CWE-822: Untrusted Pointer Dereference
CWE version: 4.18
Last updated: 2025-09-09
Description
The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Memory
Note: If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart
Note: If the untrusted pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
Scope: Integrity, Confidentiality, Availability
Technical Impact: Execute Unauthorized Code or Commands; Modify Memory
Note: If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
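The pattern the description and consequences refer to is easiest to see in a small message handler. The following C program is an added illustration, not code from CWE or from any of the products cited below; the packet formats, the `session` struct and the handle table are all constructed for this example. It places the weakness (a wire value cast straight to a pointer and dereferenced) next to the usual mitigation: the peer only ever sends an opaque handle, and the product resolves it against a table it owns, rejecting out-of-range and stale handles.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 8

/* Constructed object type that a peer refers to across messages. */
struct session { uint32_t id; char name[16]; };

/* ---- Vulnerable pattern: the packet body carries a raw pointer value ---- */
struct packet_raw { uint64_t ptr; };

/* CWE-822: whatever the peer put on the wire becomes the address we read.
 * A hostile value crashes the process or leaks memory at a chosen address. */
uint32_t handle_packet_unsafe(const struct packet_raw *pkt) {
    const struct session *s = (const struct session *)(uintptr_t)pkt->ptr;
    return s->id;
}

/* ---- Hardened pattern: the packet carries an opaque handle ---- */
struct packet_handle { uint32_t handle; };

/* Handle = (generation << 16) | index. The product owns the table; the peer
 * never sees an address. The generation counter is bumped on release so a
 * handle that outlives its object is rejected instead of reaching stale data. */
static struct session table[MAX_SESSIONS];
static uint16_t generation[MAX_SESSIONS];
static uint8_t live[MAX_SESSIONS];

static uint32_t make_handle(uint16_t idx, uint16_t gen) {
    return ((uint32_t)gen << 16) | idx;
}

/* Allocate a slot; returns 0 and writes the handle, or -1 if the table is full. */
int register_session(uint32_t id, const char *name, uint32_t *handle_out) {
    for (uint16_t i = 0; i < MAX_SESSIONS; i++) {
        if (!live[i]) {
            live[i] = 1;
            table[i].id = id;
            snprintf(table[i].name, sizeof table[i].name, "%s", name);
            *handle_out = make_handle(i, generation[i]);
            return 0;
        }
    }
    return -1;
}

/* The only way an untrusted handle turns into a pointer: bounds, liveness
 * and generation are all checked before any dereference. */
static struct session *lookup(uint32_t handle) {
    uint16_t idx = (uint16_t)(handle & 0xFFFFu);
    uint16_t gen = (uint16_t)(handle >> 16);
    if (idx >= MAX_SESSIONS || !live[idx] || generation[idx] != gen) return NULL;
    return &table[idx];
}

int release_session(uint32_t handle) {
    struct session *s = lookup(handle);
    if (!s) return -1;
    size_t idx = (size_t)(s - table);
    live[idx] = 0;
    generation[idx]++;          /* invalidates every outstanding handle to this slot */
    memset(s, 0, sizeof *s);
    return 0;
}

/* Returns 0 and the session id, or -1 for any handle that does not resolve. */
int handle_packet_safe(const struct packet_handle *pkt, uint32_t *id_out) {
    const struct session *s = lookup(pkt->handle);
    if (!s) return -1;
    *id_out = s->id;
    return 0;
}

int main(void) {
    uint32_t h = 0, id = 0;
    register_session(42, "alice", &h);

    /* The raw-pointer variant only behaves while the peer is honest. */
    struct packet_raw honest = { (uint64_t)(uintptr_t)&table[0] };
    printf("unsafe, honest peer: id=%u\n", handle_packet_unsafe(&honest));

    struct packet_handle good = { h };
    struct packet_handle bogus = { 0xDEADBEEFu };   /* constructed hostile value */
    printf("valid handle: rc=%d id=%u\n", handle_packet_safe(&good, &id), id);
    printf("bogus handle: rc=%d\n", handle_packet_safe(&bogus, &id));

    release_session(h);
    printf("stale handle: rc=%d\n", handle_packet_safe(&good, &id));
    return 0;
}
```

The point of the handle table is that every conversion from an untrusted value to a pointer passes through `lookup`, so a packet can only ever name objects the product deliberately exposed, and a freed object cannot be reached through an old handle because its generation no longer matches.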
Observed Examples
Reference: CVE-2007-5655
Message-passing framework interprets values in packets as pointers, causing a crash.
Reference: CVE-2010-2299
Labeled as a "type confusion" issue, also referred to as a "stale pointer." However, the bug ID says "contents are simply interpreted as a pointer... renderer ordinarily doesn't supply this pointer directly". The "handle" in the untrusted area is replaced in one function, but not another - thus also, effectively, exposure to wrong sphere (CWE-668).
Reference: CVE-2009-1719
Untrusted dereference using undocumented constructor.
Reference: CVE-2009-1250
An error code is incorrectly checked and interpreted as a pointer, leading to a crash.
Reference: CVE-2009-0311
An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution.
Reference: CVE-2010-1818
Undocumented attribute in multimedia software allows "unmarshaling" of an untrusted pointer.
Reference: CVE-2010-3189
ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer.
Reference: CVE-2010-1253
Spreadsheet software treats certain record values in a way that leads to a "user-controlled pointer" (might be an untrusted offset, not an untrusted pointer).