Categories

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

The software does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.