CWE-617: Reachable Assertion
Also known as: assertion failure
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Last updated
Overview
While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.
Real-world CVEs
360 recorded CVEs are caused by CWE-617 (Reachable Assertion). The highest-severity and most recent are shown first. 81 new CWE-617 CVEs have been recorded so far in 2026 (93 in 2025).
- CVE-2026-41584
ZEBRA: rk Identity Point Panic in Transaction Verification
Critical · CVSS 9.2 · EPSS 19th2026-05-08 - CVE-2026-29116High · CVSS 8.7 · EPSS 32th2026-06-10
- CVE-2025-34458
wb2osz/direwolf <= 1.8.1 Reachable Assertion DoS
High · CVSS 8.7 · EPSS 34th2025-12-22 - CVE-2025-41068
Reachable Assertion vulnerability in Open5GS
High · CVSS 8.7 · EPSS 24th2025-10-27 - CVE-2025-41067
Reachable Assertion vulnerability in Open5GS
High · CVSS 8.7 · EPSS 31th2025-10-27 - CVE-2024-34235High · CVSS 8.6 · EPSS 51th2025-01-22
- CVE-2023-37017High · CVSS 8.6 · EPSS 51th2025-01-22
- CVE-2023-37021High · CVSS 8.6 · EPSS 51th2025-01-22
- CVE-2023-37020High · CVSS 8.6 · EPSS 51th2025-01-22
- CVE-2023-37019High · CVSS 8.6 · EPSS 51th2025-01-22
- CVE-2023-37015High · CVSS 8.6 · EPSS 51th2025-01-22
- CVE-2023-37018High · CVSS 8.6 · EPSS 51th2025-01-22
Showing 12 of 360 recorded CWE-617 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-617 vulnerabilitiesCommon consequences
What can happen when CWE-617 is exploited.
DoS: Crash, Exit, or Restart
Affects: Availability
An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-617, grouped by where in the lifecycle they apply.
Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
Perform input validation on user data.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form.
Vulnerable example
String email = request.getParameter("email_address");Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2024-8768 — API server for LLM library can crash when provided an empty prompt, which triggers a reachable assertion
- CVE-2023-49286 — Chain: function in web caching proxy does not correctly check a return value (CWE-253) leading to a reachable assertion (CWE-617)
- CVE-2006-6767 — FTP server allows remote attackers to cause a denial of service (daemon abort) via crafted commands which trigger an assertion failure.
- CVE-2006-6811 — Chat client allows remote attackers to cause a denial of service (crash) via a long message string when connecting to a server, which causes an assertion failure.
- CVE-2006-5779 — Product allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.
- CVE-2006-4095 — Product allows remote attackers to cause a denial of service (crash) via certain queries, which cause an assertion failure.
- CVE-2006-4574 — Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.
- CVE-2004-0270 — Anti-virus product has assert error when line length is non-numeric.
Terminology & mappings
Alternate terms
- assertion failure
Mapped taxonomies
- The CERT Oracle Secure Coding Standard for Java (2011): Never use assertions to validate method arguments (MET01-J)
- Software Fault Patterns: Use of an improper API (SFP3)
Frequently asked questions
Common questions about CWE-617.
- What is CWE-617?
- The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
- What CVEs are caused by CWE-617?
- 360 recorded CVEs are attributed to CWE-617, including CVE-2026-41584, CVE-2026-29116, CVE-2025-34458.
- How do you prevent CWE-617?
- Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
- How is CWE-617 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-617?
- Exploiting CWE-617 can lead to: DoS: Crash, Exit, or Restart.
- Is CWE-617 actively exploited?
- 360 recorded CVEs are caused by CWE-617; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-617) (opens in a new tab)
- CWE-617 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-617
Get alerted the moment a new CWE-617 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.