CWE-134β€”Use of Externally-Controlled Format String

PUBLISHEDweakness recordHigh
released 2006-07-19 Β· last modified 2025-12-11
CWE-134 - Use of Externally-Controlled Format String - Diagram

Metadata

CWE ID:
CWE-134
Abstraction:
Base
Structure:
Simple
Status:
Draft
Release Date:
2006-07-19
Latest Modification Date:
2025-12-11

Weakness Name

Use of Externally-Controlled Format String

Description

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Common Consequences

Scope:
Confidentiality
Impact:
Read Memory
Notes:
Format string problems allow for information disclosure which can severely simplify exploitation of the program.
Scope:
Integrity, Confidentiality, Availability
Impact:
Modify Memory, Execute Unauthorized Code or Commands
Notes:
Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.

Related Weaknesses

Related Alerts