The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

What CVEs are caused by CWE-1023?

7 recorded CVEs are attributed to CWE-1023, including CVE-2026-7473, CVE-2025-62000, CVE-2021-23146. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How is CWE-1023 detected?

Manual Static Analysis: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

What are the consequences of CWE-1023?

Exploiting CWE-1023 can lead to: Alter Execution Logic, Bypass Protection Mechanism.

Is CWE-1023 actively exploited?

Yes. 1 CWE-1023 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 7 recorded CVEs.

CWE-1023: Incomplete Comparison with Missing Factors

CVE-2021-23146

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Consider an application in which Truck objects are defined to be the same if they have the same make, the same model, and were manufactured in the same year.

Vulnerable example

java

public class Truck {

Here, the equals() method only checks the make and model of the Truck objects, but the year of manufacture is not included.

This example defines a fixed username and password. The AuthenticateUser() function is intended to accept a username and a password from an untrusted user, and check to ensure that it matches the username and password. If the username and password match, AuthenticateUser() is intended to indicate that authentication succeeded.

Vulnerable example

/* Ignore CWE-259 (hard-coded password) and CWE-309 (use of password system for authentication) for this example. */

Attack input

plaintext

CWE-1023: Incomplete Comparison with Missing Factors

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Manual Static Analysis

Code examples

Illustrative examples

Frequently asked questions

What is CWE-1023?

What CVEs are caused by CWE-1023?

How is CWE-1023 detected?

What are the consequences of CWE-1023?

Is CWE-1023 actively exploited?

References

Stay ahead of CWE-1023

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Manual Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Frequently asked questions

What is CWE-1023?

What CVEs are caused by CWE-1023?

How is CWE-1023 detected?

What are the consequences of CWE-1023?

Is CWE-1023 actively exploited?

References

Stay ahead of CWE-1023