Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

What CVEs are caused by CWE-123?

40 recorded CVEs are attributed to CWE-123, including CVE-2025-22225, CVE-2024-42479, CVE-2025-69809. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-123?

Use a language that provides appropriate memory abstractions.

How is CWE-123 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-123?

Exploiting CWE-123 can lead to: Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, Bypass Protection Mechanism, Other.

Is CWE-123 actively exploited?

Yes. 1 CWE-123 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 40 recorded CVEs.

CWE-123: Write-what-where Condition

Real-world CVEs

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The classic example of a write-what-where condition occurs when the accounting information for memory allocations is overwritten in a particular fashion. Here is an example of potentially vulnerable code:

Vulnerable example

#define BUFSIZE 256

Real-world CVEs

CWE-123: Write-what-where Condition

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-123?

What CVEs are caused by CWE-123?

How do you prevent CWE-123?

How is CWE-123 detected?

What are the consequences of CWE-123?

Is CWE-123 actively exploited?

References

Stay ahead of CWE-123

Real-world CVEs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-123?

What CVEs are caused by CWE-123?

How do you prevent CWE-123?

How is CWE-123 detected?

What are the consequences of CWE-123?

Is CWE-123 actively exploited?

References

Stay ahead of CWE-123