Description
The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
An attacker can supply a pointer for memory locations that the product is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a variable to an unexpected value (since the value will be read from an unexpected memory location). There are several variants of this weakness, including but not necessarily limited to:
Potential Impact
Confidentiality
Read Memory
Availability
DoS: Crash, Exit, or Restart
Integrity, Confidentiality, Availability
Execute Unauthorized Code or Commands, Modify Memory
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
- Automated Dynamic Analysis Moderate — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2007-5655 | message-passing framework interprets values in packets as pointers, causing a crash. |
| CVE-2010-2299 | labeled as a "type confusion" issue, also referred to as a "stale pointer." However, the bug ID says "contents are simply interpreted as a pointer... renderer ordinarily doesn't supply this pointer di |
| CVE-2009-1719 | Untrusted dereference using undocumented constructor. |
| CVE-2009-1250 | An error code is incorrectly checked and interpreted as a pointer, leading to a crash. |
| CVE-2009-0311 | An untrusted value is obtained from a packet and directly called as a function pointer, leading to code execution. |
| CVE-2010-1818 | Undocumented attribute in multimedia software allows "unmarshaling" of an untrusted pointer. |
| CVE-2010-3189 | ActiveX control for security software accepts a parameter that is assumed to be an initialized pointer. |
| CVE-2010-1253 | Spreadsheet software treats certain record values that lead to "user-controlled pointer" (might be untrusted offset, not untrusted pointer). |
Related Weaknesses
Frequently Asked Questions
What is CWE-822?
CWE-822 (Untrusted Pointer Dereference) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
How can CWE-822 be exploited?
Attackers can exploit CWE-822 (Untrusted Pointer Dereference) to read memory. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-822?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-822?
CWE-822 is classified as a Base-level weakness (Medium abstraction). It has been observed in 8 real-world CVEs.