Base weakness

Draft

CWE-1254: Incorrect Comparison Logic Granularity

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

Last updated May 1, 2026

5

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify when exactly the failure occurred. With multiple attempts, the attacker may be able to guesses the correct password/response to challenge and elevate their privileges.

Real-world CVEs

5 recorded CVEs are caused by CWE-1254 (Incorrect Comparison Logic Granularity). The highest-severity and most recent are shown first. 4 new CWE-1254 CVEs have been recorded so far in 2026 (1 in 2025).

CVE-2026-28929

High · CVSS 7.5 · EPSS 32th

2026-05-11

CVE-2013-10031

Plack::Middleware::Session versions before 0.17 for Perl may be vulnerable to HMAC comparison timing attacks

High · CVSS 7.5 · EPSS 15th

2025-12-09

CVE-2026-27007

OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

Medium · CVSS 4.8 · EPSS 5th

2026-02-19

Common consequences

What can happen when CWE-1254 is exploited.

Bypass Protection Mechanism

Affects: Confidentiality, Authorization

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

How to prevent it

Practical mitigations for CWE-1254, grouped by where in the lifecycle they apply.

Implementation

The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2019-10482 — Smartphone OS uses comparison functions that are not in constant time, allowing side channels
CVE-2019-10071 — Java-oriented framework compares HMAC signatures using String.equals() instead of a constant-time algorithm, causing timing discrepancies
CVE-2014-0984 — Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-26: Leveraging Race Conditions

Frequently asked questions

Common questions about CWE-1254.

What is CWE-1254?

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

What CVEs are caused by CWE-1254?

5 recorded CVEs are attributed to CWE-1254, including CVE-2026-34572, CVE-2026-34570, CVE-2026-28929.

How do you prevent CWE-1254?

The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.

What are the consequences of CWE-1254?

Exploiting CWE-1254 can lead to: Bypass Protection Mechanism.

Is CWE-1254 actively exploited?

5 recorded CVEs are caused by CWE-1254; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1254

Get alerted the moment a new CWE-1254 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing