CWE-691: Insufficient Control Flow Management
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Last updated
Overview
CWE-691 (Insufficient Control Flow Management) is a pillar-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
31 recorded CVEs are caused by CWE-691 (Insufficient Control Flow Management). The highest-severity and most recent are shown first. 1 new CWE-691 CVE has been recorded so far in 2026 (10 in 2025).
- CVE-2025-25273High · CVSS 8.8 · EPSS 3th2025-08-12
- CVE-2025-22893High · CVSS 8.8 · EPSS 3th2025-08-12
- CVE-2023-20559High · CVSS 8.8 · EPSS 48th2023-03-23
- CVE-2022-20697High · CVSS 8.6 · EPSS 62th2022-04-15
- CVE-2025-20004High · CVSS 8.5 · EPSS 3th2025-05-13
- CVE-2025-35963High · CVSS 8.3 · EPSS 8th2025-11-11
- CVE-2024-21801High · CVSS 8.3 · EPSS 8th2024-08-14
- CVE-2024-33617High · CVSS 8.2 · EPSS 36th2024-11-13
- CVE-2024-37158High · CVSS 8.1 · EPSS 36th2024-06-17
- CVE-2022-48481High · CVSS 7.8 · EPSS 11th2023-04-28
- CVE-2022-46828High · CVSS 7.8 · EPSS 19th2022-12-08
- CVE-2021-4106High · CVSS 7.8 · EPSS 17th2022-02-16
Showing 12 of 31 recorded CWE-691 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-691 vulnerabilitiesCommon consequences
What can happen when CWE-691 is exploited.
Alter Execution Logic
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following function attempts to acquire a lock in order to perform operations on a shared resource.
Vulnerable example
void f(pthread_mutex_t *mutex) {Safe example
int f(pthread_mutex_t *mutex) {In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.
Vulnerable example
if (condition==true)This might not be what the programmer intended. When the condition is critical for security, such as in making a security decision or detecting a critical error, this may produce a vulnerability.
This function prints the contents of a specified file requested by a user.
Vulnerable example
function printFile($username,$filename){This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2024-50653 — e-commerce product does not restrict the number of requests for coupons
- CVE-2019-9805 — Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
- CVE-2014-1266 — Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). The code's whitespace indentation did not reflect the actual control flow (CWE-1114) and did not explicitly delimit the block (CWE-483), which could have made it more difficult for human code auditors to detect the vulnerability.
- CVE-2011-1027 — Chain: off-by-one error (CWE-193) leads to infinite loop (CWE-835) using invalid hex-encoded characters.
Terminology & mappings
Mapped taxonomies
- WASC: Insufficient Process Validation (40)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-691.
- What is CWE-691?
- The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
- What CVEs are caused by CWE-691?
- 31 recorded CVEs are attributed to CWE-691, including CVE-2025-25273, CVE-2025-22893, CVE-2023-20559.
- What are the consequences of CWE-691?
- Exploiting CWE-691 can lead to: Alter Execution Logic.
- Is CWE-691 actively exploited?
- 31 recorded CVEs are caused by CWE-691; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-691) (opens in a new tab)
- CWE-691 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-691
Get alerted the moment a new CWE-691 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.