CWE-670: Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Last updated
Overview
This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.
Real-world CVEs
97 recorded CVEs are caused by CWE-670 (Always-Incorrect Control Flow Implementation). The highest-severity and most recent are shown first. 28 new CWE-670 CVEs have been recorded so far in 2026 (9 in 2025).
- CVE-2025-43359Critical · CVSS 9.8 · EPSS 55th2025-09-15
- CVE-2023-23623
Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled in Electron
Critical · CVSS 9.8 · EPSS 47th2023-09-06 - CVE-2022-25745Critical · CVSS 9.8 · EPSS 34th2023-04-04
- CVE-2022-2993Critical · CVSS 9.8 · EPSS 43th2022-12-12
- CVE-2022-21679Critical · CVSS 9.8 · EPSS 61th2022-01-19
- CVE-2021-41153Critical · CVSS 9.8 · EPSS 59th2021-10-18
- CVE-2020-1914Critical · CVSS 9.8 · EPSS 83th2020-10-08
- CVE-2025-24800
Critical vulnerability in `ismp-grandpa` <v15.0.1
Critical · CVSS 9.3 · EPSS 22th2025-01-28 - CVE-2026-55276
Apache Tomcat: Logged effective web.xml is incomplete
Critical · CVSS 9.1 · EPSS 29th2026-06-29 - CVE-2025-29312Critical · CVSS 9.1 · EPSS 37th2025-03-24
- CVE-2024-32971Critical · CVSS 9.1 · EPSS 50th2024-05-02
- CVE-2023-20558High · CVSS 8.8 · EPSS 48th2023-03-23
Showing 12 of 97 recorded CWE-670 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-670 vulnerabilitiesCommon consequences
What can happen when CWE-670 is exploited.
Other, Alter Execution Logic
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code queries a server and displays its status when a request comes from an authorized IP address.
Vulnerable example
...
$requestingIP = $_SERVER['REMOTE_ADDR'];This code redirects unauthorized users, but continues to execute code after calling http_redirect(). This means even unauthorized users may be able to access the contents of the page or perform a DoS attack on the server being queried. Also, note that this code is vulnerable to an IP address spoofing attack (CWE-212).
In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.
Vulnerable example
if (condition==true)This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.
In both of these examples, a message is printed based on the month passed into the function:
Vulnerable example
public void printMessage(int month){Vulnerable example
void printMessage(int month){Both examples do not use a break statement after each case, which leads to unintended fall-through behavior. For example, calling "printMessage(10)" will result in the text "OctoberNovemberDecember is a great month" being printed.
In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form.
Vulnerable example
String email = request.getParameter("email_address");Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-3011 — virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code
Frequently asked questions
Common questions about CWE-670.
- What is CWE-670?
- The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
- What CVEs are caused by CWE-670?
- 97 recorded CVEs are attributed to CWE-670, including CVE-2025-43359, CVE-2023-23623, CVE-2022-25745.
- What are the consequences of CWE-670?
- Exploiting CWE-670 can lead to: Other, Alter Execution Logic.
- Is CWE-670 actively exploited?
- 97 recorded CVEs are caused by CWE-670; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-670) (opens in a new tab)
- CWE-670 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-670
Get alerted the moment a new CWE-670 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.