CWE-696: Incorrect Behavior Order
CWE version: 4.18
Last updated: 2025-09-09
Weakness description
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
Common consequences
Scope: Integrity
Technical impact: Alter Execution Logic
Observed examples
Reference: CVE-2019-9805
Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
Reference: CVE-2007-5191
File-system management programs call the setuid and setgid functions in the wrong order and do not check the return values, allowing attackers to gain unintended privileges.
Reference: CVE-2007-1588
C++ web server program calls Process::setuid before calling Process::setgid, preventing it from dropping privileges and potentially allowing CGI programs to be called with higher privileges than intended.
Reference: CVE-2022-37734
Chain: lexer in Java-based GraphQL server does not enforce maximum of tokens early enough (CWE-696), allowing excessive CPU consumption (CWE-1176)
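The privilege-dropping examples above (CVE-2007-5191, CVE-2007-1588) and the POS36-C mapping all come down to one ordering rule: revoke the group id while the process is still root, then the user id, and check every return value. The following is an added illustration, not code from the CWE entry or from the affected products; the function names drop_privileges and drop_privileges_wrong_order are my own.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from the CWE entry): drop to an unprivileged
 * uid/gid in the order POS36-C requires. Supplementary groups and the gid
 * are revoked while the process is still root, because once setuid() has
 * made the process non-root those calls are no longer permitted. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                 /* only root may clear the group list */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop: ids must match and root must not be regainable. */
    if (getuid() != uid || getgid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The ordering seen in CVE-2007-1588: user first, then group. Started as
 * root, setgid() here fails with EPERM because the process is no longer
 * privileged, so the group id (and its privileges) is never dropped.
 * Callers that ignore the return value (CVE-2007-5191) never notice. */
int drop_privileges_wrong_order(uid_t uid, gid_t gid) {
    if (setuid(uid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    return 0;
}

int main(void) {
    /* Constructed demo: dropping to the caller's own ids always succeeds,
     * so the program can be run unprivileged to see the checks pass. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges: %s (uid=%u gid=%u)\n",
           rc == 0 ? "ok" : "failed",
           (unsigned)getuid(), (unsigned)getgid());
    return rc == 0 ? 0 : 1;
}
```

Run as root with a non-root target uid/gid, drop_privileges returns 0 while drop_privileges_wrong_order returns -1 at the setgid step, which is the defect the two CVEs describe.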
Modes of introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Taxonomy mappings
| Taxonomy name | Node ID | Node name | Mapping fit |
|---|---|---|---|
| CERT C Secure Coding | POS36-C | Observe correct revocation order while relinquishing privileges | CWE More Abstract |