Variant · Low-Medium

CWE-585: Empty Synchronized Block

The product contains an empty synchronized block.

CWE-585 · Variant Level · 1 Mitigation

Description

The product contains an empty synchronized block.

An empty synchronized block does not accomplish any useful synchronization: the thread acquires the monitor and immediately releases it without touching any shared state, so nothing is protected from concurrent access. It may indicate a troubled section of code. An empty synchronized block often arises because code that is no longer needed inside the block was commented out or deleted without removing the enclosing synchronized statement.

Potential Impact

Other

Demonstrative Examples

The following code attempts to synchronize on an object but executes nothing inside the synchronized block. Beyond acquiring and releasing the monitor on this, it accomplishes nothing, and it may be a sign that a programmer is wrestling with synchronization but has not yet achieved the result they intend.
Bad
synchronized(this) { }
Instead, in a correct usage, the synchronized statement should contain the statements that access or modify data shared between threads. For example, consider a scenario in which several threads access student records at the same time. The method that sets the student ID to a new value must ensure that no other thread is reading or writing that field at the same moment, so it requires synchronization. Note that the guarantee only holds if every other access to the field (the getter included) synchronizes on the same monitor; a synchronized writer paired with an unsynchronized reader still leaves a data race.
Good
public void setID(int ID) {
    synchronized (this) {
        this.ID = ID;   // the guarded write: the monitor protects this field
    }
}

Mitigations & Prevention

Implementation

When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intention was and whether or not the synchronized block is still necessary. If the block was meant to guard shared state, restore the guarded statements inside it; if nothing remains to protect, remove the block rather than leave it in place, where it misleads reviewers into assuming synchronization exists.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
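As an added example (not code from the page or from MITRE), the following Python script implements the static check described in the Detection Methods bullet above and in the description: it scans Java source for synchronized statements whose body is empty, treats a body consisting only of commented-out code as empty, and ignores the keyword when it is a method modifier or appears inside a string literal. The Java sample it scans is constructed for this example; the class and member names (Student, setID, refresh, reload, touch, lock, note) are hypothetical.

```python
import re

# Constructed sample Java source for this example (not code from the page).
# It contains one genuine synchronized block, one empty block, one block whose
# body is entirely commented-out code, an empty synchronized METHOD (a different
# construct, not the statement form CWE-585 describes), and the keyword inside
# a string literal.
SAMPLE_JAVA = """\
class Student {
    private int id;
    private final Object lock = new Object();

    public void setID(int ID) {
        synchronized (this) {
            this.id = ID;
        }
    }

    public void refresh() {
        synchronized (lock) { }
    }

    public void reload() {
        synchronized (this) {
            // this.cache = load();
            /* audit("reload"); */
        }
    }

    public synchronized void touch() { }

    String note = "synchronized (x) { }";
}
"""

# Comments, string literals and char literals in one alternation, so that a
# "//" inside a string or a quote inside a comment cannot confuse the scan.
_SKIP_RE = re.compile(
    r"/\*.*?\*/"                 # block comment
    r"|//[^\n]*"                 # line comment
    r"|\"(?:\\.|[^\"\\\n])*\""   # string literal
    r"|'(?:\\.|[^'\\\n])*'",     # char literal
    re.DOTALL,
)


def strip_comments_and_literals(src):
    """Blank out comments and literal contents, keeping every newline so that
    offsets in the result map back to the original line numbers."""
    def blank(m):
        text = m.group(0)
        if text.startswith("/"):
            return re.sub(r"[^\n]", " ", text)   # comment -> spaces
        return text[0] + text[-1]                # "..." -> "" and '.' -> ''
    return _SKIP_RE.sub(blank, src)


def _match_close(text, start, open_ch, close_ch):
    """Return the index just past the delimiter closing the one before start,
    or -1 if the text is unbalanced."""
    depth, i = 1, start
    while i < len(text) and depth:
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
        i += 1
    return i if depth == 0 else -1


def find_empty_synchronized_blocks(src):
    """Return (line, lock_expression) for every `synchronized (expr) { }`
    statement whose body is empty once comments are removed.

    Heuristic, not a Java parser (assumption): text blocks (triple quotes) are
    not handled. The `synchronized` method modifier is never followed by '('
    and is therefore never matched.
    """
    clean = strip_comments_and_literals(src)
    findings = []
    for kw in re.finditer(r"\bsynchronized\s*\(", clean):
        paren_end = _match_close(clean, kw.end(), "(", ")")
        if paren_end < 0:
            break
        lock_expr = clean[kw.end():paren_end - 1].strip()
        j = paren_end
        while j < len(clean) and clean[j].isspace():
            j += 1
        if j >= len(clean) or clean[j] != "{":
            continue                          # not a block statement
        brace_end = _match_close(clean, j + 1, "{", "}")
        if brace_end < 0:
            break
        body = clean[j + 1:brace_end - 1]
        if not body.strip():                  # nothing but whitespace/comments
            line = clean.count("\n", 0, kw.start()) + 1
            findings.append((line, lock_expr))
    return findings


if __name__ == "__main__":
    for line, lock in find_empty_synchronized_blocks(SAMPLE_JAVA):
        print(f"line {line}: empty synchronized block on '{lock}'")
```

Run directly, it reports lines 12 and 16 of the embedded sample and nothing for the real block on line 6, the synchronized method on line 22, or the string on line 24; pass the text of any Java file to find_empty_synchronized_blocks to scan it. Because it is a heuristic rather than a parser, each hit should be confirmed by reading the surrounding code, which is also what the mitigation above asks for. SpotBugs flags the same construct under its ESync_EMPTY_SYNC bug pattern.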

Taxonomy Mappings

  • Software Fault Patterns: SFP21 — Multiple locks/unlocks

Frequently Asked Questions

What is CWE-585?

CWE-585 (Empty Synchronized Block) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product contains an empty synchronized block.

How can CWE-585 be exploited?

CWE-585 is not a directly exploitable flaw on its own; MITRE records its technical impact only as "Other". The risk is indirect: an empty synchronized block guards nothing, so whatever shared data it was meant to protect can be read or modified concurrently without mutual exclusion, while a reviewer may wrongly believe that synchronization is in place. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-585?

Key mitigations include: when you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intention was and whether or not the synchronized block is still necessary.

What is the severity of CWE-585?

CWE-585 is classified as a Variant-level weakness, the most specific level of abstraction in CWE; the rating shown at the top of this page is Low-Medium. Its actual severity depends on the specific context and how the weakness manifests in your application.