
CWE-682 - Incorrect Calculation

CWE-682 High

  • Abstraction: Pillar
  • Structure: Simple
  • Status: Draft
Weakness Name

Incorrect Calculation

Description

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

When a product performs a security-critical calculation incorrectly, the result might be, among other things, an incorrect resource allocation, an incorrect privilege assignment, or a comparison that does not check what it was meant to check. Many of these direct results can in turn cause larger problems, such as a failed protection mechanism or even arbitrary code execution.

Common Consequences

Scope: Availability

Impact: DoS: Crash, Exit, or Restart

Notes: If the incorrect calculation causes the program to move into an unexpected state, it may lead to a crash or impairment of service.

Scope: Integrity, Confidentiality, Availability

Impact: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands

Notes: If the incorrect calculation is used in the context of resource allocation, it could lead to an out-of-bounds operation (CWE-119) leading to a crash or even arbitrary code execution. Alternatively, it may result in an integer overflow (CWE-190) and / or a resource consumption problem (CWE-400).

Scope: Access Control

Impact: Gain Privileges or Assume Identity

Notes: In the context of privilege or permissions assignment, an incorrect calculation can provide an attacker with access to sensitive resources.

Scope: Access Control

Impact: Bypass Protection Mechanism

Notes: If the incorrect calculation leads to an insufficient comparison (CWE-697), it may compromise a protection mechanism such as a validation routine and allow an attacker to bypass the security-critical code.
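The two consequences above (an allocation size that wraps into an out-of-bounds write, and a bounds comparison that wraps and lets a check "pass") are easiest to see in code. The following is an added example, not taken from the CWE entry or any real product: a hypothetical record parser multiplies an attacker-controlled record count by a fixed record size, and a hypothetical bounds check adds an attacker-controlled length to an offset. The constants RECORD_SIZE, the function names, and the attacker inputs are all constructed for illustration. Each vulnerable calculation is paired with the corrected form.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-record size, the kind of value a parser multiplies by an
 * attacker-supplied element count when sizing a buffer. */
#define RECORD_SIZE 16u

/* Vulnerable (CWE-190 leading to CWE-119): the size is computed with plain
 * 32-bit multiplication. For count = 0x10000001 the product 0x100000010 wraps
 * to 16, so the caller allocates 16 bytes while believing the buffer holds
 * 268435457 records. uint32_t is used so the wrap is visible on any platform. */
uint32_t alloc_size_vulnerable(uint32_t count)
{
    return count * RECORD_SIZE;          /* wraps silently */
}

/* Hardened: refuse any count whose product cannot be represented. */
bool alloc_size_checked(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / RECORD_SIZE)
        return false;                    /* multiplication would overflow */
    *out = count * RECORD_SIZE;
    return true;
}

/* Vulnerable (CWE-697 via an incorrect calculation): offset + len is computed
 * before the comparison, so a len close to UINT32_MAX wraps the sum below
 * buf_size and the check passes although the range extends past the buffer. */
bool range_ok_vulnerable(uint32_t buf_size, uint32_t offset, uint32_t len)
{
    return offset + len <= buf_size;
}

/* Hardened: validate offset first, then compare len with the space that
 * remains. buf_size - offset cannot wrap once offset <= buf_size holds. */
bool range_ok_checked(uint32_t buf_size, uint32_t offset, uint32_t len)
{
    if (offset > buf_size)
        return false;
    return len <= buf_size - offset;
}

int main(void)
{
    /* Constructed attacker inputs, not taken from any real protocol. */
    uint32_t evil_count = 0x10000001u;
    uint32_t size;

    printf("vulnerable alloc size: %u bytes\n", alloc_size_vulnerable(evil_count));
    printf("checked alloc size:    %s\n",
           alloc_size_checked(evil_count, &size) ? "accepted" : "rejected");

    uint32_t buf_size = 1024u, offset = 1000u, evil_len = 0xFFFFFFF0u;
    printf("vulnerable range check: %s\n",
           range_ok_vulnerable(buf_size, offset, evil_len) ? "passes" : "fails");
    printf("checked range check:    %s\n",
           range_ok_checked(buf_size, offset, evil_len) ? "passes" : "fails");
    return 0;
}
```

The pattern in both fixes is the same: rearrange the arithmetic so that no intermediate value can wrap before it is compared. Dividing UINT32_MAX by the multiplier and subtracting the offset from the size are both safe because each operand has already been bounded; the vulnerable forms compare a result that may already have lost information.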

Related Weaknesses
  • Release Date: 2008-04-11
  • Latest Modification Date: 2023-06-29