1. Home
  2. CWE Database
  3. CWE-572
Variant · Low-Medium

CWE-572: Call to Thread run() instead of start()

The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

CWE-572 · Variant Level ·1 Mitigations

Description

The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

In most cases a direct call to a Thread object's run() method is a bug. The programmer intended to begin a new thread of control, but accidentally called run() instead of start(), so the run() method will execute in the caller's thread of control.

Potential Impact

Other

Quality Degradation, Varies by Context

Demonstrative Examples

The following excerpt from a Java program mistakenly calls run() instead of start().
Bad
Thread thr = new Thread() {public void run() {...}};
                     thr.run();

Mitigations & Prevention

Implementation

Use the start() method instead of the run() method.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-821: Incorrect Synchronization

The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resou...

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): THI00-J — Do not invoke Thread.run()
  • Software Fault Patterns: SFP3 — Use of an improper API

Frequently Asked Questions

What is CWE-572?

CWE-572 (Call to Thread run() instead of start()) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

How can CWE-572 be exploited?

Attackers can exploit CWE-572 (Call to Thread run() instead of start()) to quality degradation, varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-572?

Key mitigations include: Use the start() method instead of the run() method.

What is the severity of CWE-572?

CWE-572 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.