The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
CWE-1025 (Comparison Using Wrong Factors) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
7 recorded CVEs are caused by CWE-1025 (Comparison Using Wrong Factors). The highest-severity and most recent are shown first. 2 new CWE-1025 CVEs have been recorded so far in 2026 (4 in 2025).
Improper timestamp caching during snapshot rollback in tough
What can happen when CWE-1025 is exploited.
Varies by Context
Affects: Other
This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.
Typically introduced during these phases of the software lifecycle.
Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Illustrative examples from MITRE showing how the weakness appears in code.
In the example below, two Java String objects are declared and initialized with the same string values. An if statement is used to determine if the strings are equivalent.
Vulnerable example
String str1 = new String("Hello");
String str2 = new String("Hello");
if (str1 == str2) {
    System.out.println("str1 == str2");
}
However, the body of the if statement will not be executed, because the strings are compared using the "==" operator. For Java objects, such as String objects, the "==" operator compares object references, not object values. While the two String objects above contain the same string values, they refer to different object references, so the System.out.println statement will not be executed. To compare object values, the previous code could be modified to use the equals method:
Safe example
if (str1.equals(str2)) {
    System.out.println("str1 equals str2");
}
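The following added example (not from MITRE or this page) applies the positive and negative testing advice to the reference-versus-contents mistake described above. The class and method names (ComparisonSchemeCheck, sameValueWeak, sameValueFixed, failures) are hypothetical and the inputs are constructed.

```java
import java.util.function.BiPredicate;

public class ComparisonSchemeCheck {
    // Weak scheme: "==" compares object references, the wrong factor.
    static boolean sameValueWeak(String expected, String supplied) {
        return expected == supplied;
    }

    // Corrected scheme: equals() compares contents; also null-safe.
    static boolean sameValueFixed(String expected, String supplied) {
        return expected != null && expected.equals(supplied);
    }

    // Runs positive and negative cases; returns how many gave the wrong answer.
    static int failures(String name, BiPredicate<String, String> scheme) {
        String expected = "Hello";
        // Constructed inputs. The second is built at run time, the way parsed
        // or network input is, so it is a distinct object with equal contents.
        String[] labels = {"positive: same literal", "positive: built at run time",
                           "negative: different case", "negative: null"};
        String[] inputs = {"Hello", new String(new char[] {'H', 'e', 'l', 'l', 'o'}),
                           "hello", null};
        boolean[] want = {true, true, false, false};

        int failed = 0;
        for (int i = 0; i < inputs.length; i++) {
            boolean got = scheme.test(expected, inputs[i]);
            if (got != want[i]) {
                failed++;
                System.out.println(name + " FAILED " + labels[i] + ": got " + got);
            }
        }
        return failed;
    }

    public static void main(String[] args) {
        int weak = failures("weak", ComparisonSchemeCheck::sameValueWeak);
        int fixed = failures("fixed", ComparisonSchemeCheck::sameValueFixed);
        System.out.println("weak failures=" + weak + ", fixed failures=" + fixed);
    }
}
```

The weak scheme passes the literal-only positive case because Java interns string literals, so both operands are the same object. A test suite that uses only literals would miss the defect, which surfaces once the input is built at run time.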
Common questions about CWE-1025.
7 recorded CVEs are attributed to CWE-1025, including CVE-2026-40880, CVE-2025-32464, CVE-2026-40227.
Manual Static Analysis: Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.
Exploiting CWE-1025 can lead to: Varies by Context.
7 recorded CVEs are caused by CWE-1025; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.