The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
View on MITRENo mitigation information available for this CWE.
No detection method information available for this CWE.
The following function attempts to acquire a lock in order to perform operations on a shared resource.
However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.
The following function attempts to acquire a lock in order to perform operations on a shared resource.
However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.
In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.
This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.
This function prints the contents of a specified file requested by a user.
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
View Detailschain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
View DetailsChain: off-by-one error (CWE-193) leads to infinite loop (CWE-835) using invalid hex-encoded characters.
View DetailsNo relationship information available for this CWE.
CWE-691: Insufficient Control Flow Management is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
If exploited, CWE-691 (Insufficient Control Flow Management) it can compromise Other, leading to outcomes such as Alter Execution Logic.
CWE-691 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-691, including CVE-2019-9805, CVE-2014-1266 and CVE-2011-1027. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-691 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.