Comprehensive Categorization: Protection Mechanism Failure

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to protection mechanism failure.


Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it doe...

Client-Side Enforcement of Server-Side Security

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Collapse of Data into Unsafe Value

The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

Improper Protection against Electromagnetic Fault Injection (EM-FI)

The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.

Improper Protections Against Hardware Overheating

A hardware device is missing or has inadequate protection features to prevent overheating.

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other actio...

Incorrect Selection of Fuse Values

The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse.

Insufficient Logging

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Insufficient UI Warning of Dangerous Operations

The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.

Missing Immutable Root of Trust in Hardware

A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.

Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as sca...

Missing Support for Security Features in On-chip Fabrics or Buses

On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.

Multiple Interpretations of UI Input

The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.

Obscured Security-relevant Information by Alternate Name

The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.

Omission of Security-relevant Information

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

Product Released in Non-Release Configuration

The product released to market is released in pre-production or manufacturing configuration.

Product UI does not Warn User of Unsafe Actions

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into ...

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Public Key Re-Use for Signing both Debug and Production Code

The same public key is used for signing both debug and production code.

Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses ...

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mecha...

Semiconductor Defects in Hardware Logic with Security-Sensitive Implications

The security-sensitive hardware module contains semiconductor defects.

Truncation of Security-relevant Information

The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.


Comprehensive Categorization for Software Assurance Trends

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...

See Also

  1. CVE --> CWE Mapping Guidance - Quick Tips


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.