CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Last updated
Overview
This can lead to resultant weaknesses when the required properties change, such as when the product is ported to a different platform or if an interaction error (CWE-435) occurs.
Real-world CVEs
19 recorded CVEs are caused by CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The highest-severity and most recent are shown first. 15 new CWE-758 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2026-4705
Undefined behavior in the WebRTC: Signaling component
Critical · CVSS 9.8 · EPSS 34th2026-03-24 - CVE-2026-4724
Undefined behavior in the Audio/Video component
Critical · CVSS 9.1 · EPSS 24th2026-03-24 - CVE-2026-24407
iccDEV has Undefined Behavior in icSigCalcOp()
High · CVSS 8.8 · EPSS 32th2026-01-24 - CVE-2026-21677
iccDEV has Undefined Behavior in CIccCLUT::Init()
High · CVSS 8.8 · EPSS 23th2026-01-06 - CVE-2023-30624High · CVSS 8.8 · EPSS 36th2023-04-27
- CVE-2026-4718
Undefined behavior in the WebRTC: Signaling component
High · CVSS 8.1 · EPSS 22th2026-03-24 - CVE-2026-21687
iccDEV has Undefined Behavior in CIccTagCurve::CIccTagCurve()
High · CVSS 7.1 · EPSS 15th2026-01-07 - CVE-2026-21686
iccDEV has Undefined Behavior in CIccTagLutAtoB::Validate()
High · CVSS 7.1 · EPSS 15th2026-01-07 - CVE-2026-21685
iccDEV has Undefined Behavior in CIccTagLut16::Read()
High · CVSS 7.1 · EPSS 15th2026-01-07 - CVE-2026-21684
iccDEV has Undefined Behavior in CIccTagSpectralViewingConditions()
High · CVSS 7.1 · EPSS 15th2026-01-07 - CVE-2024-4774Medium · CVSS 6.5 · EPSS 29th2024-05-14
- CVE-2026-34549
iccDEV: UB at IccUtil.cpp
Medium · CVSS 6.2 · EPSS 5th2026-03-31
Showing 12 of 19 recorded CWE-758 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-758 vulnerabilitiesCommon consequences
What can happen when CWE-758 is exploited.
Reduce Maintainability, Unexpected State, Quality Degradation
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Fuzzing
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.
Vulnerable example
// Here we can inject code to execute.
int (*pt2Function) (float, char, char)=0x08040000;The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.
The following function returns a stack address.
Vulnerable example
char* getName() {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2006-1902 — Change in C compiler behavior causes resultant buffer overflows in programs that depend on behaviors that were undefined in the C standard.
Terminology & mappings
Mapped taxonomies
- CERT C Secure Coding: Ensure size arguments for variable length arrays are in a valid range (ARR32-C) — CWE More Abstract fit
- CERT C Secure Coding: Detect errors when converting a string to a number (ERR34-C) — Imprecise fit
- CERT C Secure Coding: Do not depend on the order of evaluation for side effects (EXP30-C) — CWE More Abstract fit
- CERT C Secure Coding: Do not read uninitialized memory (EXP33-C) — CWE More Abstract fit
- CERT C Secure Coding: Do not access a closed file (FIO46-C) — CWE More Abstract fit
- CERT C Secure Coding: Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand (INT34-C) — CWE More Abstract fit
- CERT C Secure Coding: Converting a pointer to integer or integer to pointer (INT36-C) — CWE More Abstract fit
- CERT C Secure Coding: Do not access freed memory (MEM30-C) — CWE More Abstract fit
- CERT C Secure Coding: Do not introduce unnecessary platform dependencies (MSC14-C)
- CERT C Secure Coding: Do not depend on undefined behavior (MSC15-C)
- CERT C Secure Coding: Ensure that control never reaches the end of a non-void function (MSC37-C) — CWE More Abstract fit
Frequently asked questions
Common questions about CWE-758.
- What is CWE-758?
- The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
- What CVEs are caused by CWE-758?
- 19 recorded CVEs are attributed to CWE-758, including CVE-2026-4705, CVE-2026-4724, CVE-2026-24407.
- How is CWE-758 detected?
- Fuzzing: Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
- What are the consequences of CWE-758?
- Exploiting CWE-758 can lead to: Reduce Maintainability, Unexpected State, Quality Degradation.
- Is CWE-758 actively exploited?
- 19 recorded CVEs are caused by CWE-758; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-758) (opens in a new tab)
- CWE-758 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-758
Get alerted the moment a new CWE-758 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.