CWE-755: Improper Handling of Exceptional Conditions
The product does not handle or incorrectly handles an exceptional condition.
Last updated
Overview
CWE-755 (Improper Handling of Exceptional Conditions) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
204 recorded CVEs are caused by CWE-755 (Improper Handling of Exceptional Conditions), including 3 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 19 new CWE-755 CVEs have been recorded so far in 2026 (25 in 2025).
- CVE-2017-5638CISA KEVCritical · CVSS 10.0 · EPSS 100th2017-03-11
- CVE-2020-7247CISA KEVCritical · CVSS 9.3 · EPSS 100th2020-01-29
- CVE-2021-38003CISA KEVHigh · CVSS 8.7 · EPSS 98th2021-11-23
- CVE-2024-7521Critical · CVSS 9.8 · EPSS 45th2024-08-06
- CVE-2023-6267
Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.
Critical · CVSS 9.8 · EPSS 50th2024-01-25 - CVE-2021-42141Critical · CVSS 9.8 · EPSS 64th2024-01-22
- CVE-2023-28631Critical · CVSS 9.8 · EPSS 66th2023-03-28
- CVE-2022-23121Critical · CVSS 9.8 · EPSS 94th2023-03-28
- CVE-2023-27595Critical · CVSS 9.8 · EPSS 50th2023-03-17
- CVE-2021-4105
Unauthenticated Remote Code Execution on COSLAT Firewall
Critical · CVSS 9.8 · EPSS 55th2023-02-24 - CVE-2022-48329Critical · CVSS 9.8 · EPSS 57th2023-02-20
- CVE-2023-25561Critical · CVSS 9.8 · EPSS 31th2023-02-10
Showing 12 of 204 recorded CWE-755 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-755 vulnerabilitiesCommon consequences
What can happen when CWE-755 is exploited.
Other
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following example attempts to resolve a hostname.
Vulnerable example
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {A DNS lookup failure will cause the Servlet to throw an exception.
The following example attempts to allocate memory for a character. After the call to malloc, an if statement is used to check whether the malloc function failed.
Vulnerable example
foo=malloc(sizeof(char)); //the next line checks to see if malloc failedSafe example
foo=malloc(sizeof(char)); //the next line checks to see if malloc failedThe following code mistakenly catches a NullPointerException.
Vulnerable example
try {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2023-41151 — SDK for OPC Unified Architecture (OPC UA) server has uncaught exception when a socket is blocked for writing but the server tries to send an error
- CVE-2021-3011 — virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code
- CVE-2008-4302 — Chain: OS kernel does not properly handle a failure of a function call (CWE-755), leading to an unlock of a resource that was not locked (CWE-832), with resultant crash.
Frequently asked questions
Common questions about CWE-755.
- What is CWE-755?
- The product does not handle or incorrectly handles an exceptional condition.
- What CVEs are caused by CWE-755?
- 204 recorded CVEs are attributed to CWE-755, including CVE-2017-5638, CVE-2020-7247, CVE-2021-38003. 3 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-755 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-755?
- Exploiting CWE-755 can lead to: Other.
- Is CWE-755 actively exploited?
- Yes. 3 CWE-755 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 204 recorded CVEs.
References
- MITRE CWE definition (CWE-755) (opens in a new tab)
- CWE-755 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-755
Get alerted the moment a new CWE-755 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.