The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.

What CVEs are caused by CWE-733?

5 recorded CVEs are attributed to CWE-733, including CVE-2025-13024, CVE-2025-52496, CVE-2020-15294.

How is CWE-733 detected?

Black Box: This specific weakness is impossible to detect using black box methods. While an analyst could examine memory to see that it has not been scrubbed, an analysis of the executable would not be successful. This is because the compiler has already removed the relevant code. Only the source code shows whether the programmer intended to clear the memory or not, so this weakness is indistinguishable from others.

What are the consequences of CWE-733?

Exploiting CWE-733 can lead to: Bypass Protection Mechanism, Alter Execution Logic.

Is CWE-733 actively exploited?

5 recorded CVEs are caused by CWE-733; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-733: Compiler Optimization Removal or Modification of Security-critical Code

CVE-2025-20241

Cisco Nexus 3000 and 9000 Series Switches IS-IS Protocol Denial of Service Vulnerability

CWE-733: Compiler Optimization Removal or Modification of Security-critical Code

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code reads a password from the user, uses the password to connect to a back-end mainframe, and then attempts to scrub the password from memory using memset().

Vulnerable example

char pwd[64];

CWE-733: Compiler Optimization Removal or Modification of Security-critical Code

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Black Box

White Box

Code examples

Illustrative examples

Attack patterns

Frequently asked questions

What is CWE-733?

What CVEs are caused by CWE-733?

How is CWE-733 detected?

What are the consequences of CWE-733?

Is CWE-733 actively exploited?

References

Stay ahead of CWE-733

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Black Box

White Box

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Attack patterns

Frequently asked questions

What is CWE-733?

What CVEs are caused by CWE-733?

How is CWE-733 detected?

What are the consequences of CWE-733?

Is CWE-733 actively exploited?

References

Stay ahead of CWE-733