CWE · MITRE source
CWE-272: Least Privilege Violation
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 5 mapping(s) from 5 framework(s): CAPEC 1 (partial) · STIG Ubuntu 24.04 1 (partial) · STIG Windows 10 1 (partial) · STIG Windows Server 2022 1 (partial) · ATT&CK 1 (partial)
NIST 800-53 r5 controls that address this weakness (12) [AI]
The 10 most specific controls are listed first; the 2 broadly applicable controls that address many weakness types follow.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-1 | Policy and Procedures | AC | Review and update requirements help detect and correct least privilege violations in practice. |
| AC-13 | Supervision and Review — Access Control | AC | Access reviews verify and enforce adherence to least privilege by identifying excess permissions. |
| AC-2 | Account Management | AC | Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege. |
| PS-7 | External Personnel Security | PS | Enforces least-privilege principles for external personnel via role/responsibility definitions, transfer/termination notifications, and ongoing compliance checks. |
| PS-8 | Personnel Sanctions | PS | Directly addresses least-privilege violations by providing a deterrent and notification mechanism when policies are not followed. |
| PS-9 | Position Descriptions | PS | Incorporating least-privilege expectations into every position description makes violations of the principle harder to occur by default. |
| CM-7 | Least Functionality | CM | Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused. |
| PL-4 | Rules of Behavior | PL | The control mandates acknowledgment of least-privilege expectations, making violations by authorized users less likely. |
| PM-29 | Risk Management Program Leadership Roles | PM | The Risk Executive role ensures least privilege is applied uniformly rather than left to individual system owners or projects. |
| SA-14 | Criticality Analysis | SA | Criticality analysis supplies the information needed to enforce least privilege on the most important system elements, making violations of that principle less likely to exist in high-value targets. |
| AC-5 | Separation of Duties | AC | Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities. |
| AC-6 | Least Privilege | AC | Enforces the least privilege principle to avoid violations of minimal necessary access. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-24830 (UPD) | 7.0 | 9.9 | 0.0072 | 2024-02-08 |
| CVE-2024-25106 (UPD) | 7.0 | 9.1 | 0.0049 | 2024-02-08 |
| CVE-2021-26726 | 5.5 | 8.8 | 0.0111 | 2022-02-16 |
| CVE-2023-28047 | 5.5 | 7.3 | 0.0017 | 2023-04-20 |
| CVE-2023-32451 | 5.5 | 7.3 | 0.0015 | 2024-02-06 |
| CVE-2024-0638 | 5.5 | 8.2 | 0.0019 | 2024-03-22 |
| CVE-2024-28824 (UPD) | 5.5 | 8.8 | 0.0018 | 2024-03-22 |
| CVE-2024-35204 | 5.5 | 8.4 | 0.0024 | 2024-05-14 |
| CVE-2024-27165 | 5.5 | 7.8 | 0.0023 | 2024-06-14 |
| CVE-2024-28829 | 5.5 | 7.8 | 0.0018 | 2024-08-20 |
| CVE-2024-55954 | 5.5 | 8.7 | 0.0049 | 2025-01-16 |
| CVE-2025-47809 (UPD) | 5.5 | 8.2 | 0.0014 | 2025-05-16 |
| CVE-2025-49144 (UPD) | 5.5 | 7.3 | 0.0042 | 2025-06-23 |
| CVE-2025-1384 (UPD) | 5.5 | 7.0 | 0.0022 | 2025-07-14 |
| CVE-2025-7722 (UPD) | 5.5 | 8.8 | 0.0038 | 2025-07-23 |
| CVE-2025-8181 (UPD) | 5.5 | 7.2 | 0.0091 | 2025-07-26 |
| CVE-2025-8757 (UPD) | 5.5 | 7.0 | 0.0014 | 2025-08-09 |
| CVE-2025-8758 (UPD) | 5.5 | 7.0 | 0.0015 | 2025-08-09 |
| CVE-2025-59106 | 5.5 | 8.8 | 0.0068 | 2026-01-26 |
| CVE-2025-9711 | 5.5 | 7.8 | 0.0013 | 2026-02-03 |
| CVE-2026-35535 (UPD) | 5.5 | 7.4 | 0.0017 | 2026-04-03 |
| CVE-2026-39459 (UPD) | 5.5 | 7.2 | 0.0026 | 2026-05-13 |
| CVE-2023-28046 | 3.5 | 6.6 | 0.0014 | 2023-04-06 |
| CVE-2024-0798 | 3.5 | 6.5 | 0.0057 | 2024-02-26 |
| CVE-2025-68267 | 3.5 | 6.5 | 0.0018 | 2025-12-16 |