CWE-696: Incorrect Behavior Order
Abstraction: Class
What it is
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.
Impact
| Scope     | Technical impact      |
|-----------|-----------------------|
| Integrity | Alter Execution Logic |
Real-world CVE examples
- CVE-2019-9805 — Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory
- CVE-2007-5191 — file-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintende
- CVE-2007-1588 — C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges, potentially allowing CGI programs to be cal
- CVE-2022-37734 — Chain: lexer in Java-based GraphQL server does not enforce maximum of tokens early enough (CWE-696), allowing excessive CPU consumption (CWE-1176)
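The two setuid/setgid entries above share one root cause: a program that calls setuid() before setgid() drops its user privilege first and then can no longer change its group, so the group privilege is kept. The function below, added here as an illustration and not code from MITRE or from any of the affected projects, shows the order a defender wants (group first, then user), checks every return value, and verifies afterwards that the drop actually took effect. The function name drop_privileges and its arguments are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * drop_privileges: permanently give up root, in the correct order.
 * (Hypothetical helper written for this example.)
 *
 * Returns 0 on success, -1 on any failure. Callers must treat -1 as
 * fatal: continuing with partially dropped privileges is the weakness
 * described by CWE-696 / CVE-2007-5191 / CVE-2007-1588.
 */
int drop_privileges(uid_t new_uid, gid_t new_gid) {
    /* 1. Group first. Once the UID is no longer 0, setgid() to an
     *    arbitrary group fails with EPERM, so doing it second either
     *    fails or silently keeps the privileged group. */
    if (setgid(new_gid) != 0) {
        perror("setgid");
        return -1;
    }

    /* 2. User second. This is the irreversible step. */
    if (setuid(new_uid) != 0) {
        perror("setuid");
        return -1;
    }

    /* 3. Verify, never assume: the kernel may succeed in ways the caller
     *    did not intend (e.g. only the effective ID changed). */
    if (getgid() != new_gid || getegid() != new_gid) {
        fprintf(stderr, "group drop did not take effect\n");
        return -1;
    }
    if (getuid() != new_uid || geteuid() != new_uid) {
        fprintf(stderr, "user drop did not take effect\n");
        return -1;
    }

    /* 4. If we dropped root, regaining it must now be impossible. */
    if (new_uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privileges could be regained\n");
        return -1;
    }
    return 0;
}

/*
 * drop_privileges_wrong_order: the pattern behind the CVEs above, kept
 * only for comparison. Started as root, the setgid() call fails (or is
 * ignored when unchecked) because the UID was already dropped.
 */
int drop_privileges_wrong_order(uid_t new_uid, gid_t new_gid) {
    if (setuid(new_uid) != 0) return -1;
    if (setgid(new_gid) != 0) return -1;  /* EPERM once UID != 0 */
    return 0;
}

int main(void) {
    /* Dropping to the IDs we already hold is always permitted, so this
     * runs as an unprivileged user as well as under root. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to continue with partial privileges\n");
        return 1;
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root with a real unprivileged uid/gid, drop_privileges_wrong_order() returns -1 at the setgid() step, which is exactly the failure the affected programs did not check for; drop_privileges() succeeds and leaves the process unable to climb back.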
Related weaknesses
Source: MITRE CWE. View on cwe.mitre.org →