CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference

Description

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

Extended Description

Programmers typically catch NullPointerException under three circumstances: The program contains a null pointer dereference. Catching the resulting exception was easier than fixing the underlying problem. The program explicitly throws a NullPointerException to signal an error condition. The code is part of a test harness that supplies unexpected input to the classes under test. Of these three circumstances, only the last is acceptable.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: DoS: Resource Consumption (CPU) — Notes:

Potential Mitigations

Architecture and Design: Do not extensively rely on catching exceptions (especially for validating user input) to handle errors. Handling exceptions can decrease the performance of an application. (N/A)

Applicable Platforms

Java (N/A, Undetermined)

Demonstrative Examples

Intro: The following code mistakenly catches a NullPointerException.

try { mysteryMethod(); } catch (NullPointerException npe) { }

Notes

No notes available.

← Back to CWE list