEs mapped to CWE-394, including CVE-2004-1395, CVE-2002-2124, CVE-2005-2553, CVE-2005-1858 and CVE-2000-0536. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-394 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.