CWE-170 Base Incomplete Medium likelihood

Improper Null Termination

This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.

Definition

What is CWE-170?

This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.
Improper null termination typically stems from two common coding mistakes. The first is an off-by-one error, where a null character is written just outside the allocated memory boundary, which can corrupt adjacent data or trigger a buffer overflow. The second frequent cause is the incorrect use of functions like `strncpy()`, which does not automatically append a null terminator if the source string is too long, leaving the destination array without a valid end marker. Without this crucial terminator, string-handling functions will continue reading memory until they encounter a null byte by chance, leading to information disclosure, crashes, or unpredictable behavior. Developers should always ensure buffers are sized to hold the content plus the terminator and prefer safer, bounded string functions that guarantee proper termination.
Real-world impact

Real-world CVEs caused by CWE-170

  • CVE-2000-0312

    Attacker does not null-terminate argv[] when invoking another program.

  • CVE-2003-0777

    Interrupted step causes resultant lack of null termination.

  • CVE-2004-1072

    Fault causes resultant lack of null termination, leading to buffer expansion.

  • CVE-2001-1389

    Multiple vulnerabilities related to improper null termination.

  • CVE-2003-0143

    Product does not null terminate a message buffer after snprintf-like call, leading to overflow.

  • CVE-2009-2523

    Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following code reads from cfgfile and copies the input into inputbuf using strcpy(). The code mistakenly assumes that inputbuf will always contain a NULL terminator.

  2. 2

    The code above will behave correctly if the data read from cfgfile is null terminated on disk as expected. But if an attacker is able to modify this input so that it does not contain the expected NULL character, the call to strcpy() will continue copying from memory until it encounters an arbitrary NULL character. This will likely overflow the destination buffer and, if the attacker can control the contents of memory immediately following inputbuf, can leave the application susceptible to a buffer overflow attack.

  3. 3

    In the following code, readlink() expands the name of a symbolic link stored in pathname and puts the absolute path into buf. The length of the resulting value is then calculated using strlen().

  4. 4

    The code above will not always behave correctly as readlink() does not append a NULL byte to buf. Readlink() will stop copying characters once the maximum size of buf has been reached to avoid overflowing the buffer, this will leave the value buf not NULL terminated. In this situation, strlen() will continue traversing memory until it encounters an arbitrary NULL character further on down the stack, resulting in a length value that is much larger than the size of string. Readlink() does return the number of bytes copied, but when this return value is the same as stated buf size (in this case MAXPATH), it is impossible to know whether the pathname is precisely that many bytes long, or whether readlink() has truncated the name to avoid overrunning the buffer. In testing, vulnerabilities like this one might not be caught because the unused contents of buf and the memory immediately following it may be NULL, thereby causing strlen() to appear as if it is behaving correctly.

  5. 5

    While the following example is not exploitable, it provides a good example of how nulls can be omitted or misplaced, even when "safe" functions are used:

Vulnerable code example

Vulnerable C

The following code reads from cfgfile and copies the input into inputbuf using strcpy(). The code mistakenly assumes that inputbuf will always contain a NULL terminator.

Vulnerable C 
#define MAXLEN 1024
  ...
  char *pathbuf[MAXLEN];
  ...
  read(cfgfile,inputbuf,MAXLEN); //does not null terminate
  strcpy(pathbuf,inputbuf); //requires null terminated input
  ...
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-170

  • Requirements Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible.
  • Implementation Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings.
  • Implementation If performance constraints permit, special code can be added that validates null-termination of string buffers, this is a rather naive and error-prone solution.
  • Implementation Switch to bounded string manipulation functions. Inspect buffer lengths involved in the buffer overrun trace reported with the defect.
  • Implementation Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non null-terminated string is not written at the physical end of the buffer).
Detection signals

How to detect CWE-170

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-170 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-170?

This weakness occurs when software fails to properly end a string or array with the required null character or equivalent terminator.

How serious is CWE-170?

MITRE rates the likelihood of exploit as Medium — exploitation is realistic but typically requires specific conditions.

What languages or platforms are affected by CWE-170?

MITRE lists the following affected platforms: C, C++.

How can I prevent CWE-170?

Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible. Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings.

How does Plexicus detect and fix CWE-170?

Plexicus's SAST engine matches the data-flow signature for CWE-170 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-170?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/170.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-170

CWE-707 Parent

Improper Neutralization

This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external…

CWE-116 Sibling

Improper Encoding or Escaping of Output

This vulnerability occurs when an application builds a structured message—like a query, command, or request—for another component but…

CWE-138 Sibling

Improper Neutralization of Special Elements

This vulnerability occurs when an application accepts external input but fails to properly sanitize special characters or syntax that have…

CWE-1426 Sibling

Improper Validation of Generative AI Output

This vulnerability occurs when an application uses a generative AI model (like an LLM) but fails to properly check the AI's output before…

CWE-172 Sibling

Encoding Error

This vulnerability occurs when software incorrectly transforms data between different formats, leading to corrupted or misinterpreted…

CWE-182 Sibling

Collapse of Data into Unsafe Value

This vulnerability occurs when an application's data filtering or transformation process incorrectly merges or simplifies information,…

CWE-20 Sibling

Improper Input Validation

This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and…

CWE-228 Sibling

Improper Handling of Syntactically Invalid Structure

This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…

CWE-240 Sibling

Improper Handling of Inconsistent Structural Elements

This vulnerability occurs when a system fails to properly manage situations where related data structures or elements should match but are…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.