Categories

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.

The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

The product implements a cryptographic algorithm using a non-standard or unproven cryptographic primitive.

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.

The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.