CWE-1077: Floating Point Comparison with Incorrect Operator
The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
Last updated
Overview
Numeric calculation using floating point values can generate imprecise results because of rounding errors. As a result, two different calculations might generate numbers that are mathematically equal, but have slightly different bit representations that do not translate to the same mathematically-equal values. As a result, an equality test or other comparison might produce unexpected results.
Real-world CVEs
5 recorded CVEs are caused by CWE-1077 (Floating Point Comparison with Incorrect Operator). The highest-severity and most recent are shown first. 1 new CWE-1077 CVE has been recorded so far in 2026.
- CVE-2025-55658Medium · CVSS 6.5 · EPSS 21th2026-06-09
- CVE-2023-32627Medium · CVSS 6.2 · EPSS 20th2023-07-10
- CVE-2023-26590
Floating point exception in src/aiff.c
Medium · CVSS 6.2 · EPSS 11th2023-07-10 - CVE-2023-4720Medium · CVSS 5.5 · EPSS 21th2023-09-01
- CVE-2022-4293Medium · CVSS 5.5 · EPSS 37th2022-12-05
Common consequences
What can happen when CWE-1077 is exploited.
Reduce Reliability
Affects: Other
This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Terminology & mappings
Mapped taxonomies
- OMG ASCRM (ASCRM-RLB-9)
Frequently asked questions
Common questions about CWE-1077.
- What is CWE-1077?
- The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
- What CVEs are caused by CWE-1077?
- 5 recorded CVEs are attributed to CWE-1077, including CVE-2025-55658, CVE-2023-32627, CVE-2023-26590.
- How is CWE-1077 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1077?
- Exploiting CWE-1077 can lead to: Reduce Reliability.
- Is CWE-1077 actively exploited?
- 5 recorded CVEs are caused by CWE-1077; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1077) (opens in a new tab)
- CWE-1077 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1077
Get alerted the moment a new CWE-1077 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.