Base weakness

Draft

CWE-241: Improper Handling of Unexpected Data Type

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Last updated May 1, 2026

29

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-241 (Improper Handling of Unexpected Data Type) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

29 recorded CVEs are caused by CWE-241 (Improper Handling of Unexpected Data Type). The highest-severity and most recent are shown first. 1 new CWE-241 CVE has been recorded so far in 2026 (6 in 2025).

CVE-2025-63548

High · CVSS 7.5 · EPSS 36th

2026-05-01

CVE-2023-30591

High · CVSS 7.5 · EPSS 83th

2023-09-29

CVE-2021-39131

High · CVSS 7.5 · EPSS 69th

2021-08-17

CVE-2025-2268

HP LaserJet MFP M232-M237 Printer Series - Potential Denial of Service

Medium · CVSS 6.9 · EPSS 61th

2025-03-14

CVE-2025-1004

Certain HP LaserJet Pro Printers – Potential Denial of Service

Medium · CVSS 6.9 · EPSS 42th

2025-02-06

CVE-2024-0151

Medium · CVSS 6.5 · EPSS 33th

2024-04-24

CVE-2022-39065

Medium · CVSS 6.5 · EPSS 26th

2022-10-14

CVE-2021-0242

Junos OS: EX4300: FPC crash upon receipt of specific frames on an interface without L2PT or dot1x configured

Medium · CVSS 6.5 · EPSS 23th

2021-04-22

CVE-2022-22219

Medium · CVSS 5.9 · EPSS 66th

2022-10-18

Showing 12 of 29 recorded CWE-241 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-241 vulnerabilities

Common consequences

What can happen when CWE-241 is exploited.

Varies by Context, Unexpected State

Affects: Integrity, Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-241, grouped by where in the lifecycle they apply.

Implementation

Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Implementation

Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-1999-1156 — FTP server crash via PORT command with non-numeric character.
CVE-2004-0270 — Anti-virus product has assert error when line length is non-numeric.

Terminology & mappings

Mapped taxonomies

PLOVER: Wrong Data Type
CERT C Secure Coding: Do not assume that fgets() or fgetws() returns a nonempty string when successful (FIO37-C) — CWE More Abstract fit

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-48: Passing Local Filenames to Functions That Expect a URL

Frequently asked questions

Common questions about CWE-241.

What is CWE-241?

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

What CVEs are caused by CWE-241?

29 recorded CVEs are attributed to CWE-241, including CVE-2021-40116, CVE-2022-29181, CVE-2022-39064.

How do you prevent CWE-241?

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

What are the consequences of CWE-241?

Exploiting CWE-241 can lead to: Varies by Context, Unexpected State.

Is CWE-241 actively exploited?

29 recorded CVEs are caused by CWE-241; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-241

Get alerted the moment a new CWE-241 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-241?

What CVEs are caused by CWE-241?

How do you prevent CWE-241?

What are the consequences of CWE-241?

Is CWE-241 actively exploited?

References

Stay ahead of CWE-241