CWE-670: Always-Incorrect Control Flow Implementation

ClassDraft

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

View on MITRE
Back to CWE Lookup

Extended Description

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-670: Always-Incorrect Control Flow Implementation?+

CWE-670: Always-Incorrect Control Flow Implementation is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

What are the security consequences of Always-Incorrect Control Flow Implementation?+

If exploited, CWE-670 (Always-Incorrect Control Flow Implementation) it can compromise Other, leading to outcomes such as Other and Alter Execution Logic.

What are real-world examples of Always-Incorrect Control Flow Implementation?+

MITRE documents real CVEs mapped to CWE-670, including CVE-2021-3011. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-670 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-670: Always-Incorrect Control Flow Implementation | CWE Lookup | InventiveHQ