CWE-134βUse of Externally-Controlled Format String
PUBLISHEDweakness recordHigh
released 2006-07-19 Β· last modified 2025-12-11
Metadata
- CWE ID:
- CWE-134
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Draft
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2025-12-11
Weakness Name
Use of Externally-Controlled Format String
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Common Consequences
- Scope:
- Confidentiality
- Impact:
- Read Memory
- Notes:
- Format string problems allow for information disclosure which can severely simplify exploitation of the program.
- Scope:
- Integrity, Confidentiality, Availability
- Impact:
- Modify Memory, Execute Unauthorized Code or Commands
- Notes:
- Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.