The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.

What CVEs are caused by CWE-1076?

2 recorded CVEs are attributed to CWE-1076, including CVE-2021-1268, CVE-2023-32642.

How is CWE-1076 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-1076?

Exploiting CWE-1076 can lead to: Reduce Maintainability.

Is CWE-1076 actively exploited?

2 recorded CVEs are caused by CWE-1076; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-1076: Insufficient Adherence to Expected Conventions

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Documentation

CWE-1076: Insufficient Adherence to Expected Conventions

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The usage of symbolic names instead of hard-coded constants is preferred.

Vulnerable example

char buffer[1024];

Safe example

enum { MAX_BUFFER_SIZE = 1024 };

The following code fragment calls finalize() explicitly:

Vulnerable example

java

// time to clean up

How it happens

When it is introduced

CWE-1076: Insufficient Adherence to Expected Conventions

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Frequently asked questions

What is CWE-1076?

What CVEs are caused by CWE-1076?

How is CWE-1076 detected?

What are the consequences of CWE-1076?

Is CWE-1076 actively exploited?

References

Stay ahead of CWE-1076

How it happens

When it is introduced

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Child

Frequently asked questions

What is CWE-1076?

What CVEs are caused by CWE-1076?

How is CWE-1076 detected?

What are the consequences of CWE-1076?

Is CWE-1076 actively exploited?

References

Stay ahead of CWE-1076