Base weakness
Incomplete
Log in
The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.
Last updated
In highly distributed environments, or on systems with distinct physical components that operate independently, there is often a need for each component to store and update its own local copy of key data such as state or cache, so that all components have the same "view" of the overall system and operate in a coordinated fashion. For example, users of a social media service or a massively multiplayer online game might be using their own personal computers while also interacting with different physical hosts in a globally distributed service, but all participants must be able to have the same "view" of the world. Alternately, a processor's Memory Management Unit (MMU) might have "shadow" MMUs to distribute its workload, and all shadow MMUs are expected to have the same accessible ranges of memory. In such environments, it becomes critical for the product to ensure that this "shared state" is consistently modified across all distributed systems. If state is not consistently maintained across all systems, then critical transactions might take place out of order, or some users might not get the same data as other users. When this inconsistency affects correctness of operations, it can introduce vulnerabilities in mechanisms that depend on consistent state.
5 recorded CVEs are caused by CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State). The highest-severity and most recent are shown first. 0 new CWE-1250 CVEs have been recorded so far in 2026 (2 in 2025).
What can happen when CWE-1250 is exploited.
Unexpected State
Affects: Other
One or more of the components/sub-systems could assume that the state is different than it actually is.
Typically introduced during these phases of the software lifecycle.
Technologies
Illustrative examples from MITRE showing how the weakness appears in code.
Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.
Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario.
Common questions about CWE-1250.
The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.
5 recorded CVEs are attributed to CWE-1250, including CVE-2025-30189, CVE-2023-22405, CVE-2022-22234.
Exploiting CWE-1250 can lead to: Unexpected State.
5 recorded CVEs are caused by CWE-1250; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-1250 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.