BaseDraft

CWE-242Use of Inherently Dangerous Function

Category: other

Description

The product calls a function that can never be guaranteed to work safely. Certain functions behave in dangerous ways regardless of how they are used. Functions in this category were often implemented without taking security concerns into account. The gets() function is unsafe because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to gets() and overflow the destination buffer. Similarly, the >> operator is unsafe to use when reading into a statically-allocated character array because it does not perform bounds checking on the size of its input. An attacker can easily send arbitrarily-sized input to the >> operator and overflow the destination buffer.

Common consequences· 1

  • Other — Varies by Context

Potential mitigations· 2

  • [Build and Compilation, Implementation]Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the "banned.h" include file from Microsoft's SDL. [REF-554] [REF-1009] [REF-7]
  • [Testing]Use grep or static analysis tools to spot usage of dangerous functions.

References

  1. https://cwe.mitre.org/data/definitions/242.html

(incoming)2

TypeTargetConfidenceTier
VulnerabilityCVE-2025-49215cve-2025-492150%live
VulnerabilityCVE-2026-6477cve-2026-64770%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Use of Potentially Dangerous Function
CWE
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE
Buffer Over-read
CWE
Integer Overflow to Buffer Overflow
CWE
Unchecked Return Value to NULL Pointer Dereference
CWE
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.