Where could I find a list of CWEs that Mayhem can find?

Good morning. Can you please provide the list of all CWEs that Mayhem is able to find?

We have a list of our supported CWEs in our documentation, under Reference → Support Matrix. For convenience, I’ll repost them below:

Basic Triage

CWEs detected by Basic Triage:

  • 20 : Improper Input Validation
  • 125 : Out-of-bounds Read
  • 369 : Divide By Zero
  • 476 : NULL Pointer Dereference
  • 763 : Release of Invalid Pointer or Reference
  • 787 : Out-of-bounds Write
  • 913 : Improper Control of Dynamically-Managed Code Resources

Advanced Triage

Advanced Triage, when enabled, runs additional analysis to find defects that do not raise a UNIX signal, such as memory leaks or using an uninitialized variable.

In order to support Advanced Triage, a target must be linked against glibc. Targets that link against other libc variants (or no libc at all) are not supported. In addition, Advanced Triage requires a target that has no instrumentation.

CWEs detected by Advanced Triage:

  • 119 : Improper Restriction of Operations within the Bounds of a Memory Buffer
  • 125 : Out-of-bounds Read
  • 131 : Incorrect Calculation of Buffer Size
  • 401 : Failure to Release Memory Before Removing Last Reference (‘Memory Leak’)
  • 457 : Use of Uninitialized Variable
  • 590 : Free of Memory not on the Heap
  • 704 : Incorrect Type Conversion or Cast
  • 787 : Out-of-bounds Write
  • 913 : Improper Control of Dynamically-Managed Code Resources

Sanitizers

Sanitizers (such as ASAN) can be added to a program at compile time. They add checks that allow Mayhem to detect many more kinds of defects, including defects that may not result in an immediate crash.

Mayhem works with targets compiled with the ASAN, UBSAN, LSAN, and MSAN sanitizer flags.

CWEs detected by Sanitizers (in addition to Basic Triage):

  • 115 : Misinterpretation of Input
  • 119 : Improper Restriction of Operations within the Bounds of a Memory Buffer
  • 121 : Stack-based Buffer Overflow
  • 122 : Heap-based Buffer Overflow
  • 129 : Improper Validation of Array Index
  • 131 : Incorrect Calculation of Buffer Size
  • 188 : Reliance on Data/Memory Layout
  • 190 : Integer Overflow or Wraparound
  • 197 : Numeric Truncation Error
  • 233 : Improper Handling of Parameters
  • 393 : Return of Wrong Status Code
  • 400 : Uncontrolled Resource Consumption
  • 415 : Double Free
  • 416 : Use After Free
  • 457 : Use of Uninitialized Variable
  • 469 : Use of Pointer Subtraction to Determine Size
  • 561 : Dead Code
  • 562 : Return of Stack Variable Address
  • 590 : Free of Memory not on the Heap
  • 664 : Improper Control of a Resource Through its Lifetime
  • 665 : Improper Initialization
  • 680 : Integer Overflow to Buffer Overflow
  • 690 : Unchecked Return Value to NULL Pointer Dereference
  • 704 : Incorrect Type Conversion or Cast
  • 758 : Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  • 786 : Access of Memory Location Before Start of Buffer
  • 788 : Access of Memory Location After End of Buffer
  • 789 : Uncontrolled Memory Allocation
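As an added illustration (not code from Mayhem's documentation or the answer above) of why the three lists differ, here is the kind of defect that raises no UNIX signal: a one-byte heap over-read that lands in allocator slack, so the process exits normally and signal-based Basic Triage sees nothing, while a target built with `-fsanitize=address` gets it reported as a heap-buffer-overflow (CWE-125 above). The record string is a constructed sample.

```c
/* Added example, not from Mayhem or the original answer. Shows a silent
 * off-by-one read (CWE-125) next to its bounds-respecting fix. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable: '<=' reads one byte past buf. Without a sanitizer the byte
 * usually lies in malloc slack, so nothing faults and no signal is raised;
 * ASAN reports it as heap-buffer-overflow. Not called by main() below. */
uint32_t checksum_offbyone(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i <= len; i++)   /* defect: should be i < len */
        sum += buf[i];
    return sum;
}

/* Hardened: stays inside [0, len) and tolerates a NULL buffer. */
uint32_t checksum_fixed(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    if (buf == NULL)
        return 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* Copies a record into a heap buffer of exactly its length (the layout the
 * over-read would escape from) and returns the checksum of the fixed path. */
uint32_t checksum_of_record(const char *record)
{
    size_t len = strlen(record);
    uint8_t *buf = malloc(len ? len : 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, record, len);
    uint32_t sum = checksum_fixed(buf, len);
    free(buf);
    return sum;
}

int main(void)
{
    /* Constructed sample input. */
    printf("checksum = %u\n", checksum_of_record("mayhem"));
    return 0;
}
```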