Base weakness

Draft

CWE-394: Unexpected Status Code or Return Value

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

Last updated May 1, 2026

13

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-394 (Unexpected Status Code or Return Value) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

13 recorded CVEs are caused by CWE-394 (Unexpected Status Code or Return Value). The highest-severity and most recent are shown first. 1 new CWE-394 CVE has been recorded so far in 2026 (5 in 2025).

CVE-2023-25948

Server Data type confusion - info leak

High · CVSS 7.5 · EPSS 37th

2023-07-13

CVE-2019-0066

High · CVSS 7.5 · EPSS 68th

2019-10-09

CVE-2025-23013

High · CVSS 7.3 · EPSS 31th

2025-01-15

CVE-2024-1713

High · CVSS 7.2 · EPSS 41th

2024-03-14

CVE-2025-48510

High · CVSS 7.1 · EPSS 1th

2025-11-24

CVE-2025-22854

Possible thread exhaustion from processing http responses in PingFederate Google Adapter

Medium · CVSS 6.9 · EPSS 20th

2025-06-15

CVE-2019-20924

Invariant in IndexBoundsBuilder

Medium · CVSS 6.5 · EPSS 66th

2020-11-23

CVE-2018-20802

Medium · CVSS 6.5 · EPSS 66th

2020-11-23

CVE-2023-28975

Junos OS: The kernel will crash when certain USB devices are inserted

Medium · CVSS 4.6 · EPSS 20th

2023-04-17

Showing 12 of 13 recorded CWE-394 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-394 vulnerabilities

Common consequences

What can happen when CWE-394 is exploited.

Unexpected State, Alter Execution Logic

Affects: Integrity, Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2004-1395 — Certain packets (zero byte and other lengths) cause a recvfrom call to produce an unexpected return code that causes a server's listening loop to exit.
CVE-2002-2124 — Unchecked return code from recv() leads to infinite loop.
CVE-2005-2553 — Kernel function does not properly handle when a null is returned by a function call, causing it to call another function that it shouldn't.
CVE-2005-1858 — Memory not properly cleared when read() function call returns fewer bytes than expected.
CVE-2000-0536 — Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
CVE-2001-0910 — Bypass access restrictions when connecting from IP whose DNS reverse lookup does not return a hostname.
CVE-2004-2371 — Game server doesn't check return values for functions that handle text strings and associated size values.
CVE-2005-1267 — Resultant infinite loop when function call returns -1 value.

Terminology & mappings

Mapped taxonomies

PLOVER: Unexpected Status Code or Return Value
Software Fault Patterns: Unchecked Status Condition (SFP4)
SEI CERT Perl Coding Standard: Do not return undef (EXP00-PL) — Imprecise fit

Frequently asked questions

Common questions about CWE-394.

What is CWE-394?

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

What CVEs are caused by CWE-394?

13 recorded CVEs are attributed to CWE-394, including CVE-2025-12516, CVE-2025-12515, CVE-2026-25085.

How is CWE-394 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-394?

Exploiting CWE-394 can lead to: Unexpected State, Alter Execution Logic.

Is CWE-394 actively exploited?

13 recorded CVEs are caused by CWE-394; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-394

Get alerted the moment a new CWE-394 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing