Log inLog in

Variant weakness

Draft

CWE-277: Insecure Inherited Permissions

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

Last updated May 1, 2026

65

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

CWE-277 (Insecure Inherited Permissions) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

65 recorded CVEs are caused by CWE-277 (Insecure Inherited Permissions). The highest-severity and most recent are shown first. 5 new CWE-277 CVEs have been recorded so far in 2026 (15 in 2025).

CVE-2024-42681

High · CVSS 8.8 · EPSS 54th

2024-08-15

CVE-2024-36542

High · CVSS 8.8 · EPSS 37th

2024-07-25

CVE-2024-6605

Firefox Android missed activation delay to prevent tapjacking

High · CVSS 8.8 · EPSS 25th

2024-07-09

CVE-2023-27842

High · CVSS 8.8 · EPSS 82th

2023-03-21

CVE-2024-34329

High · CVSS 8.4 · EPSS 44th

2024-07-22

CVE-2024-29417

High · CVSS 8.4 · EPSS 9th

2024-05-03

CVE-2024-27834

High · CVSS 8.1 · EPSS 44th

2024-05-13

CVE-2026-30266

High · CVSS 7.8 · EPSS 2th

2026-04-20

CVE-2024-27825

High · CVSS 7.8 · EPSS 9th

2024-05-13

Showing 12 of 65 recorded CWE-277 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-277 vulnerabilities

Common consequences

What can happen when CWE-277 is exploited.

Read Application Data, Modify Application Data

Affects: Confidentiality, Integrity

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Operation

How to prevent it

Practical mitigations for CWE-277, grouped by where in the lifecycle they apply.

Architecture and Design

Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Architecture and Design

Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2005-1841 — User's umask is used when creating temp files.
CVE-2002-1786 — Insecure umask for core dumps [is the umask preserved or assigned?].

Terminology & mappings

Mapped taxonomies

PLOVER: Insecure inherited permissions

Frequently asked questions

Common questions about CWE-277.

What is CWE-277?

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

What CVEs are caused by CWE-277?

65 recorded CVEs are attributed to CWE-277, including CVE-2024-36539, CVE-2024-36540, CVE-2026-7891.

How do you prevent CWE-277?

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

What are the consequences of CWE-277?

Exploiting CWE-277 can lead to: Read Application Data, Modify Application Data.

Is CWE-277 actively exploited?

65 recorded CVEs are caused by CWE-277; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-277

Get alerted the moment a new CWE-277 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-277?

What CVEs are caused by CWE-277?

How do you prevent CWE-277?

What are the consequences of CWE-277?

Is CWE-277 actively exploited?

References

Stay ahead of CWE-277