CWE · MITRE source
CWE-391: Unchecked Error Condition
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 1 mapping(s) from 1 framework(s): OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.
NIST 800-53 r5 controls that address this weakness (5) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IR-1 | Policy and Procedures | IR | Policy enforces checking and handling of error conditions as part of incident response processes. |
| IR-3 | Incident Response Testing | IR | Testing IR effectiveness identifies and drives fixes for unchecked error conditions that fail to initiate incident handling. |
| IR-4 | Incident Handling | IR | Formal incident handling procedures enforce checking and acting on error conditions that could indicate security incidents. |
| AU-5 | Response to Audit Logging Process Failures | AU | Ensures audit logging process failures are checked and trigger defined responses instead of remaining unchecked. |
| PM-31 | Continuous Monitoring Strategy | PM | Mandates ongoing correlation, analysis, and response to monitoring results, reducing unchecked error conditions from control assessments. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-12176 | 7.0 | 9.8 | 0.0425 | 2018-01-24 |
| CVE-2017-12177 | 7.0 | 9.8 | 0.0445 | 2018-01-24 |
| CVE-2017-12178 | 7.0 | 9.8 | 0.0425 | 2018-01-24 |
| CVE-2017-12179 | 7.0 | 9.8 | 0.0445 | 2018-01-24 |
| CVE-2017-12180 | 7.0 | 9.8 | 0.0431 | 2018-01-24 |
| CVE-2017-12181 | 7.0 | 9.8 | 0.0431 | 2018-01-24 |
| CVE-2017-12182 | 7.0 | 9.8 | 0.0431 | 2018-01-24 |
| CVE-2017-12183 | 7.0 | 9.8 | 0.0431 | 2018-01-24 |
| CVE-2017-12184 | 7.0 | 9.8 | 0.0425 | 2018-01-24 |
| CVE-2017-12185 | 7.0 | 9.8 | 0.0425 | 2018-01-24 |
| CVE-2017-12186 | 7.0 | 9.8 | 0.0438 | 2018-01-24 |
| CVE-2017-12187 | 7.0 | 9.8 | 0.0341 | 2018-01-24 |
| CVE-2024-52316 | 7.0 | 9.8 | 0.0629 | 2024-11-18 |
| CVE-2025-71325 | 7.0 | 9.8 | 0.0047 | 2026-06-17 |
| CVE-2017-7496 | 5.5 | 7.0 | 0.0026 | 2017-06-26 |
| CVE-2016-10526 | 5.5 | 8.6 | 0.0164 | 2018-05-31 |
| CVE-2019-14853 | 5.5 | 7.5 | 0.0250 | 2019-11-26 |
| CVE-2018-1091 | 3.5 | 5.5 | 0.0042 | 2018-03-27 |
| CVE-2020-14383 | 3.5 | 6.5 | 0.0218 | 2020-12-02 |
| CVE-2022-22160 | 3.5 | 6.5 | 0.0036 | 2022-01-19 |
| CVE-2023-0572 | 3.5 | 5.3 | 0.0067 | 2023-01-29 |
| CVE-2023-32871 | 3.5 | 5.3 | 0.0008 | 2024-05-06 |
| CVE-2024-23326 | 3.5 | 5.9 | 0.0036 | 2024-06-04 |
| CVE-2022-20849 | 3.5 | 6.1 | 0.0027 | 2024-11-15 |