Variant weakness

Incomplete

CWE-1077: Floating Point Comparison with Incorrect Operator

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.

Last updated May 1, 2026

5

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

Numeric calculation using floating point values can generate imprecise results because of rounding errors. As a result, two different calculations might generate numbers that are mathematically equal, but have slightly different bit representations that do not translate to the same mathematically-equal values. As a result, an equality test or other comparison might produce unexpected results.

Real-world CVEs

5 recorded CVEs are caused by CWE-1077 (Floating Point Comparison with Incorrect Operator). The highest-severity and most recent are shown first. 1 new CWE-1077 CVE has been recorded so far in 2026.

CVE-2023-26590

Floating point exception in src/aiff.c

Medium · CVSS 6.2 · EPSS 10th

2023-07-10

CVE-2023-4720

Medium · CVSS 4.0 · EPSS 11th

2023-09-01

Common consequences

What can happen when CWE-1077 is exploited.

Reduce Reliability

Affects: Other

This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Terminology & mappings

Mapped taxonomies

OMG ASCRM (ASCRM-RLB-9)

Frequently asked questions

Common questions about CWE-1077.

What is CWE-1077?

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.

What CVEs are caused by CWE-1077?

5 recorded CVEs are attributed to CWE-1077, including CVE-2022-4293, CVE-2025-55658, CVE-2023-32627.

How is CWE-1077 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-1077?

Exploiting CWE-1077 can lead to: Reduce Reliability.

Is CWE-1077 actively exploited?

5 recorded CVEs are caused by CWE-1077; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1077

Get alerted the moment a new CWE-1077 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing