CVEbaza.plSłownik CWECWE-252
Common Weakness Enumeration

CWE-252

Unchecked Return Value

Kategoria: BaseCVE: 207
Opis

Produkt nie sprawdza wartości zwracanej przez metodę lub funkcję, co może uniemożliwić wykrycie nieoczekiwanych stanów i warunków. Brak weryfikacji wartości zwracanej może prowadzić do błędów w działaniu aplikacji.

Description (EN)

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Podatności CVE z CWE-252 (207)
9.8
CVSS
CRITICAL
CVE-2021-38171

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

pub. 2021-08-21
9.8
CVSS
CRITICAL
CVE-2021-26955

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because xcb::xproto::GetAtomNameReply::name() calls std::str::from_utf8_unchecked() on unvalidated bytes from an X server.

pub. 2021-02-09
9.8
CVSS
CRITICAL
CVE-1999-0199

manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999.

pub. 2020-10-06
9.8
CVSS
CRITICAL
CVE-2019-15900

An issue was discovered in slicer69 doas before 6.2 on certain platforms other than OpenBSD. On platforms without strtonum(3), sscanf was used without checking for error cases. Instead, the uninitialized variable errstr was checked and in some cases returned success even if sscanf failed. The result was that, instead of reporting that the supplied username or group name did not exist, it would execute the command as root.

pub. 2019-10-18
9.8
CVSS
CRITICAL
CVE-2010-0211

The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite.

pub. 2010-07-28
9.8
CVSS
CRITICAL
CVE-2007-3798

Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.

pub. 2007-07-16
9.3
CVSS
CRITICAL
CVE-2025-66565

W bibliotece Gofiber Utils w wersjach 2.0.0-rc.3 i wcześniejszych funkcje generowania UUID po cichu przełączają się na przewidywalne wartości, gdy systemowy generator liczb losowych (crypto/rand) zawiedzie. Atakujący może przewidzieć lub odgadnąć generowane identyfikatory, kompromitując bezpieczeństwo aplikacji korzystających z nich w operacjach wymagających kryptograficznej losowości.

pub. 2025-12-09
9.1
CVSS
CRITICAL
CVE-2024-50306

Błąd w Apache Traffic Server polegający na ignorowaniu wartości zwracanej przez funkcję (CWE-252) pozwala procesowi serwera zachować podwyższone uprawnienia po uruchomieniu. Jest to krytyczna podatność, ponieważ serwer działający z niezamierzonymi uprawnieniami stwarza ryzyko naruszenia integralności systemu i jego dostępności bez konieczności uwierzytelnienia.

pub. 2024-11-14
9.1
CVSS
CRITICAL
CVE-2022-25718

Cryptographic issue in WLAN due to improper check on return value while authentication handshake in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

pub. 2022-10-19
9.1
CVSS
CRITICAL
CVE-2022-23806

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

pub. 2022-02-11
8.8
CVSS
HIGH
CVE-2026-22861

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.

pub. 2026-01-13
8.8
CVSS
HIGH
CVE-2026-22255

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

pub. 2026-01-08
8.8
CVSS
HIGH
CVE-2026-22046

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

pub. 2026-01-07
8.8
CVSS
HIGH
CVE-2026-22047

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `SIccCalcOp::Describe()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

pub. 2026-01-07
8.8
CVSS
HIGH
CVE-2024-38427

In International Color Consortium DemoIccMAX before 85ce74e, a logic flaw in CIccTagXmlProfileSequenceId::ParseXml in IccXML/IccLibXML/IccTagXml.cpp results in unconditionally returning false.

pub. 2024-06-16
8.8
CVSS
HIGH
CVE-2021-26958

An issue was discovered in the xcb crate through 2021-02-04 for Rust. It has a soundness violation because transmutation to the wrong type can happen after xcb::base::cast_event uses std::mem::transmute to return a reference to an arbitrary type.

pub. 2021-02-09
8.8
CVSS
HIGH
CVE-2019-15942

FFmpeg through 4.2 has a "Conditional jump or move depends on uninitialised value" issue in h2645_parse because alloc_rbsp_buffer in libavcodec/h2645_parse.c mishandles rbsp_buffer.

pub. 2019-09-05
8.7
CVSS
HIGH
CVE-2026-40060

When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2026-05-13
8.7
CVSS
HIGH
CVE-2026-21920

An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, receives a specifically formatted DNS request flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1.

pub. 2026-01-15
8.7
CVSS
HIGH
CVE-2025-61935

When a BIG IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2025-10-15
Pokazano 20 z 207 podatności
Informacje
ID: CWE-252
Typ: Base
Podatności: 207
MITRE CWE ↗
← Słownik CWE
CWE-252 — Niezweryfikowana wartość zwracana | Słownik CWE | CVEbaza.pl