Log inLog in

Variant weakness

Draft

CWE-230: Improper Handling of Missing Values

Q: What CVEs are caused by CWE-230?

12 recorded CVEs are attributed to CWE-230, including CVE-2024-11024, CVE-2024-10508, CVE-2026-20086.

Q: What are the consequences of CWE-230?

Exploiting CWE-230 can lead to: Unexpected State.

Q: Is CWE-230 actively exploited?

12 recorded CVEs are caused by CWE-230; none are currently in CISA's KEV catalog of actively exploited flaws.

The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

Last updated May 1, 2026

12

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

CWE-230 (Improper Handling of Missing Values) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

12 recorded CVEs are caused by CWE-230 (Improper Handling of Missing Values). The highest-severity and most recent are shown first. 4 new CWE-230 CVEs have been recorded so far in 2026 (1 in 2025).

2026-03-25

CVE-2024-0048

High · CVSS 8.4 · EPSS 6th

2024-03-11

CVE-2024-9781

Improper Handling of Missing Values in Wireshark

High · CVSS 7.8 · EPSS 39th

2024-10-10

CVE-2024-0208

Improper Handling of Missing Values in Wireshark

High · CVSS 7.8 · EPSS 10th

2024-01-03

CVE-2026-25659

Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability

High · CVSS 7.1 · EPSS 5th

2026-06-05

CVE-2026-25658

Ericsson Packet Core Gateway (PCG) - Improper handling of missing values Vulnerability

High · CVSS 7.1 · EPSS 5th

2026-06-05

CVE-2026-1461

Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values

Medium · CVSS 6.5 · EPSS 23th

2026-02-19

CVE-2025-23225

IBM MQ denial of service

Medium · CVSS 6.5 · EPSS 40th

2025-02-28

CVE-2024-6237

389-ds-base: unauthenticated user can trigger a dos by sending a specific extended search request

Medium · CVSS 6.5 · EPSS 78th

2024-07-09

CVE-2023-1697

Medium · CVSS 6.5 · EPSS 51th

2023-04-17

Common consequences

What can happen when CWE-230 is exploited.

Unexpected State

Affects: Integrity

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This Android application has registered to handle a URL when sent an intent:

The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2002-0422 — Blank Host header triggers resultant infoleak.
CVE-2000-1006 — Blank "charset" attribute in MIME header triggers crash.
CVE-2004-1504 — Blank parameter causes external error infoleak.
CVE-2005-2053 — Blank parameter causes external error infoleak.

Terminology & mappings

Mapped taxonomies

PLOVER: Missing Value Error
The CERT Oracle Secure Coding Standard for Java (2011): Do not catch NullPointerException or any of its ancestors (ERR08-J)

Frequently asked questions

Common questions about CWE-230.

What is CWE-230?

The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.

What CVEs are caused by CWE-230?

12 recorded CVEs are attributed to CWE-230, including CVE-2024-11024, CVE-2024-10508, CVE-2026-20086.

What are the consequences of CWE-230?

Exploiting CWE-230 can lead to: Unexpected State.

Is CWE-230 actively exploited?