CWE-587: Assignment of a Fixed Address to a Pointer
The product sets a pointer to a specific address other than NULL or 0.
Extended Description
Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms.
Technical Details
Structure: Simple
Applicable To: C, C++, C#, Assembly
Security Consequences
- Impact: If one executes code at a known location, an attacker might be able to inject code there beforehand.
- Impact: If the code is ported to another platform or environment, the pointer is likely to be invalid and cause a crash.
- Impact: The data at a known pointer location can be easily read or influenced by an attacker.
Mitigation Strategies
- Never set a pointer to a fixed address.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The example code assumes that a particular function will always be found at a particular address: it assigns a function pointer to that fixed address and then calls through it.
The same function will not always be found at the same memory address. At best the call lands on an invalid address and crashes; at worst an attacker who can place data at the expected address controls what the program executes, leading to arbitrary code execution.
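The pattern the demonstrative example describes, next to the by-name binding that replaces it, as an added C example that is not part of the CWE entry or MITRE's code; the handler function, the lookup table and the placeholder address 0x08040000 are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int (*handler_fn)(float, char, char);

/* Stand-in for the function the page's example reaches through a hard-coded address. */
static int handler(float a, char b, char c)
{
    return (int)a + b + c;
}

/* CWE-587 pattern: the pointer is set to a fixed address. The value is a constructed
 * placeholder; it is returned but never called, because it is not valid in this process. */
static handler_fn fixed_address_pointer(void)
{
    return (handler_fn)(uintptr_t)0x08040000u;
}

/* Mitigated pattern: bind by symbol, not by address. The linker supplies the real
 * location of handler(), so the table is correct wherever the binary is loaded. */
struct entry { const char *name; handler_fn fn; };
static const struct entry table[] = { { "handler", handler } };

/* Returns 1 only for pointers that came from the table, so a pointer obtained any other
 * way (a literal, a config value) is refused before it is ever dereferenced. */
static int is_known_handler(handler_fn fn)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].fn == fn)
            return 1;
    return 0;
}

static handler_fn lookup(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].fn;
    return NULL;
}

/* Calls a handler by name; fails closed with -1 instead of jumping to an unknown address. */
static int call_by_name(const char *name, float a, char b, char c)
{
    handler_fn fn = lookup(name);
    if (fn == NULL || !is_known_handler(fn))
        return -1;
    return fn(a, b, c);
}
```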
CWE Relationships
Frequently Asked Questions
What is CWE-587: Assignment of a Fixed Address to a Pointer?
CWE-587: Assignment of a Fixed Address to a Pointer is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product sets a pointer to a specific address other than NULL or 0. Using a fixed address is not portable, because that address will probably not be valid in all environments or platforms.
What are the security consequences of Assignment of a Fixed Address to a Pointer?
If exploited, CWE-587 (Assignment of a Fixed Address to a Pointer) can compromise Integrity, Confidentiality and Availability, leading to outcomes such as Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Reduce Maintainability; Reduce Reliability; Read Memory; and Modify Memory.
How do you prevent or mitigate Assignment of a Fixed Address to a Pointer?
Recommended mitigations for CWE-587 include: Never set a pointer to a fixed address.
Which programming languages are affected by Assignment of a Fixed Address to a Pointer?
CWE-587 commonly affects C, C++, C# and Assembly. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-587 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.