1. Home
  2. CWE Database
  3. CWE-1164
Class · High

CWE-1164: Irrelevant Code

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have...

CWE-1164 · Class Level ·1 CVEs

Description

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

Irrelevant code could include dead code, initialization that is not used, empty blocks, code that could be entirely removed due to optimization, etc.

Potential Impact

Other

Reduce Reliability

Other

Reduce Performance

Demonstrative Examples

The condition for the second if statement is impossible to satisfy. It requires that the variables be non-null. However, on the only path where s can be assigned a non-null value, there is a return statement.
Bad
String s = null;if (b) {s = "Yes";return;}
                     if (s != null) {Dead();}
The following code excerpt assigns to the variable r and then overwrites the value without using it.
Bad
r = getName();r = getNewBuffer(buf);

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2014-1266Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-56

CWE-710: Improper Adherence to Coding Standards

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the...

Frequently Asked Questions

What is CWE-1164?

CWE-1164 (Irrelevant Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have...

How can CWE-1164 be exploited?

Attackers can exploit CWE-1164 (Irrelevant Code) to reduce reliability. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1164?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-1164?

CWE-1164 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVEs.