CWE-248: Uncaught Exception

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following example attempts to resolve a hostname.

Vulnerable example

java

protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {

A DNS lookup failure will cause the Servlet to throw an exception.

The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().

EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack.

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-248?

What CVEs are caused by CWE-248?

How is CWE-248 detected?

What are the consequences of CWE-248?

Is CWE-248 actively exploited?

References

Stay ahead of CWE-248

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-248?

What CVEs are caused by CWE-248?

How is CWE-248 detected?

What are the consequences of CWE-248?

Is CWE-248 actively exploited?

References

Stay ahead of CWE-248