Variant weakness

Incomplete

CWE-589: Call to Non-ubiquitous API

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.

Last updated May 1, 2026

0

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.

Common consequences

What can happen when CWE-589 is exploited.

Quality Degradation

Affects: Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

How to prevent it

Practical mitigations for CWE-589, grouped by where in the lifecycle they apply.

Implementation

Always test your code on any platform on which it is targeted to run on.

Testing

Test your code on the newest and oldest platform on which it is targeted to run on.

Testing

Develop a system to test for API functions that are not portable.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Terminology & mappings

Mapped taxonomies

The CERT Oracle Secure Coding Standard for Java (2011): Do not use deprecated or obsolete classes or methods (MET02-J)
The CERT Oracle Secure Coding Standard for Java (2011): Maintain serialization compatibility during class evolution (SER00-J)
Software Fault Patterns: Use of an improper API (SFP3)

Attack patterns

CAPEC attack patterns that exploit this weakness.

CAPEC-96: Block Access to Libraries

Frequently asked questions

Common questions about CWE-589.

What is CWE-589?

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.

How do you prevent CWE-589?

Always test your code on any platform on which it is targeted to run on.

How is CWE-589 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-589?

Exploiting CWE-589 can lead to: Quality Degradation.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-589

Get alerted the moment a new CWE-589 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing