Base weakness

Draft

CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

Last updated May 1, 2026

17

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Programmers typically catch NullPointerException under three circumstances: The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem. The program explicitly throws a NullPointerException to signal an error condition. The code is part of a test harness that supplies unexpected input to the classes under test. Of these three circumstances, only the last is acceptable.

Real-world CVEs

17 recorded CVEs are caused by CWE-395 (Use of NullPointerException Catch to Detect NULL Pointer Dereference). The highest-severity and most recent are shown first. 1 new CWE-395 CVE has been recorded so far in 2026 (2 in 2025).

High · CVSS 8.7 · EPSS 15th

2026-01-12

CVE-2023-23904

Medium · CVSS 6.9 · EPSS 15th

2024-09-16

CVE-2024-27658

Medium · CVSS 6.5 · EPSS 12th

2024-02-29

CVE-2024-27659

Medium · CVSS 6.5 · EPSS 12th

2024-02-29

CVE-2024-27661

Medium · CVSS 6.5 · EPSS 12th

2024-02-29

CVE-2024-27662

Medium · CVSS 6.5 · EPSS 12th

2024-02-29

CVE-2022-29508

Medium · CVSS 6.3 · EPSS 18th

2023-05-10

CVE-2024-36275

Medium · CVSS 6.1 · EPSS 2th

2024-11-13

CVE-2022-42879

Medium · CVSS 6.1 · EPSS 18th

2023-11-14

CVE-2023-25071

Medium · CVSS 5.6 · EPSS 22th

2023-11-14

Showing 12 of 17 recorded CWE-395 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-395 vulnerabilities

Common consequences

What can happen when CWE-395 is exploited.

DoS: Resource Consumption (CPU)

Affects: Availability

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Applies to

Languages

Java

How to prevent it

Practical mitigations for CWE-395, grouped by where in the lifecycle they apply.

Architecture and Design

Implementation

Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application.