CWE-390: Detection of Error Condition Without Action
The product detects a specific error, but takes no actions to handle the error.
Last updated
Overview
CWE-390 (Detection of Error Condition Without Action) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
17 recorded CVEs are caused by CWE-390 (Detection of Error Condition Without Action). The highest-severity and most recent are shown first. 4 new CWE-390 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2026-52989
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
Critical · CVSS 9.8 · EPSS 27th2026-06-24 - CVE-2021-40391Critical · CVSS 9.8 · EPSS 85th2021-11-19
- CVE-2026-53434
Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector
Critical · CVSS 9.1 · EPSS 29th2026-06-29 - CVE-2019-5051High · CVSS 8.8 · EPSS 89th2019-07-03
- CVE-2025-46367High · CVSS 7.8 · EPSS 3th2025-11-13
- CVE-2024-49841High · CVSS 7.8 · EPSS 1th2025-05-06
- CVE-2024-30255High · CVSS 7.5 · EPSS 100th2024-04-04
- CVE-2024-27919
HTTP/2: memory exhaustion due to CONTINUATION frame flood
High · CVSS 7.5 · EPSS 100th2024-04-04 - CVE-2024-12086
Rsync: rsync server leaks arbitrary client files
Medium · CVSS 6.8 · EPSS 75th2025-01-14 - CVE-2025-27039
Detection of Error Condition Without Action in Computer Vision
Medium · CVSS 6.6 · EPSS 0th2025-10-09 - CVE-2025-26465
Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled
Medium · CVSS 6.5 · EPSS 93th2025-02-18 - CVE-2025-25204
`gh attestation verify` returns incorrect exit code during verification if no attestations are present
Medium · CVSS 6.3 · EPSS 31th2025-02-14
Showing 12 of 17 recorded CWE-390 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-390 vulnerabilitiesCommon consequences
What can happen when CWE-390 is exploited.
Varies by Context, Unexpected State, Alter Execution Logic
Affects: Integrity, Other
An attacker could utilize an ignored error condition to place the system in an unexpected state that could lead to the execution of unintended logic and could cause other unintended behavior.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-390, grouped by where in the lifecycle they apply.
Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.
If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and cleanup the program.
Subject the product to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following example attempts to allocate memory for a character. After the call to malloc, an if statement is used to check whether the malloc function failed.
Vulnerable example
foo=malloc(sizeof(char)); //the next line checks to see if malloc failedSafe example
foo=malloc(sizeof(char)); //the next line checks to see if malloc failedIn the following C++ example the method readFile() will read the file whose name is provided in the input parameter and will return the contents of the file in char string. The method calls open() and read() may result in errors if the file does not exist or does not contain any data to read. These errors will be thrown when the is_open() method and good() method indicate errors opening or reading the file. However, these errors are not handled within the catch statement. Catch statements that do not perform any processing will have unexpected results. In this case an empty char string will be returned, and the file will not be properly closed.
Vulnerable example
char* readfile (char *filename) {Safe example
char* readFile (char *filename) {The catch statement should contain statements that either attempt to fix the problem or notify the user that an error has occurred and continue processing or perform some cleanup and gracefully terminate the program. The following C++ example contains two catch statements. The first of these will catch a specific error thrown within the try block, and the second catch statement will catch all other errors from within the catch block. Both catch statements will notify the user that an error has occurred, close the file, and rethrow to the block that called the readFile() method for further handling or possible termination of the program.
In the following Java example the method readFile will read the file whose name is provided in the input parameter and will return the contents of the file in a String object. The constructor of the FileReader object and the read method call may throw exceptions and therefore must be within a try/catch block. While the catch statement in this example will catch thrown exceptions in order for the method to compile, no processing is performed to handle the thrown exceptions. Catch statements that do not perform any processing will have unexpected results. In this case, this will result in the return of a null String.
Vulnerable example
public String readFile(String filename) {Safe example
public String readFile(String filename) throws FileNotFoundException, IOException, Exception {The catch statement should contain statements that either attempt to fix the problem, notify the user that an exception has been raised and continue processing, or perform some cleanup and gracefully terminate the program. The following Java example contains three catch statements. The first of these will catch the FileNotFoundException that may be thrown by the FileReader constructor called within the try/catch block. The second catch statement will catch the IOException that may be thrown by the read method called within the try/catch block. The third catch statement will catch all other exceptions thrown within the try block. For all catch statements the user is notified that the exception has been thrown and the exception is rethrown to the block that called the readFile() method for further processing or possible termination of the program. Note that with Java it is usually good practice to use the getMessage() method of the exception class to provide more information to the user about the exception raised.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-21820 — A GPU data center manager detects an error due to a malformed request but does not act on it, leading to memory corruption.
Terminology & mappings
Mapped taxonomies
- CLASP: Improper error handling
- The CERT Oracle Secure Coding Standard for Java (2011): Do not suppress or ignore checked exceptions (ERR00-J)
- Software Fault Patterns: Unchecked Status Condition (SFP4)
Frequently asked questions
Common questions about CWE-390.
- What is CWE-390?
- The product detects a specific error, but takes no actions to handle the error.
- What CVEs are caused by CWE-390?
- 17 recorded CVEs are attributed to CWE-390, including CVE-2026-52989, CVE-2021-40391, CVE-2026-53434.
- How do you prevent CWE-390?
- Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.
- How is CWE-390 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-390?
- Exploiting CWE-390 can lead to: Varies by Context, Unexpected State, Alter Execution Logic.
- Is CWE-390 actively exploited?
- 17 recorded CVEs are caused by CWE-390; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-390) (opens in a new tab)
- CWE-390 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-390
Get alerted the moment a new CWE-390 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.