CWE-248: Uncaught Exception
An exception is thrown from a function, but it is not caught.
Last updated
Overview
When an exception is not caught, it may cause the program to crash or expose sensitive information.
Real-world CVEs
211 recorded CVEs are caused by CWE-248 (Uncaught Exception). The highest-severity and most recent are shown first. 56 new CWE-248 CVEs have been recorded so far in 2026 (60 in 2025).
- CVE-2025-12423
Denial of Service - Protocol Manipulation
Critical · CVSS 10.0 · EPSS 22th2025-10-28 - CVE-2018-11466Critical · CVSS 9.8 · EPSS 89th2018-12-12
- CVE-2024-42037Critical · CVSS 9.3 · EPSS 3th2024-08-08
- CVE-2025-53620
Crashing any Qwik Server
Critical · CVSS 9.2 · EPSS 22th2025-07-09 - CVE-2025-0657
ALC WebCTRL Carrier i-Vu and Gen5 Controllers Array Index out-of-range
High · CVSS 8.8 · EPSS 22th2025-11-27 - CVE-2023-0790High · CVSS 8.8 · EPSS 50th2023-02-12
- CVE-2026-9509
Uncaught exception vulnerability in Suprema's BioStar
High · CVSS 8.7 · EPSS 27th2026-05-29 - CVE-2026-34752
Haraka affected by DoS via `__proto__` email header
High · CVSS 8.7 · EPSS 35th2026-04-02 - CVE-2026-33191
free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error
High · CVSS 8.7 · EPSS 28th2026-03-20 - CVE-2026-32314
Yamux remote Panic via malformed Data frame with SYN set and len = 262145
High · CVSS 8.7 · EPSS 36th2026-03-13 - CVE-2026-31812
Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing
High · CVSS 8.7 · EPSS 39th2026-03-10 - CVE-2026-1507
Uncaught Exception vulnerability in AVEVA PI Data Archive
High · CVSS 8.7 · EPSS 20th2026-02-10
Showing 12 of 211 recorded CWE-248 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-248 vulnerabilitiesCommon consequences
What can happen when CWE-248 is exploited.
DoS: Crash, Exit, or Restart, Read Application Data
Affects: Availability, Confidentiality
An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following example attempts to resolve a hostname.
Vulnerable example
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {A DNS lookup failure will cause the Servlet to throw an exception.
The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().
EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2023-41151 — SDK for OPC Unified Architecture (OPC UA) server has uncaught exception when a socket is blocked for writing but the server tries to send an error
- CVE-2023-21087 — Java code in a smartphone OS can encounter a "boot loop" due to an uncaught exception
Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: Often Misused: Exception Handling
- The CERT Oracle Secure Coding Standard for Java (2011): Do not let checked exceptions escape from a finally block (ERR05-J)
- The CERT Oracle Secure Coding Standard for Java (2011): Do not throw undeclared checked exceptions (ERR06-J)
- SEI CERT Perl Coding Standard: Do not suppress or ignore exceptions (EXP31-PL) — Exact fit
- Software Fault Patterns: Unchecked Status Condition (SFP4)
Frequently asked questions
Common questions about CWE-248.
- What is CWE-248?
- An exception is thrown from a function, but it is not caught.
- What CVEs are caused by CWE-248?
- 211 recorded CVEs are attributed to CWE-248, including CVE-2025-12423, CVE-2018-11466, CVE-2024-42037.
- How is CWE-248 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-248?
- Exploiting CWE-248 can lead to: DoS: Crash, Exit, or Restart, Read Application Data.
- Is CWE-248 actively exploited?
- 211 recorded CVEs are caused by CWE-248; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-248) (opens in a new tab)
- CWE-248 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-248
Get alerted the moment a new CWE-248 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.