CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
909 vulnerabilities reference this CWE, most recent first.
GHSA-C2MC-MH9M-R94V
Vulnerability from github – Published: 2024-09-02 06:30 – Updated: 2024-09-03 18:31In wlan, there is a possible denial of service due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08861558; Issue ID: MSV-1526.
{
"affected": [],
"aliases": [
"CVE-2024-20089"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-02T05:15:15Z",
"severity": "HIGH"
},
"details": "In wlan, there is a possible denial of service due to incorrect error handling. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08861558; Issue ID: MSV-1526.",
"id": "GHSA-c2mc-mh9m-r94v",
"modified": "2024-09-03T18:31:32Z",
"published": "2024-09-02T06:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20089"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/September-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C2Q7-642G-3VWR
Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-04-22 00:31Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
{
"affected": [],
"aliases": [
"CVE-2026-6772"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T13:16:23Z",
"severity": "HIGH"
},
"details": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.",
"id": "GHSA-c2q7-642g-3vwr",
"modified": "2026-04-22T00:31:38Z",
"published": "2026-04-21T15:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6772"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2026089"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-31"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-32"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-34"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C2WQ-M25G-5C8W
Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2024-06-24 21:33In the Linux kernel, the following vulnerability has been resolved:
tracing/probes: fix error check in parse_btf_field()
btf_find_struct_member() might return NULL or an error via the ERR_PTR() macro. However, its caller in parse_btf_field() only checks for the NULL condition. Fix this by using IS_ERR() and returning the error up the stack.
{
"affected": [],
"aliases": [
"CVE-2024-36481"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T12:15:11Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/probes: fix error check in parse_btf_field()\n\nbtf_find_struct_member() might return NULL or an error via the\nERR_PTR() macro. However, its caller in parse_btf_field() only checks\nfor the NULL condition. Fix this by using IS_ERR() and returning the\nerror up the stack.",
"id": "GHSA-c2wq-m25g-5c8w",
"modified": "2024-06-24T21:33:19Z",
"published": "2024-06-21T12:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36481"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ed468edfeb54c7202e559eba74c25fac6a0dad0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad4b202da2c498fefb69e5d87f67b946e7fe1e6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e569eb34970281438e2b48a3ef11c87459fcfbcb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C33M-PX5C-J98P
Vulnerability from github – Published: 2024-12-29 12:30 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c
Add error pointer check after calling otx2_mbox_get_rsp().
{
"affected": [],
"aliases": [
"CVE-2024-56728"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-29T12:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c\n\nAdd error pointer check after calling otx2_mbox_get_rsp().",
"id": "GHSA-c33m-px5c-j98p",
"modified": "2025-11-03T21:32:02Z",
"published": "2024-12-29T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56728"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05a6ce174c0c724e5914e1e5efd826bab8f382b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2db2194727b1f49a5096c1c3981adef1b7638733"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/55c41b97001a09bb490ffa2e667e251d75d15ab1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ff9de1f2712cbca53da2e37d831eea7ffcb43b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6cda142cee032b8fe65ee11f78721721c3988feb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c0f64fd73b60aee85f88c270c9d714ead27a7b7a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e26f8eac6bb20b20fdb8f7dc695711ebce4c7c5c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C36C-5H7J-842J
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.
{
"affected": [],
"aliases": [
"CVE-2020-7542"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T01:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum \u0026 Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.",
"id": "GHSA-c36c-5h7j-842j",
"modified": "2022-05-24T17:36:08Z",
"published": "2022-05-24T17:36:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7542"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-08"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C3Q2-JC4G-3Q9G
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2026-06-02 00:31In VerifyNoOverlapInSessions of apexd.cpp, there is a possible way to block security updates through mainline installations due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-48581"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T19:15:43Z",
"severity": "CRITICAL"
},
"details": "In VerifyNoOverlapInSessions of apexd.cpp, there is a possible way to block security updates through mainline installations due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-c3q2-jc4g-3q9g",
"modified": "2026-06-02T00:31:53Z",
"published": "2025-09-04T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48581"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/build/+/cda08bfbf55aed1e4c79efe6a66bb930d19a8a13"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/system/apex/+/13bbfe3ef2953e9805d57d3219cc122e485ba90f"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/system/apex/+/5a33fa4202cb5f06d7f02f3a2b8d13780d7cb3f5"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/2026/2026-06-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-09-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-11-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5J5-Q67X-GPCC
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2026-02-02 18:31An Improper Check for Unusual or Exceptional Conditions vulnerability in Brocade Fabric OS before 9.2.2.a could allow an authenticated, network-based attacker to cause a Denial-of-Service (DoS). The vulnerability is encountered when supportsave is invoked remotely, using ssh command or SANnav inline ssh, and the corresponding ssh session is terminated with Control C (^c ) before supportsave completion. This issue affects Brocade Fabric OS 9.0.0 through 9.2.2
{
"affected": [],
"aliases": [
"CVE-2025-4663"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T18:15:39Z",
"severity": "MODERATE"
},
"details": "An Improper Check for Unusual or \nExceptional Conditions vulnerability in Brocade Fabric OS before 9.2.2.a\n could allow an authenticated, network-based attacker to cause a \nDenial-of-Service (DoS).\nThe\n vulnerability is encountered when supportsave is invoked remotely, \nusing ssh command or SANnav inline ssh, and the corresponding ssh \nsession is terminated with Control C (^c ) before supportsave \ncompletion.\nThis issue affects Brocade Fabric OS 9.0.0 through 9.2.2",
"id": "GHSA-c5j5-q67x-gpcc",
"modified": "2026-02-02T18:31:28Z",
"published": "2025-07-08T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4663"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35815"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C6H8-W7QX-QJ83
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-145728687
{
"affected": [],
"aliases": [
"CVE-2021-0339"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T17:15:00Z",
"severity": "HIGH"
},
"details": "In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-145728687",
"id": "GHSA-c6h8-w7qx-qj83",
"modified": "2022-05-24T17:41:45Z",
"published": "2022-05-24T17:41:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0339"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-02-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C7PV-J8XR-MMHJ
Vulnerability from github – Published: 2026-04-23 18:33 – Updated: 2026-04-23 18:33An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections.
{
"affected": [],
"aliases": [
"CVE-2026-35225"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T15:37:23Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker is able to exhaust all available TCP connections in the CODESYS EtherNet/IP adapter stack, preventing legitimate clients from establishing new connections.",
"id": "GHSA-c7pv-j8xr-mmhj",
"modified": "2026-04-23T18:33:03Z",
"published": "2026-04-23T18:33:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35225"
},
{
"type": "WEB",
"url": "https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-04_vde-2026-040.json"
},
{
"type": "WEB",
"url": "https://www.certvde.com/en/advisories/VDE-2026-040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C7XM-PC9F-6XW4
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-29 15:30Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory. This issue was discovered by Insyde during security review. Fixed in: Kernel 5.1: Version 05.17.23 Kernel 5.2: Version 05.27.23 Kernel 5.3: Version 05.36.23 Kernel 5.4: Version 05.44.23 Kernel 5.5: Version 05.52.23 https://www.insyde.com/security-pledge/SA-2022061
{
"affected": [],
"aliases": [
"CVE-2022-29278"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-15T22:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory. This issue was discovered by Insyde during security review. Fixed in: Kernel 5.1: Version 05.17.23 Kernel 5.2: Version 05.27.23 Kernel 5.3: Version 05.36.23 Kernel 5.4: Version 05.44.23 Kernel 5.5: Version 05.52.23 https://www.insyde.com/security-pledge/SA-2022061",
"id": "GHSA-c7xm-pc9f-6xw4",
"modified": "2022-11-29T15:30:25Z",
"published": "2022-11-16T12:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29278"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2022061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.