The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
In most cases a direct call to a Thread object's run() method is a bug. The programmer intended to begin a new thread of control, but accidentally called run() instead of start(), so the run() method will execute in the caller's thread of control.
What can happen when CWE-572 is exploited.
Quality Degradation, Varies by Context
Affects: Other
Typically introduced during these phases of the software lifecycle.
Languages
Practical mitigations for CWE-572, grouped by where in the lifecycle they apply.
Use the start() method instead of the run() method.
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Illustrative examples from MITRE showing how the weakness appears in code.
The following excerpt from a Java program mistakenly calls run() instead of start().
Vulnerable example
```java
Thread thr = new Thread() {
    public void run() {
        // work that was meant to execute on a new thread
    }
};
thr.run();   // BUG: runs the body on the caller's thread; thr.start() was intended
```
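An added example, not from the MITRE entry or this page, that makes the behaviour observable: the worker records Thread.currentThread(), so a direct run() call can be told apart from a real start() at runtime, and the Thread object's state (still NEW after run()) gives a second check. The class and method names are assumed for illustration.

```java
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical class, added for illustration; not part of the CWE entry.
public class Cwe572Demo {

    // Builds a worker whose body records the thread it actually executed on.
    static Thread worker(AtomicReference<Thread> ranOn) {
        return new Thread(() -> ranOn.set(Thread.currentThread()), "worker");
    }

    // Vulnerable pattern: run() is invoked directly, so the body executes
    // synchronously on the caller's thread and the Thread is never started.
    static boolean bodyRanOnCallerViaRun() {
        AtomicReference<Thread> ranOn = new AtomicReference<>();
        Thread thr = worker(ranOn);
        thr.run();                                   // BUG: should be thr.start()
        // The object is still in state NEW: no thread of control was launched.
        if (thr.getState() != Thread.State.NEW) {
            throw new IllegalStateException("unexpected state: " + thr.getState());
        }
        return ranOn.get() == Thread.currentThread();
    }

    // Corrected pattern: start() schedules the body on the new thread and
    // join() waits for it before the caller reads the result.
    static boolean bodyRanOnCallerViaStart() throws InterruptedException {
        AtomicReference<Thread> ranOn = new AtomicReference<>();
        Thread thr = worker(ranOn);
        thr.start();
        thr.join();
        return ranOn.get() == Thread.currentThread();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("run():   body on caller thread = " + bodyRanOnCallerViaRun());
        System.out.println("start(): body on caller thread = " + bodyRanOnCallerViaStart());
    }
}
```

The first call reports that the body ran on the caller's thread and the second that it did not, which is the difference a unit test or a code review is looking for.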
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.