LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-822

CWE-822

Untrusted Pointer Dereference

Base

What it is

The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

An attacker can supply a pointer for memory locations that the product is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a variable to an unexpected value (since the value will be read from an unexpected memory location).There are several variants of this weakness, including but not necessarily limited to:- The untrusted value is directly invoked as a function call.- In OS kernels or drivers where there is a boundary between "userland" and privileged memory spaces, an untrusted pointer might enter through an API or system call (see CWE-781 for one such example).- Inadvertently accepting the value from an untrusted control sphere when

Impact

ConfidentialityRead Memory
AvailabilityDoS: Crash, Exit, or Restart
Integrity, Confidentiality, AvailabilityExecute Unauthorized Code or Commands, Modify Memory

Real-world CVE examples

  • CVE-2007-5655 — message-passing framework interprets values in packets as pointers, causing a crash.
  • CVE-2010-2299 — labeled as a "type confusion" issue, also referred to as a "stale pointer." However, the bug ID says "contents are simply interpreted as a pointer... renderer o
  • CVE-2009-1719 — Untrusted dereference using undocumented constructor.
  • CVE-2009-1250 — An error code is incorrectly checked and interpreted as a pointer, leading to a crash.
  • CVE-2009-0311 — An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.
  • CVE-2010-1818 — Undocumented attribute in multimedia software allows "unmarshaling" of an untrusted pointer.
  • CVE-2010-3189 — ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.
  • CVE-2010-1253 — Spreadsheet software treats certain record values that lead to "user-controlled pointer" (might be untrusted offset, not untrusted pointer).

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top