The product contains dead code, which can never be executed.
Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.
8 recorded CVEs are caused by CWE-561 (Dead Code). The highest-severity and most recent are shown first. 1 new CWE-561 CVE has been recorded so far in 2026 (1 in 2025).
What can happen when CWE-561 is exploited.
Quality Degradation
Affects: Other
Dead code that results from code that can never be executed is an indication of problems with the source code that need to be fixed and is an indication of poor quality.
Reduce Maintainability
Affects: Other
Typically introduced during these phases of the software lifecycle.
Practical mitigations for CWE-561, grouped by where in the lifecycle they apply.
Remove dead code before deploying the application.
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: High
Illustrative examples from MITRE showing how the weakness appears in code.
The condition for the second if statement is impossible to satisfy. It requires that the variable s be non-null. However, on the only path where s can be assigned a non-null value, there is a return statement.
Vulnerable example
String s = null;
In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code.
Vulnerable example
public class DoubleDead {
(In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)
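The mutual-call case above is the one a simple "method with no callers" check misses, because each method does have a caller. The following is an added example, not MITRE's code or any analyzer's implementation: it compares that naive check with reachability from entry points over a constructed call graph. All method names in it are hypothetical.

```python
from collections import deque

# Constructed call graph for a hypothetical class: method -> methods it calls.
# helperA/helperB stand in for two private methods that only call each other.
CALL_GRAPH = {
    "main": ["parse", "render"],
    "parse": ["validate"],
    "validate": [],
    "render": [],
    "helperA": ["helperB"],
    "helperB": ["helperA"],
    "legacyExport": ["validate"],  # never called by anything
}
ENTRY_POINTS = {"main"}  # assumption: the only externally invoked method


def zero_caller_methods(graph, entry_points):
    """Naive check: flag methods that no other method calls."""
    called = {callee for callees in graph.values() for callee in callees}
    return sorted(m for m in graph if m not in called and m not in entry_points)


def unreachable_methods(graph, entry_points):
    """Breadth-first search from the entry points; unvisited methods are dead."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return sorted(m for m in graph if m not in seen)


def missed_by_naive_check(graph, entry_points):
    """Dead methods that have a caller, so the naive check does not report them."""
    dead = set(unreachable_methods(graph, entry_points))
    return sorted(dead - set(zero_caller_methods(graph, entry_points)))


if __name__ == "__main__":
    print("zero callers:", zero_caller_methods(CALL_GRAPH, ENTRY_POINTS))
    print("unreachable: ", unreachable_methods(CALL_GRAPH, ENTRY_POINTS))
    print("missed:      ", missed_by_naive_check(CALL_GRAPH, ENTRY_POINTS))
```

On real Java code the entry-point set must also include methods invoked through reflection, framework callbacks or serialization, otherwise live code is reported as dead.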
The field named glue is not used in the following class. The author of the class has accidentally put quotes around the field name, transforming it into a string constant.
Vulnerable example
public class Dead {
Real CVEs that MITRE cites as examples of this weakness.
Common questions about CWE-561.
8 recorded CVEs are attributed to CWE-561, including CVE-2025-34205, CVE-2024-8300, CVE-2024-32634.
Architecture or Design Review: According to SOAR [REF-1479], the following detection techniques may be useful:
Exploiting CWE-561 can lead to: Quality Degradation, Reduce Maintainability.
8 recorded CVEs are caused by CWE-561; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.