CWE-372: Incomplete Internal State Distinction

The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-372 (Incomplete Internal State Distinction) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

CWE-372: Incomplete Internal State Distinction

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-372?

What CVEs are caused by CWE-372?

What are the consequences of CWE-372?

Is CWE-372 actively exploited?

References

Stay ahead of CWE-372

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-372?

What CVEs are caused by CWE-372?

What are the consequences of CWE-372?

Is CWE-372 actively exploited?

References

Stay ahead of CWE-372