CWE-1254: Incorrect Comparison Logic Granularity
The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
Last updated
Overview
Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify when exactly the failure occurred. With multiple attempts, the attacker may be able to guesses the correct password/response to challenge and elevate their privileges.
Real-world CVEs
5 recorded CVEs are caused by CWE-1254 (Incorrect Comparison Logic Granularity). The highest-severity and most recent are shown first. 4 new CWE-1254 CVEs have been recorded so far in 2026 (1 in 2025).
- CVE-2026-34572
CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
High · CVSS 8.8 · EPSS 40th2026-04-01 - CVE-2026-34570
CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
High · CVSS 8.8 · EPSS 40th2026-04-01 - CVE-2026-28929High · CVSS 7.5 · EPSS 33th2026-05-11
- CVE-2013-10031
Plack::Middleware::Session versions before 0.17 for Perl may be vulnerable to HMAC comparison timing attacks
High · CVSS 7.5 · EPSS 17th2025-12-09 - CVE-2026-27007
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
Medium · CVSS 4.8 · EPSS 5th2026-02-19
Common consequences
What can happen when CWE-1254 is exploited.
Bypass Protection Mechanism
Affects: Confidentiality, Authorization
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1254, grouped by where in the lifecycle they apply.
The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2019-10482 — Smartphone OS uses comparison functions that are not in constant time, allowing side channels
- CVE-2019-10071 — Java-oriented framework compares HMAC signatures using String.equals() instead of a constant-time algorithm, causing timing discrepancies
- CVE-2014-0984 — Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1254.
- What is CWE-1254?
- The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
- What CVEs are caused by CWE-1254?
- 5 recorded CVEs are attributed to CWE-1254, including CVE-2026-34572, CVE-2026-34570, CVE-2026-28929.
- How do you prevent CWE-1254?
- The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.
- What are the consequences of CWE-1254?
- Exploiting CWE-1254 can lead to: Bypass Protection Mechanism.
- Is CWE-1254 actively exploited?
- 5 recorded CVEs are caused by CWE-1254; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1254) (opens in a new tab)
- CWE-1254 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1254
Get alerted the moment a new CWE-1254 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.