CWE-228: Improper Handling of Syntactically Invalid Structure
The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
Last updated
Overview
CWE-228 (Improper Handling of Syntactically Invalid Structure) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
19 recorded CVEs are caused by CWE-228 (Improper Handling of Syntactically Invalid Structure). The highest-severity and most recent are shown first. 6 new CWE-228 CVEs have been recorded so far in 2026 (5 in 2025).
- CVE-2024-55594Critical · CVSS 9.8 · EPSS 39th2025-03-14
- CVE-2023-42784Critical · CVSS 9.8 · EPSS 28th2025-03-11
- CVE-2021-38443Critical · CVSS 9.8 · EPSS 80th2022-05-05
- CVE-2020-27847Critical · CVSS 9.8 · EPSS 75th2021-05-28
- CVE-2026-20125High · CVSS 7.7 · EPSS 20th2026-03-25
- CVE-2026-34232
Firebird: DoS via `op_response` packet from client
High · CVSS 7.5 · EPSS 37th2026-04-17 - CVE-2025-0343High · CVSS 7.5 · EPSS 24th2025-01-15
- CVE-2024-6382High · CVSS 7.5 · EPSS 20th2024-07-02
- CVE-2024-21612High · CVSS 7.5 · EPSS 41th2024-01-12
- CVE-2018-5381High · CVSS 7.5 · EPSS 98th2018-02-19
- CVE-2025-59174High · CVSS 7.1 · EPSS 6th2026-06-05
- CVE-2026-25657
Ericsson Packet Core Gateway (PCG) - Improper Handling of Syntactically Invalid Structure Vulnerability
High · CVSS 7.1 · EPSS 6th2026-06-05
Showing 12 of 19 recorded CWE-228 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-228 vulnerabilitiesCommon consequences
What can happen when CWE-228 is exploited.
Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU)
Affects: Integrity, Availability
If an input is syntactically invalid, then processing the input could place the system in an unexpected state that could lead to a crash, consume available system resources or other unintended behaviors.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This Android application has registered to handle a URL when sent an intent:
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2004-0270 — Anti-virus product has assert error when line length is non-numeric.
Terminology & mappings
Mapped taxonomies
- PLOVER: Structure and Validity Problems
- OWASP Top Ten 2004: Improper Error Handling (A7) — CWE More Specific fit
Frequently asked questions
Common questions about CWE-228.
- What is CWE-228?
- The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
- What CVEs are caused by CWE-228?
- 19 recorded CVEs are attributed to CWE-228, including CVE-2024-55594, CVE-2023-42784, CVE-2021-38443.
- Is CWE-228 part of the OWASP Top 10?
- CWE-228 maps to OWASP Top Ten 2004: Improper Error Handling (A7) in the OWASP security taxonomy.
- How is CWE-228 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-228?
- Exploiting CWE-228 can lead to: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU).
- Is CWE-228 actively exploited?
- 19 recorded CVEs are caused by CWE-228; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-228) (opens in a new tab)
- CWE-228 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-228
Get alerted the moment a new CWE-228 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.