CWE-768 Variant Incomplete Low likelihood

Incorrect Short Circuit Evaluation

This vulnerability occurs when a program's conditional statement uses short-circuit evaluation (where later parts of an AND/OR check are skipped if the outcome is already determined), and the…

Definition

What is CWE-768?

This vulnerability occurs when a program's conditional statement uses short-circuit evaluation (where later parts of an AND/OR check are skipped if the outcome is already determined), and the skipped portions contain code that changes the program's state. Because these side effects—like updating a variable, checking a permission, or logging an event—are never executed, the application can enter an unexpected and potentially insecure state.
Short-circuit evaluation is a standard programming feature, but relying on it for critical side effects creates hidden logic flaws. Attackers can probe for these inconsistencies—like a skipped authentication check or a missed bounds validation—to exploit the program later. Since code reviews and tests often follow the expected execution path, these skipped code blocks become blind spots, turning a language feature into a security weakness. This practice also makes code harder to maintain and reason about. Future developers might modify the conditional logic without realizing that the order of expressions is security-sensitive, inadvertently reintroducing or creating new vulnerabilities. Treating conditional statements as mere checks, rather than sequences of operations, undermines both security and long-term code health.
Real-world impact

Real-world CVEs caused by CWE-768

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

  1. 1

    Identify a code path that handles untrusted input without validation.

  2. 2

    Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.

  3. 3

    Deliver the payload through a normal request and observe the application's reaction.

  4. 4

    Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable C

The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user.

Vulnerable C 
#define PRIV_ADMIN 0
  #define PRIV_REGULAR 1
  typedef struct{
  	int privileges;
  	int id;
  } user_t;
  user_t *Add_Regular_Users(int num_users){
  	user_t* users = (user_t*)calloc(num_users, sizeof(user_t));
  	int i = num_users;
  	while( --i && (users[i].privileges = PRIV_REGULAR) ){
  		users[i].id = i;
  	}
  	return users;
  }
  int main(){
  	user_t* test;
  	int i;
  	test = Add_Regular_Users(25);
  	for(i = 0; i < 25; i++) printf("user %d has privilege level %d\n", test[i].id, test[i].privileges);
  }
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-768

  • Implementation Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.
Detection signals

How to detect CWE-768

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-768 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-768?

This vulnerability occurs when a program's conditional statement uses short-circuit evaluation (where later parts of an AND/OR check are skipped if the outcome is already determined), and the skipped portions contain code that changes the program's state. Because these side effects—like updating a variable, checking a permission, or logging an event—are never executed, the application can enter an unexpected and potentially insecure state.

How serious is CWE-768?

MITRE rates the likelihood of exploit as Low — exploitation is uncommon, but the weakness should still be fixed when discovered.

What languages or platforms are affected by CWE-768?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-768?

Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.

How does Plexicus detect and fix CWE-768?

Plexicus's SAST engine matches the data-flow signature for CWE-768 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-768?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/768.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-768

CWE-691 Parent

Insufficient Control Flow Management

This vulnerability occurs when a program's execution flow isn't properly managed, allowing attackers to bypass critical checks, trigger…

CWE-1265 Sibling

Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

This vulnerability occurs when a non-reentrant function is called, and during its execution, another call is triggered that unexpectedly…

CWE-1281 Sibling

Sequence of Processor Instructions Leads to Unexpected Behavior

Certain sequences of valid and invalid processor instructions can cause the CPU to lock up or behave unpredictably, often requiring a hard…

CWE-362 Sibling

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

A race condition occurs when multiple processes or threads access a shared resource simultaneously without proper coordination, creating a…

CWE-430 Sibling

Deployment of Wrong Handler

This vulnerability occurs when a system incorrectly assigns or routes an object to the wrong processing component.

CWE-431 Sibling

Missing Handler

This vulnerability occurs when a software component lacks the necessary code to properly handle an error or unexpected event.

CWE-662 Sibling

Improper Synchronization

This vulnerability occurs when a multi-threaded or multi-process application allows shared resources to be accessed by multiple threads or…

CWE-670 Sibling

Always-Incorrect Control Flow Implementation

This weakness occurs when a section of code is structured in a way that always executes incorrectly, regardless of input or conditions.…

CWE-696 Sibling

Incorrect Behavior Order

This weakness occurs when a system executes multiple dependent actions in the wrong sequence, leading to unexpected and potentially…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.