LIVE NEWSROOM · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS


CWE-684

Incorrect Provision of Specified Functionality

Class

What it is

The code does not function according to its published specifications, potentially leading to incorrect usage.

When providing functionality to an external party, it is important that the product behaves in accordance with the details specified. When requirements or nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state.

Impact

Other: Quality Degradation

Mitigations

  • [Implementation] Ensure that your code strictly conforms to specifications.

Real-world CVE examples

  • CVE-2002-1446 — Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
  • CVE-2001-1559 — Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
  • CVE-2003-0187 — Program uses large timeouts on unconfirmed connections resulting from inconsistency in linked lists implementations.
  • CVE-1999-1446 — UI inconsistency; visited URLs list not cleared when "Clear History" option is selected.
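The pattern in the first CVE above (a check that detects a bad signature but still reports success) can be caught by testing return values against the published contract. The following is an added example, not code from MITRE or from any affected library; the status codes, the fixed 4-byte tag standing in for a real signature check, and all function names are constructed for illustration.

```c
#include <stddef.h>

/* Published contract (constructed for this example):
 *   VERIFY_OK       only when sig matches the expected tag
 *   VERIFY_BAD_SIG  on any mismatch
 *   VERIFY_BAD_ARG  on NULL input or wrong length */
enum { VERIFY_OK = 0, VERIFY_BAD_SIG = 1, VERIFY_BAD_ARG = 2 };
#define TAG_LEN 4

typedef int (*verify_fn)(const unsigned char *sig, size_t len);

/* Stand-in for a real signature check: constant-time compare to a fixed tag. */
static const unsigned char EXPECTED[TAG_LEN] = { 0xde, 0xad, 0xbe, 0xef };
static int tag_differs(const unsigned char *sig) {
    unsigned char d = 0;
    for (size_t i = 0; i < TAG_LEN; i++) d |= sig[i] ^ EXPECTED[i];
    return d != 0;
}

/* Nonconforming: the mismatch is detected but the status is never updated,
 * so the caller still sees VERIFY_OK. */
int verify_nonconforming(const unsigned char *sig, size_t len) {
    int status = VERIFY_OK;
    if (sig == NULL || len != TAG_LEN) return VERIFY_BAD_ARG;
    if (tag_differs(sig)) { /* detected, but not reported */ }
    return status;
}

/* Conforming: fail closed; VERIFY_OK is reachable only on a match. */
int verify_conforming(const unsigned char *sig, size_t len) {
    if (sig == NULL || len != TAG_LEN) return VERIFY_BAD_ARG;
    return tag_differs(sig) ? VERIFY_BAD_SIG : VERIFY_OK;
}

/* Conformance check: count cases where the return value departs from the contract. */
int count_spec_violations(verify_fn f) {
    static const unsigned char good[TAG_LEN] = { 0xde, 0xad, 0xbe, 0xef };
    static const unsigned char bad[TAG_LEN]  = { 0xde, 0xad, 0xbe, 0xee };
    int v = 0;
    v += f(good, TAG_LEN)     != VERIFY_OK;      /* positive case */
    v += f(bad, TAG_LEN)      != VERIFY_BAD_SIG; /* negative case */
    v += f(good, TAG_LEN - 1) != VERIFY_BAD_ARG; /* wrong length */
    v += f(NULL, TAG_LEN)     != VERIFY_BAD_ARG; /* NULL input */
    return v;
}
```

A test suite that only exercises the valid-signature path passes both implementations; the negative case is the one that separates them.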


Source: MITRE CWE (cwe.mitre.org).