CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

CWE-395 · Base Level · 1 Mitigation

Description

Programmers typically catch NullPointerException under three circumstances; of these three circumstances, only the last is acceptable.

Potential Impact

Availability

DoS: Resource Consumption (CPU)

Demonstrative Examples

The following code mistakenly catches a NullPointerException.
Bad
try {
    mysteryMethod();
} catch (NullPointerException npe) {
    // The exception is swallowed: the null dereference is hidden, not fixed.
}

Mitigations & Prevention

Architecture and Design; Implementation

Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application.
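To show the weakness beside its fix, here is an added example (not code from the CWE entry or from any project) that performs the same lookup the CWE-395 way and with an explicit null check; the class Cwe395Example and the DISPLAY_NAMES map are constructed for the illustration.

```java
import java.util.Map;
import java.util.Objects;

// Added example (not part of the CWE entry): one lookup written two ways.
public class Cwe395Example {
    // Constructed sample data: one known user; any other key resolves to null.
    private static final Map<String, String> DISPLAY_NAMES = Map.of("alice", "Alice Liddell");

    // Bad (CWE-395): relies on catching NullPointerException to detect a missing value.
    // Every miss pays for exception construction and stack-trace capture, which is the
    // CPU-consumption impact listed above, and the catch also swallows NPEs thrown by
    // genuine bugs anywhere inside the try block.
    static String greetingCatchingNpe(String username) {
        try {
            return "Hello, " + DISPLAY_NAMES.get(username).toUpperCase();
        } catch (NullPointerException npe) {
            return "Hello, guest";
        }
    }

    // Good: test for null before dereferencing. No exception is involved on the
    // expected path, and an NPE raised elsewhere still surfaces as a real defect.
    static String greetingWithCheck(String username) {
        String displayName = DISPLAY_NAMES.get(username);
        if (displayName == null) {
            return "Hello, guest";
        }
        return "Hello, " + displayName.toUpperCase();
    }

    // For arguments that must never be null, fail fast at the boundary instead of
    // catching the NPE later (the approach recommended by CERT ERR08-J).
    static String greetingRequired(String username) {
        Objects.requireNonNull(username, "username must not be null");
        return greetingWithCheck(username);
    }

    public static void main(String[] args) {
        System.out.println(greetingCatchingNpe("alice")); // Hello, ALICE LIDDELL
        System.out.println(greetingCatchingNpe("bob"));   // Hello, guest (reached via a thrown NPE)
        System.out.println(greetingWithCheck("bob"));     // Hello, guest (no exception thrown)
        System.out.println(greetingRequired("alice"));    // Hello, ALICE LIDDELL
    }
}
```

Run it with a repeated unknown username and compare the two paths under a profiler: the catching version allocates and fills a stack trace on every miss, the checking version does not.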

Detection Methods

  • Automated Static Analysis - Binary or Bytecode (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Manual Results Interpretation (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Source Code (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis - Source Code (Effectiveness: High) — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Architecture or Design Review (Effectiveness: High) — According to SOAR [REF-1479], the following detection techniques may be useful:

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Catching NullPointerException
  • The CERT Oracle Secure Coding Standard for Java (2011): ERR08-J — Do not catch NullPointerException or any of its ancestors

Frequently Asked Questions

What is CWE-395?

CWE-395 (Use of NullPointerException Catch to Detect NULL Pointer Dereference) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

How can CWE-395 be exploited?

Attackers can exploit CWE-395 (Use of NullPointerException Catch to Detect NULL Pointer Dereference) to cause DoS: Resource Consumption (CPU). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-395?

Key mitigations include: Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application.

What is the severity of CWE-395?

CWE-395 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.