Comprehensive Categorization: Resource Control
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to resource control.
Weaknesses
The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the ...
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.
A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from t...
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system beha...
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but...
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control mo...
The product's architecture mirrors regions without ensuring that their contents always stay in sync.
Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the appli...
The product releases a resource that is still intended to be used by itself or another actor.
The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.
The product uses or accesses a file descriptor after it has been closed.
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes ...
The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original deve...
Concepts
This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...