CWE-691
DiscouragedInsufficient Control Flow Management
Abstraction: Pillar · Status: Draft
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
54 vulnerabilities reference this CWE, most recent first.
GHSA-VR6P-52VM-764X
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-14 15:31Insufficient control flow management in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2024-21801"
],
"database_specific": {
"cwe_ids": [
"CWE-691"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T14:15:16Z",
"severity": "HIGH"
},
"details": "Insufficient control flow management in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable denial of service via local access.",
"id": "GHSA-vr6p-52vm-764x",
"modified": "2024-08-14T15:31:13Z",
"published": "2024-08-14T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21801"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01070.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WJVR-8C9R-FGMC
Vulnerability from github – Published: 2025-03-12 18:32 – Updated: 2025-03-12 21:31An issue was discovered in Open5GS v2.7.2. When a UE switches between two gNBs and sends a handover request at a specific time, it may cause an exception in the AMF's internal state machine, leading to an AMF crash and resulting in a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2025-25774"
],
"database_specific": {
"cwe_ids": [
"CWE-691"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T17:15:49Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Open5GS v2.7.2. When a UE switches between two gNBs and sends a handover request at a specific time, it may cause an exception in the AMF\u0027s internal state machine, leading to an AMF crash and resulting in a Denial of Service (DoS).",
"id": "GHSA-wjvr-8c9r-fgmc",
"modified": "2025-03-12T21:31:29Z",
"published": "2025-03-12T18:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25774"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/3671"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/commit/2e68706f1eea029d5172ccad946e78b352c031d0"
},
{
"type": "WEB",
"url": "https://github.com/guoweifk/BugReport/blob/main/Open5GS%20AMF%20Denial%20of%20Service%20via%20GMM%20State%20Handling%20in%20Handover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWQM-R5FG-M4HG
Vulnerability from github – Published: 2025-07-10 18:31 – Updated: 2025-07-10 18:31Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access.
{
"affected": [],
"aliases": [
"CVE-2025-49463"
],
"database_specific": {
"cwe_ids": [
"CWE-691"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T17:15:47Z",
"severity": "MODERATE"
},
"details": "Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access.",
"id": "GHSA-wwqm-r5fg-m4hg",
"modified": "2025-07-10T18:31:28Z",
"published": "2025-07-10T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49463"
},
{
"type": "WEB",
"url": "https://https://www.zoom.com/en/trust/security-bulletin/zsb-25026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ5F-8X3J-QV23
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Insufficient control flow management for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-35963"
],
"database_specific": {
"cwe_ids": [
"CWE-691"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T17:15:51Z",
"severity": "HIGH"
},
"details": "Insufficient control flow management for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.",
"id": "GHSA-xq5f-8x3j-qv23",
"modified": "2025-11-11T18:30:19Z",
"published": "2025-11-11T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35963"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.