A certificate expiration is not validated or is incorrectly validated.

What CVEs are caused by CWE-298?

6 recorded CVEs are attributed to CWE-298, including CVE-2025-67108, CVE-2025-67109, CVE-2025-61736.

How do you prevent CWE-298?

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

What are the consequences of CWE-298?

Exploiting CWE-298 can lead to: Other.

Is CWE-298 actively exploited?

6 recorded CVEs are caused by CWE-298; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-298: Improper Validation of Certificate Expiration

CVE-2023-42446

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.

Vulnerable example

if (cert = SSL_get_peer(certificate(ssl)) {

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.

CWE-298: Improper Validation of Certificate Expiration

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-298?

What CVEs are caused by CWE-298?

How do you prevent CWE-298?

What are the consequences of CWE-298?

Is CWE-298 actively exploited?

References

Stay ahead of CWE-298

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-298?

What CVEs are caused by CWE-298?

How do you prevent CWE-298?

What are the consequences of CWE-298?

Is CWE-298 actively exploited?

References

Stay ahead of CWE-298