The product sets a pointer to a specific address other than NULL or 0.
View on MITREUsing a fixed address is not portable, because that address will probably not be valid in all environments or platforms.
If one executes code at a known location, an attacker might be able to inject code there beforehand.
If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash.
The data at a known pointer location can be easily read or influenced by an attacker.
Never set a pointer to a fixed address.
No detection method information available for this CWE.
This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.
The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.
CWE-587: Assignment of a Fixed Address to a Pointer is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product sets a pointer to a specific address other than NULL or 0. Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms.
If exploited, CWE-587 (Assignment of a Fixed Address to a Pointer) it can compromise Integrity, Confidentiality and Availability, leading to outcomes such as Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart, Reduce Maintainability, Reduce Reliability, Read Memory and Modify Memory.
Recommended mitigations for CWE-587 include: Never set a pointer to a fixed address.
CWE-587 commonly affects C, C++, C# and Assembly. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-587 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.