CWE 4.1 is now available!!

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CWE 4.1 is now available!!


Dear CWE Community,


I hope you are all in good health and spirits. I am thrilled to say that the new minor release for CWE 4.1 is now available on our website – This would not have been possible without many content suggestions from several industry stakeholders including Veracode, Trend Micro, Intel, Tortuga Logic, and Wells Fargo. Thank you all so much for contributing your time and effort to improve CWE for the wider community.


detailed report is available that lists specific changes between Version 4.0 and Version 4.1, but below I have outlined some of the key changes.


1) Twenty-seven (27) new Hardware Design Weaknesses:

  • CWE-1254: Incorrect Comparison Logic Granularity
  • CWE-1256: Hardware Features Enable Physical Attacks from Software
  • CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions
  • CWE-1258: Sensitive Information Uncleared During Debug Flows
  • CWE-1259: Improper Protection of Security Identifiers
  • CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
  • CWE-1261: Improper Handling of Single Event Upsets
  • CWE-1262: Register Interface Allows Software Access to Sensitive Data or Security Settings
  • CWE-1263: Insufficient Physical Protection Mechanism
  • CWE-1264: Hardware Logic with Insecure De-Synchronization between Control and Data Channels
  • CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device
  • CWE-1267: Policy Uses Obsolete Encoding
  • CWE-1268: Control Policy in Hardware Design Contains Agents not in Write Policy
  • CWE-1269: Product Released in Non-Release Configuration
  • CWE-1270: Incorrect Generation of Security Identifiers
  • CWE-1271: Missing Known Value on Reset for Registers Holding Security Settings
  • CWE-1272: Debug/Power State Transitions Leak Information
  • CWE-1273: Device Unlock Credential Sharing
  • CWE-1274: Insufficient Protections on the Volatile Memory Containing Boot Code
  • CWE-1276: Hardware Block Incorrectly Connected to Larger System
  • CWE-1277: Firmware Not Updateable
  • CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
  • CWE-1279: Cryptographic Primitives used without Successful Self-Test
  • CWE-1280: Access Control Check Implemented After Asset is Accessed
  • CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)
  • CWE-1282: Immutable Data Stored in Writable Memory
  • CWE-1283: Mutable Attestation or Measurement Reporting Data


2) Two (2) new Software Development Weaknesses:

  • CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
  • CWE-1275: Sensitive Cookie with Improper “SameSite” Attribute


3) Refactored CWE-20: Improper Input Validation to add six (6) new children for different kinds of validation characteristics:

  • CWE-1284: Improper Validation of Specified Quantity in Input
  • CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input
  • CWE-1286: Improper Validation of Syntactic Correctness of Input
  • CWE-1287: Improper Validation of Specified Type of Input
  • CWE-1288: Improper Validation of Consistency within Input
  • CWE-1289: Improper Validation of Unsafe Equivalence in Input


The Description for CWE-20 was also updated to clarify that input validation is just one technique used to ensure that inputs are shown in CWE-707: Improper Neutralization.


4) Updated 214 existing entries to add relationships for the 35 new weaknesses added in CWE Version 4.1.



There are 875 weaknesses and a total of 1,287 entries on the CWE List.

Changes for the new version include the following:

New Views Added:


Views Deprecated:


New Entries Added:


Entries Deprecated:


Entries with Major Changes:


Entries with only Minor Changes:


Entries Unchanged:



Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter

As always, thank you so much for your continued support!






Alec J. Summers

Cyber Solutions Division

Group Leader, Software Assurance

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426


MITRE - Solving Problems for a Safer World