CWE is a community-developed list of common software and hardware weakness types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.
CWE Number   Name
CWE-1240     Use of a Cryptographic Primitive with a Risky Implementation
CWE-1241     Use of Predictable Algorithm in Random Number Generator
CWE-1242     Inclusion of Undocumented Features or Chicken Bits
CWE-1243     Sensitive Non-Volatile Information Not Protected During Debug
CWE-1244     Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1245     Improper Finite State Machines (FSMs) in Hardware Logic
CWE-1246     Improper Write Handling in Limited-write Non-Volatile Memories
CWE-1247     Improper Protection Against Voltage and Clock Glitches
CWE-1248     Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
CWE-1249     Application-Level Admin Tool with Inconsistent View of Underlying Operating System
CWE-1250     Improper Preservation of Consistency Between Independent Representations of Shared State
CWE-1251     Mirrored Regions with Different Values
CWE-1252     CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
CWE-1253     Incorrect Selection of Fuse Values
CWE-1254     Incorrect Comparison Logic Granularity
CWE-1255     Comparison Logic is Vulnerable to Power Side-Channel Attacks
CWE-1256     Improper Restriction of Software Interfaces to Hardware Features
CWE-1257     Improper Access Control Applied to Mirrored or Aliased Memory Regions
CWE-1258     Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE-1259     Improper Restriction of Security Token Assignment
CWE-1260     Improper Handling of Overlap Between Protected Memory Ranges
CWE-1261     Improper Handling of Single Event Upsets
CWE-1262     Improper Access Control for Register Interface
CWE-1263     Improper Physical Access Control
CWE-1264     Hardware Logic with Insecure De-Synchronization between Control and Data Channels
CWE-1265     Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
CWE-1266     Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-1267     Policy Uses Obsolete Encoding
CWE-1268     Policy Privileges are not Assigned Consistently Between Control and Data Agents
CWE-1269     Product Released in Non-Release Configuration
CWE-1270     Generation of Incorrect Security Tokens
CWE-1271     Uninitialized Value on Reset for Registers Holding Security Settings
CWE-1272     Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1273     Device Unlock Credential Sharing
CWE-1274     Improper Access Control for Volatile Memory Containing Boot Code
CWE-1275     Sensitive Cookie with Improper SameSite Attribute
CWE-1276     Hardware Child Block Incorrectly Connected to Parent System
CWE-1277     Firmware Not Updateable
CWE-1278     Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
CWE-1279     Cryptographic Operations are run Before Supporting Units are Ready
CWE-1280     Access Control Check Implemented After Asset is Accessed
CWE-1281     Sequence of Processor Instructions Leads to Unexpected Behavior
CWE-1282     Assumed-Immutable Data is Stored in Writable Memory
CWE-1283     Mutable Attestation or Measurement Reporting Data
CWE-1284     Improper Validation of Specified Quantity in Input
CWE-1285     Improper Validation of Specified Index, Position, or Offset in Input
CWE-1286     Improper Validation of Syntactic Correctness of Input
CWE-1287     Improper Validation of Specified Type of Input
CWE-1288     Improper Validation of Consistency within Input
CWE-1289     Improper Validation of Unsafe Equivalence in Input
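CWE-1284 and CWE-1285 in the list above are the two input-validation weaknesses a binary-format parser most often exhibits: trusting a count or length field that the input itself supplies, and trusting an offset or index the input supplies. The following is an added example, not code from the CWE site, showing the checks that close both. The record layout (a count byte, a table of offset/length pairs, then a payload the pairs index into) and the function and constant names are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes returned by parse_records(). */
enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER, /* buffer too short to hold the count byte */
    PARSE_BAD_COUNT,        /* CWE-1284: declared count exceeds what the buffer holds */
    PARSE_BAD_RANGE         /* CWE-1285: an offset/length pair points outside the payload */
};

/* One record: a byte range inside the payload area. */
struct record { uint8_t off; uint8_t len; };

#define MAX_RECORDS 16

/* Constructed layout (hypothetical, for this example only):
 *   byte 0        : n, the number of records
 *   bytes 1..2n   : n pairs of (offset, length)
 *   bytes 2n+1..  : payload that the pairs index into
 *
 * An unchecked parser would loop n times over the table and then read
 * payload[off .. off+len) for each pair; with attacker-chosen n, off and
 * len that is an out-of-bounds read. Every value taken from the input is
 * checked here before it drives a loop bound or an index. */
int parse_records(const uint8_t *buf, size_t buf_len,
                  struct record *out, size_t *out_count)
{
    if (buf_len < 1)
        return PARSE_TRUNCATED_HEADER;

    size_t count = buf[0];
    /* CWE-1284: validate the specified quantity. The table it describes
       must actually fit in the buffer, and it must fit in our output array. */
    if (count > MAX_RECORDS || 1 + count * 2 > buf_len)
        return PARSE_BAD_COUNT;

    size_t payload_len = buf_len - (1 + count * 2);

    for (size_t i = 0; i < count; i++) {
        size_t off = buf[1 + 2 * i];
        size_t len = buf[2 + 2 * i];
        /* CWE-1285: validate offset and length together against the payload.
           Writing the test as off > payload_len - len (after checking len)
           avoids the wraparound that off + len > payload_len can suffer with
           wider fields; the fields here are 8-bit, but the shape generalizes. */
        if (len > payload_len || off > payload_len - len)
            return PARSE_BAD_RANGE;
        out[i].off = (uint8_t)off;
        out[i].len = (uint8_t)len;
    }
    *out_count = count;
    return PARSE_OK;
}

/* Constructed sample messages, exercised by the helpers below. */
static int run_sample(const uint8_t *msg, size_t msg_len, size_t *n)
{
    struct record recs[MAX_RECORDS];
    *n = 0;
    return parse_records(msg, msg_len, recs, n);
}

/* Two records covering "hel" and "lo" of the payload "hello": well formed. */
int example_valid(size_t *n)
{
    static const uint8_t msg[] = { 2, 0, 3, 3, 2, 'h', 'e', 'l', 'l', 'o' };
    return run_sample(msg, sizeof msg, n);
}

/* Count byte claims 5 records but only 5 more bytes follow: CWE-1284 case. */
int example_bad_count(size_t *n)
{
    static const uint8_t msg[] = { 5, 0, 1, 0, 1, 'x' };
    return run_sample(msg, sizeof msg, n);
}

/* One record at offset 4, length 3, over a 5-byte payload: CWE-1285 case. */
int example_bad_range(size_t *n)
{
    static const uint8_t msg[] = { 1, 4, 3, 'h', 'e', 'l', 'l', 'o' };
    return run_sample(msg, sizeof msg, n);
}

int main(void)
{
    size_t n;
    printf("valid     -> %d (%zu records)\n", example_valid(&n), n);
    printf("bad count -> %d\n", example_bad_count(&n));
    printf("bad range -> %d\n", example_bad_range(&n));
    return 0;
}
```

The point of the structure is that the count is validated before it becomes a loop bound and each offset/length pair is validated before it becomes an index, with the comparison arranged so that it cannot itself overflow. CWE-1288 (consistency within input) would additionally cover cross-field rules the format might impose, such as records not overlapping; that check is format-specific and is left out here.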