The code uses an operator for comparison when the intention was to perform an assignment.
In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
2 recorded CVEs are caused by CWE-482 (Comparing instead of Assigning). The highest-severity and most recent are shown first. 1 new CWE-482 CVE has been recorded so far in 2026.
What can happen when CWE-482 is exploited.
Unexpected State
Affects: Availability, Integrity
The assignment will not take place, which should cause obvious program execution problems.
Typically introduced during these phases of the software lifecycle.
Languages
Practical mitigations for CWE-482, grouped by where in the lifecycle they apply.
Many IDEs and static analysis products will detect this problem.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
An Integrated Development Environment (IDE) or linter can report or highlight this weakness.
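The consequence and the detection described above, shown as an added example that is not part of the MITRE entry or of this page's own code: a comparison typed where an assignment was intended leaves the state untouched, beside the corrected form. The `session` struct and the function names are hypothetical, constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical session record, constructed for this example. */
struct session {
    bool authenticated;
    int  failed_attempts;
};

/* Weak form: '==' was typed where '=' was intended. Each statement
 * compares and discards the result, so the session is never reset.
 * GCC and Clang flag both lines when warnings are enabled (-Wall). */
void logout_weak(struct session *s)
{
    s->authenticated == false;
    s->failed_attempts == 0;
}

/* Corrected form: the assignments take place. */
void logout_fixed(struct session *s)
{
    s->authenticated = false;
    s->failed_attempts = 0;
}

/* Returns 1 if the session is back in its initial state, else 0. */
int is_reset(const struct session *s)
{
    return !s->authenticated && s->failed_attempts == 0;
}

int main(void)
{
    struct session a = { true, 3 };
    struct session b = { true, 3 };

    logout_weak(&a);   /* state is left unchanged */
    logout_fixed(&b);  /* state is cleared */

    printf("weak:  authenticated=%d failed_attempts=%d reset=%d\n",
           a.authenticated, a.failed_attempts, is_reset(&a));
    printf("fixed: authenticated=%d failed_attempts=%d reset=%d\n",
           b.authenticated, b.failed_attempts, is_reset(&b));
    return 0;
}
```

Building with warnings treated as errors turns the two weak statements into a build failure, so they cannot reach a release unnoticed.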
Illustrative examples from MITRE showing how the weakness appears in code.
The following example demonstrates the weakness.
Vulnerable example
void called(int foo) {
The following C/C++ example shows a simple implementation of a stack that includes methods for adding and removing integer values from the stack. The example uses pointers to add and remove integer values to the stack array variable.
Vulnerable example
#define SIZE 50
Common questions about CWE-482.
2 recorded CVEs are attributed to CWE-482, including CVE-2026-26279, CVE-2024-33430.
Exploiting CWE-482 can lead to: Unexpected State.
2 recorded CVEs are caused by CWE-482; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.