What CVEs are caused by CWE-822?

195 recorded CVEs are attributed to CWE-822, including CVE-2023-29360, CVE-2025-24990, CVE-2024-35250. 5 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How is CWE-822 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-822?

Exploiting CWE-822 can lead to: Read Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Modify Memory.

Is CWE-822 actively exploited?

Yes. 5 CWE-822 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 195 recorded CVEs.

CVE-2025-24990

CISA KEV

Windows Agere Modem Driver Elevation of Privilege Vulnerability

CWE-822: Untrusted Pointer Dereference

Base weakness

Incomplete

CWE-822: Untrusted Pointer Dereference

The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

Last updated May 1, 2026

195

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

An attacker can supply a pointer for memory locations that the product is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a variable to an unexpected value (since the value will be read from an unexpected memory location). There are several variants of this weakness, including but not necessarily limited to: The untrusted value is directly invoked as a function call. In OS kernels or drivers where there is a boundary between "userland" and privileged memory spaces, an untrusted pointer might enter through an API or system call (see CWE-781 for one such example). Inadvertently accepting the value from an untrusted control sphere when it did not have to be accepted as input at all. This might occur when the code was originally developed to be run by a single user in a non-networked environment, and the code is then ported to or otherwise exposed to a networked environment.

Real-world CVEs

195 recorded CVEs are caused by CWE-822 (Untrusted Pointer Dereference), including 5 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 36 new CWE-822 CVEs have been recorded so far in 2026 (53 in 2025).

CVE-2023-29360
CISA KEV
Microsoft Streaming Service Elevation of Privilege Vulnerability
High · CVSS 8.6 · EPSS 97th
2023-06-13

CWE-822: Untrusted Pointer Dereference

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Illustrative examples

Attack patterns

Frequently asked questions

What is CWE-822?

What CVEs are caused by CWE-822?

How is CWE-822 detected?

What are the consequences of CWE-822?

Is CWE-822 actively exploited?

References

Stay ahead of CWE-822

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Automated Static Analysis

Automated Dynamic Analysis

Illustrative examples

Related weaknesses

Parent

Can precede

Related

Attack patterns

Frequently asked questions

What is CWE-822?

What CVEs are caused by CWE-822?

How is CWE-822 detected?

What are the consequences of CWE-822?

Is CWE-822 actively exploited?

References

Stay ahead of CWE-822