The code uses an operator for comparison when the intention was to perform an assignment.
View on MITREIn many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
The assignment will not take place, which should cause obvious program execution problems.
Many IDEs and static analysis products will detect this problem.
No detection method information available for this CWE.
The following example demonstrates the weakness.
void called(int foo) {foo==1;if (foo==1) System.out.println("foo\n");}int main() { called(2);return 0; }The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable.
The push method includes an expression to assign the integer value to the location in the stack pointed to by the pointer variable.
#define SIZE 50int *tos, *p1, stack[SIZE]; void push(int i) { p1++;if(p1==(tos+SIZE)) { // Print stack overflow error message and exit }*p1 == i; } int pop(void) { if(p1==tos) { // Print stack underflow error message and exit }p1--;return *(p1+1); } int main(int argc, char *argv[]) { // initialize tos and p1 to point to the top of stack tos = stack;p1 = stack; // code to add and remove items from stack ...return 0; }CWE-482: Comparing instead of Assigning is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code uses an operator for comparison when the intention was to perform an assignment. In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
If exploited, CWE-482 (Comparing instead of Assigning) it can compromise Availability and Integrity, leading to outcomes such as Unexpected State.
Recommended mitigations for CWE-482 include: Many IDEs and static analysis products will detect this problem.
CWE-482 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-482 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.