CWE-321
AllowedUse of Hard-coded Cryptographic Key
Abstraction: Variant · Status: Draft
The product uses a hard-coded, unchangeable cryptographic key.
503 vulnerabilities reference this CWE, most recent first.
GHSA-CR3P-H54G-QJ4W
Vulnerability from github – Published: 2024-02-20 00:30 – Updated: 2024-08-29 21:31Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary.
{
"affected": [],
"aliases": [
"CVE-2022-48625"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T00:15:14Z",
"severity": "HIGH"
},
"details": "Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary.",
"id": "GHSA-cr3p-h54g-qj4w",
"modified": "2024-08-29T21:31:01Z",
"published": "2024-02-20T00:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48625"
},
{
"type": "WEB",
"url": "https://www.yealink.com/en/trust-center/security-advisories/yealink-config-encrypt-tool-hardcoded-encryption-password-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CV37-J7VW-C2GC
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:52AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data.
{
"affected": [],
"aliases": [
"CVE-2023-21404"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T21:15:10Z",
"severity": "MODERATE"
},
"details": "AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data.",
"id": "GHSA-cv37-j7vw-c2gc",
"modified": "2024-04-04T03:52:42Z",
"published": "2023-05-08T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21404"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/07/0a/20/cve-2023-21404-en-US-398426.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CX6M-HWFJ-FVVW
Vulnerability from github – Published: 2022-12-14 00:30 – Updated: 2024-04-04 03:15Delta Industrial Automation DIALink versions 1.4.0.0 and prior are vulnerable to the use of a hard-coded cryptographic key which could allow an attacker to decrypt sensitive data and compromise the machine.
{
"affected": [],
"aliases": [
"CVE-2022-2660"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T22:15:00Z",
"severity": "HIGH"
},
"details": "Delta Industrial Automation DIALink versions 1.4.0.0 and prior are vulnerable to the use of a hard-coded cryptographic key which could allow an attacker to decrypt sensitive data and compromise the machine.",
"id": "GHSA-cx6m-hwfj-fvvw",
"modified": "2024-04-04T03:15:50Z",
"published": "2022-12-14T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2660"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F63J-FM2W-2WXH
Vulnerability from github – Published: 2024-04-30 18:30 – Updated: 2024-08-01 15:31SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: the vendor indicated that they have no plans to fix this, and discourage deployment using public IPv4.
{
"affected": [],
"aliases": [
"CVE-2019-19753"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T18:15:19Z",
"severity": "CRITICAL"
},
"details": "SimpleMiningOS through v1259 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: the vendor indicated that they have no plans to fix this, and discourage deployment using public IPv4.",
"id": "GHSA-f63j-fm2w-2wxh",
"modified": "2024-08-01T15:31:43Z",
"published": "2024-04-30T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19753"
},
{
"type": "WEB",
"url": "https://rsaxvc.net/blog/2020/4/10/Widespread_re-use_of_SSH_Host_Keys_in_Ethereum_Mining_Rig_Operating_Systems.html"
},
{
"type": "WEB",
"url": "https://simplemining.net/page/changelog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F6HW-3RGQ-5RHV
Vulnerability from github – Published: 2026-04-29 09:30 – Updated: 2026-04-29 09:30This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.
Successful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2026-42518"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-29T09:16:25Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.\n\nSuccessful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.",
"id": "GHSA-f6hw-3rgq-5rhv",
"modified": "2026-04-29T09:30:25Z",
"published": "2026-04-29T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42518"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F7MM-6F83-Q4XX
Vulnerability from github – Published: 2024-04-30 18:30 – Updated: 2024-11-07 00:30HiveOS through 0.6-102@191212 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-09-26, the vendor indicated that they would consider fixing this.
{
"affected": [],
"aliases": [
"CVE-2019-19754"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T18:15:19Z",
"severity": "MODERATE"
},
"details": "HiveOS through 0.6-102@191212 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: as of 2019-09-26, the vendor indicated that they would consider fixing this.",
"id": "GHSA-f7mm-6f83-q4xx",
"modified": "2024-11-07T00:30:35Z",
"published": "2024-04-30T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19754"
},
{
"type": "WEB",
"url": "https://hiveos.farm/changelog"
},
{
"type": "WEB",
"url": "https://rsaxvc.net/blog/2020/4/10/Widespread_re-use_of_SSH_Host_Keys_in_Ethereum_Mining_Rig_Operating_Systems.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FMX3-XGW6-W7G2
Vulnerability from github – Published: 2025-09-18 21:30 – Updated: 2026-06-04 21:31The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system.
{
"affected": [],
"aliases": [
"CVE-2025-54807"
],
"database_specific": {
"cwe_ids": [
"CWE-321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T21:15:48Z",
"severity": "CRITICAL"
},
"details": "The secret used for validating authentication tokens is hardcoded in \ndevice firmware for affected versions. An attacker who obtains the \nsigning key can bypass authentication, gaining complete access to the \nsystem.",
"id": "GHSA-fmx3-xgw6-w7g2",
"modified": "2026-06-04T21:31:16Z",
"published": "2025-09-18T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54807"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-261-07.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-07"
},
{
"type": "WEB",
"url": "https://www.doverfuelingsolutions.com/mea/en/products-and-solutions/automatic-tank-gauging/consoles/progauge-maglink-lx-4-console.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FMXW-52W5-JC84
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2017-6054"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-26T14:59:00Z",
"severity": "HIGH"
},
"details": "A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information.",
"id": "GHSA-fmxw-52w5-jc84",
"modified": "2022-05-13T01:36:33Z",
"published": "2022-05-13T01:36:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6054"
},
{
"type": "WEB",
"url": "https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98033"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G2JX-37X6-6438
Vulnerability from github – Published: 2025-12-02 17:55 – Updated: 2025-12-02 21:44Summary
The arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints—including tool enumeration and tool invocation—without credentials.
Anyone following the official quick-start guide is vulnerable unless they manually override ARCADE_WORKER_SECRET.
Details
The documented method for launching an HTTP MCP server (python server.py http) implicitly sets the worker secret to the hardcoded default "dev":
ArcadeSettings.server_secret defaults to "dev" (libs/arcade-mcp-server/arcade_mcp_server/settings.py:129–158)
create_arcade_mcp() passes this value directly to FastAPIWorker without validation (libs/arcade-mcp-server/arcade_mcp_server/worker.py:118–188)
BaseWorker._set_secret() accepts this value and does not enforce rotation (libs/arcade-serve/arcade_serve/core/base.py:42–83)
Because the worker’s signing key is constant and publicly documented, attackers can trivially generate valid HS256 JWTs:
The FastAPI worker auth middleware (arcade_serve/fastapi/auth.py) trusts any JWT signed with the worker secret.
The core auth layer (arcade_serve/core/auth.py) does not distinguish forged tokens from legitimate ones.
The official quick-start instructions (README.md:164–190) demonstrate launching an MCP server without mentioning worker-secret rotation. Users are told how to define tool secrets in .env, but not that the worker’s authentication key must be changed.
As a result, servers deployed following the documented workflow expose all /worker/* endpoints to anyone capable of generating a simple HS256 token using the known key.
This CVE was resolved by https://github.com/ArcadeAI/arcade-mcp/pull/691
PoC
Start the server using the official guide https://docs.arcade.dev/en/home/build-tools/create-a-mcp-server
Verify that unauthenticated access is rejected (expected)
curl -s -D - http://127.0.0.1:8000/worker/tools
# → 403 Forbidden
Forge a valid HS256 token using the hardcoded default secret "dev"
import jwt
print(jwt.encode({'ver': '1', 'aud': 'worker'}, 'dev', algorithm='HS256'))
Use the forged token to bypass authentication
curl -s -D - \
-H "Authorization: Bearer $(cat /tmp/forged_token.txt)" \
http://127.0.0.1:8000/worker/tools
Result: The server responds 200 OK with the full tool catalog and allows invocation of all worker tools.
Server logs show a rejected request immediately followed by a successful forged request, confirming the bypass.
Impact
This is an authentication bypass that results in full remote access to all MCP worker endpoints:
Unauthenticated attackers can enumerate tools
Invoke arbitrary tools remotely
Access any data returned by tools (including secrets loaded into ToolContext)
Execute actions inside internal systems if tools expose operational capabilities
Perform these actions without any brute forcing or guesswork due to the known default signing key
Any user who follows the official setup guide is exposed unless they manually override ARCADE_WORKER_SECRET, which is not documented.
This vulnerability effectively gives complete remote control over the MCP worker API to any attacker aware of the default key.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "arcade-mcp-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66454"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T17:55:44Z",
"nvd_published_at": "2025-12-02T19:15:52Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe arcade-mcp HTTP server uses a hardcoded default worker secret (\"dev\") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints\u2014including tool enumeration and tool invocation\u2014without credentials.\n\nAnyone following the official quick-start guide is vulnerable unless they manually override ARCADE_WORKER_SECRET.\n\n### Details\n\nThe documented method for launching an HTTP MCP server (python server.py http) implicitly sets the worker secret to the hardcoded default \"dev\":\n\nArcadeSettings.server_secret defaults to \"dev\"\n(libs/arcade-mcp-server/arcade_mcp_server/settings.py:129\u2013158)\n\ncreate_arcade_mcp() passes this value directly to FastAPIWorker without validation\n(libs/arcade-mcp-server/arcade_mcp_server/worker.py:118\u2013188)\n\nBaseWorker._set_secret() accepts this value and does not enforce rotation\n(libs/arcade-serve/arcade_serve/core/base.py:42\u201383)\n\nBecause the worker\u2019s signing key is constant and publicly documented, attackers can trivially generate valid HS256 JWTs:\n\nThe FastAPI worker auth middleware (arcade_serve/fastapi/auth.py) trusts any JWT signed with the worker secret.\n\nThe core auth layer (arcade_serve/core/auth.py) does not distinguish forged tokens from legitimate ones.\n\nThe official quick-start instructions (README.md:164\u2013190) demonstrate launching an MCP server without mentioning worker-secret rotation. Users are told how to define tool secrets in .env, but not that the worker\u2019s authentication key must be changed.\n\nAs a result, servers deployed following the documented workflow expose all /worker/* endpoints to anyone capable of generating a simple HS256 token using the known key.\n\nThis CVE was resolved by https://github.com/ArcadeAI/arcade-mcp/pull/691\n\n### PoC\n\nStart the server using the official guide\nhttps://docs.arcade.dev/en/home/build-tools/create-a-mcp-server\n\nVerify that unauthenticated access is rejected (expected)\n```\ncurl -s -D - http://127.0.0.1:8000/worker/tools\n# \u2192 403 Forbidden\n```\n\nForge a valid HS256 token using the hardcoded default secret \"dev\"\n```\nimport jwt\nprint(jwt.encode({\u0027ver\u0027: \u00271\u0027, \u0027aud\u0027: \u0027worker\u0027}, \u0027dev\u0027, algorithm=\u0027HS256\u0027))\n```\n\nUse the forged token to bypass authentication\n```\ncurl -s -D - \\\n -H \"Authorization: Bearer $(cat /tmp/forged_token.txt)\" \\\n http://127.0.0.1:8000/worker/tools\n```\n\nResult:\nThe server responds 200 OK with the full tool catalog and allows invocation of all worker tools.\n\nServer logs show a rejected request immediately followed by a successful forged request, confirming the bypass.\n\n### Impact\n\nThis is an authentication bypass that results in full remote access to all MCP worker endpoints:\n\nUnauthenticated attackers can enumerate tools\n\nInvoke arbitrary tools remotely\n\nAccess any data returned by tools (including secrets loaded into ToolContext)\n\nExecute actions inside internal systems if tools expose operational capabilities\n\nPerform these actions without any brute forcing or guesswork due to the known default signing key\n\nAny user who follows the official setup guide is exposed unless they manually override ARCADE_WORKER_SECRET, which is not documented.\n\nThis vulnerability effectively gives complete remote control over the MCP worker API to any attacker aware of the default key.",
"id": "GHSA-g2jx-37x6-6438",
"modified": "2025-12-02T21:44:00Z",
"published": "2025-12-02T17:55:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66454"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeAI/arcade-mcp/pull/691"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817"
},
{
"type": "WEB",
"url": "https://github.com/ArcadeAI/arcade-mcp/commit/7fb097f20fbea35e382a1b78da6fd90609c55a9e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArcadeAI/arcade-mcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints"
}
GHSA-G5JR-34R4-RV4W
Vulnerability from github – Published: 2024-01-27 03:30 – Updated: 2024-02-01 06:31Use of encryption key derived from static information in Synaptics Fingerprint Driver allows
an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may allow an attacker, who has physical access to the sensor, to enroll a fingerprint into the template database.
{
"affected": [],
"aliases": [
"CVE-2023-6482"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-27T01:15:08Z",
"severity": "MODERATE"
},
"details": "Use of encryption key derived from static information in Synaptics Fingerprint Driver allows \n\nan attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor.\u00a0This may \nallow an attacker, who has physical access to the sensor, to enroll a fingerprint into the \ntemplate database.",
"id": "GHSA-g5jr-34r4-rv4w",
"modified": "2024-02-01T06:31:04Z",
"published": "2024-01-27T03:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6482"
},
{
"type": "WEB",
"url": "https://www.synaptics.com/sites/default/files/2024-01/fingerprint-driver-encryption-key-security-brief-2024-01-26.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.