CWE-1338: Improper Protections Against Hardware Overheating
A hardware device is missing or has inadequate protection features to prevent overheating.
Last updated
Overview
Hardware, electrical circuits, and semiconductor silicon have thermal side effects, such that some of the energy consumed by the device gets dissipated as heat and increases the temperature of the device. For example, in semiconductors, higher-operating frequency of silicon results in higher power dissipation and heat. The leakage current in CMOS circuits increases with temperature, and this creates positive feedback that can result in thermal runaway and damage the device permanently. Any device lacking protections such as thermal sensors, adequate platform cooling, or thermal insulation is susceptible to attacks by malicious software that might deliberately operate the device in modes that result in overheating. This can be used as an effective denial of service (DoS) or permanent denial of service (PDoS) attack. Depending on the type of hardware device and its expected usage, such thermal overheating can also cause safety hazards and reliability issues. Note that battery failures can also cause device overheating but the mitigations and examples included in this submission cannot reliably protect against a battery failure. There can be similar weaknesses with lack of protection from attacks based on overvoltage or overcurrent conditions. However, thermal heat is generated by hardware operation and the device should implement protection from overheating.
Common consequences
What can happen when CWE-1338 is exploited.
DoS: Resource Consumption (Other)
Affects: Availability
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1338, grouped by where in the lifecycle they apply.
Temperature maximum and minimum limits should be enforced using thermal sensors both in silicon and at the platform level.
The platform should support cooling solutions such as fans that can be modulated based on device-operation needs to maintain a stable temperature.
How to detect it
Dynamic Analysis with Manual Results Interpretation
Dynamic tests should be performed to stress-test temperature controls.
Effectiveness: High
Architecture or Design Review
Power management controls should be part of Architecture and Design reviews.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Malicious software running on a core can execute instructions that consume maximum power or increase core frequency. Such a power-virus program could execute on the platform for an extended time to overheat the device, resulting in permanent damage.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1338.
- What is CWE-1338?
- A hardware device is missing or has inadequate protection features to prevent overheating.
- How do you prevent CWE-1338?
- Temperature maximum and minimum limits should be enforced using thermal sensors both in silicon and at the platform level.
- How is CWE-1338 detected?
- Dynamic Analysis with Manual Results Interpretation: Dynamic tests should be performed to stress-test temperature controls.
- What are the consequences of CWE-1338?
- Exploiting CWE-1338 can lead to: DoS: Resource Consumption (Other).
References
- MITRE CWE definition (CWE-1338) (opens in a new tab)
- CWE-1338 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1338
Get alerted the moment a new CWE-1338 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.