Categories

The software does not handle or incorrectly handles an exceptional condition.

The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

The software does not verify, or incorrectly verifies, the cryptographic signature for data.

The software generates an error message that includes sensitive information about its environment, users, or associated data.

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.