CWE-134 - Use of Externally-Controlled Format String
- Abstraction: Base
- Structure: Simple
- Status: Draft
- Release Date: 2006-07-19
- Latest Modification Date: 2025-04-03
Weakness Name
Use of Externally-Controlled Format String
Description
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Common Consequences
Scope: Confidentiality
Impact: Read Memory
Notes: Format string problems allow for information disclosure, which can severely simplify exploitation of the program.
Scope: Integrity, Confidentiality, Availability
Impact: Modify Memory, Execute Unauthorized Code or Commands
Notes: Format string problems can result in the execution of arbitrary code, buffer overflows, denial of service, or incorrect data representation.
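The weakness and its fix side by side, as an added example that is not part of the CWE entry. The function names and the sample string are hypothetical; the sample uses only `%%`, which consumes no argument, so the unsafe call stays well defined while still showing the "incorrect data representation" consequence.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-134): the externally supplied string is passed
 * as the format argument, so any conversion specifier in it is interpreted.
 * Compilers flag this with -Wformat-security; the pragmas silence that
 * diagnostic only so the "before" form can sit beside the fix. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a constant and the external string is only
 * ever data, copied byte for byte by %s. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Constructed sample input standing in for externally supplied text. */
static const char SAMPLE[] = "disk usage 100%% (user-supplied)";

/* Returns 1 if the rendered output equals the input exactly, 0 if the
 * renderer altered it by parsing it as a format string. */
int preserves_input(int (*render)(char *, size_t, const char *))
{
    char buf[128];
    render(buf, sizeof buf, SAMPLE);
    return strcmp(buf, SAMPLE) == 0;
}

int main(void)
{
    printf("unsafe preserves input: %d\n", preserves_input(render_unsafe));
    printf("safe preserves input:   %d\n", preserves_input(render_safe));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (without the pragmas) reports the call in `render_unsafe`, which makes the warning a practical check for this weakness in code review and CI.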
Related Weaknesses
CWE-20: Improper Input Validation (High)
Related Alerts
Format String Error (Medium)