CWE-754: Improper Check for Unusual or Exceptional Conditions

ClassIncompleteExploit Likelihood: Medium

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

View on MITRE
Back to CWE Lookup

Extended Description

The programmer may assume that certain events or conditions will never occur or do not need to be worried about, such as low memory conditions, lack of access to resources due to restrictive permissions, or misbehaving clients or components. However, attackers may intentionally trigger these unusual conditions, thus violating the programmer's assumptions, possibly introducing instability, incorrect behavior, or a vulnerability. Note that this entry is not exclusively about the use of exceptions and exception handling, which are mechanisms for both checking and handling unusual or unexpected conditions.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-754: Improper Check for Unusual or Exceptional Conditions?+

CWE-754: Improper Check for Unusual or Exceptional Conditions is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. The programmer may assume that certain events or conditions will never occur or do not need to be worried about, such as low memory conditions, lack of access to resources due to restrictive permissions, or misbehaving clients or components. However, attackers may intentionally trigger these unusual conditions, thus violating the programmer's assumptions, possibly introducing instability, incorrect behavior, or a vulnerability. Note that this entry is not exclusively about the use of exceptions and exception handling, which are mechanisms for both checking and handling unusual or unexpected conditions.

What are the security consequences of Improper Check for Unusual or Exceptional Conditions?+

If exploited, CWE-754 (Improper Check for Unusual or Exceptional Conditions) it can compromise Integrity and Availability, leading to outcomes such as DoS: Crash, Exit, or Restart and Unexpected State.

How do you prevent or mitigate Improper Check for Unusual or Exceptional Conditions?+

Recommended mitigations for CWE-754 include: Check the results of all functions that return a value and verify that the value is expected. If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248). Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

How is Improper Check for Unusual or Exceptional Conditions detected?+

CWE-754 can be detected using Automated Static Analysis. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Improper Check for Unusual or Exceptional Conditions?+

CWE-754 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Check for Unusual or Exceptional Conditions?+

MITRE documents real CVEs mapped to CWE-754, including CVE-2023-49286, CVE-2007-3798, CVE-2006-4447 and CVE-2006-2916. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-754 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More