Description
The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.
In environments such as embedded or mobile devices, power can be a limited resource such as a battery, which cannot be automatically replenished by the product itself, and the device might not always be directly attached to a reliable power source. If the product uses too much power too quickly, then this could cause the device (and subsequently, the product) to stop functioning until power is restored, or increase the financial burden on the device owner because of increased power costs. Normal operation of an application will consume power. However, in some cases, an attacker could cause the application to consume more power than intended, using components such as:
Potential Impact
Availability
DoS: Resource Consumption (Other), DoS: Crash, Exit, or Restart
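The description above says the product must "properly restrict" how much power its operation consumes, but does not show what such a restriction looks like in code. The following is an added example, not part of the CWE entry or any MITRE material: it enforces a sliding-window budget on activations of an expensive component (the names `PowerBudget`, `retry_delay` and the "5 wake-ups per 60 seconds" figure are assumptions chosen for this illustration) and caps retry backoff so that a stream of induced failures cannot keep a radio or GPS awake indefinitely. Timestamps are passed in explicitly, and the burst of requests is constructed inline, so the example runs offline.

```python
from collections import deque
from typing import Deque, List, Tuple


class PowerBudget:
    """Sliding-window limit on activations of an expensive component.

    Assumption (constructed for this example): the device permits at most
    `max_activations` radio/GPS wake-ups per `window_seconds`. The current
    time is supplied by the caller so the logic is deterministic and testable.
    """

    def __init__(self, max_activations: int, window_seconds: float) -> None:
        if max_activations <= 0 or window_seconds <= 0:
            raise ValueError("budget parameters must be positive")
        self.max_activations = max_activations
        self.window_seconds = window_seconds
        self._activations: Deque[float] = deque()  # timestamps of recent wake-ups

    def try_activate(self, now: float) -> bool:
        """Return True and record the activation if the budget allows it, else False."""
        cutoff = now - self.window_seconds
        # Drop activations that have aged out of the window.
        while self._activations and self._activations[0] <= cutoff:
            self._activations.popleft()
        if len(self._activations) >= self.max_activations:
            return False  # budget exhausted: the component stays asleep
        self._activations.append(now)
        return True


def retry_delay(failures: int, base_seconds: float = 1.0, cap_seconds: float = 300.0) -> float:
    """Capped exponential backoff: seconds to wait after `failures` consecutive failures.

    The cap bounds the wake-up rate even when every attempt fails, so repeated
    errors (whether accidental or induced) cannot turn into a tight retry loop.
    """
    if failures < 0:
        raise ValueError("failures must be non-negative")
    return min(base_seconds * (2 ** failures), cap_seconds)


def simulate_burst(request_times: List[float], budget: PowerBudget) -> Tuple[int, int]:
    """Feed request timestamps through the budget; return (allowed, denied) counts."""
    allowed = denied = 0
    for t in request_times:
        if budget.try_activate(t):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


def burst(count: int = 100, spacing: float = 0.1) -> List[float]:
    """Constructed input: `count` activation requests spaced `spacing` seconds apart."""
    return [i * spacing for i in range(count)]


if __name__ == "__main__":
    budget = PowerBudget(max_activations=5, window_seconds=60.0)
    print(simulate_burst(burst(), budget))          # (5, 95)
    print([retry_delay(n) for n in (0, 1, 3, 10)])  # [1.0, 2.0, 8.0, 300.0]
```

The two controls address the two halves of the weakness: the budget bounds how much power a component can draw per unit time regardless of how many requests arrive, and the capped backoff bounds the cost of failure handling, which is the path an unexpected input or network condition most often uses to drive consumption up. Telemetry on denied activations is a useful detection signal for a device that is being pushed against its budget.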
Related Weaknesses
Taxonomy Mappings
- ISA/IEC 62443: Part 3-3 — Req SR 6.2
- ISA/IEC 62443: Part 4-2 — Req CR 6.2
- ISA/IEC 62443: Part 4-1 — Req SD-4
Frequently Asked Questions
What is CWE-920?
CWE-920 (Improper Restriction of Power Consumption) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation...
How can CWE-920 be exploited?
Attackers can exploit CWE-920 (Improper Restriction of Power Consumption) to cause DoS: Resource Consumption (Other) or DoS: Crash, Exit, or Restart. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-920?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-920?
CWE-920 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.