CWE-403 (Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | C | — | Undetermined | — |
| language | — | Not Language-Specific | Undetermined | — |
| operating_system | — | Unix | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-40042 | 2026-04-13 | Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers … |
| CVE-2025-15114 | 2025-12-30 | Ksenia Security lares (legacy model) Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can ret… |
| CVE-2024-58280 | 2025-12-10 | CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_… |
| CVE-2025-3032 | 2025-04-01 | Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks. This vulnerability was fixed in Firefox 137 and Thunderbird 137. |
| CVE-2024-21626 | 2024-01-31 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Applicable_Platforms, Relationships, Taxonomy_Mappings |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Affected_Resources, Observed_Examples, Relationships, Taxonomy_Mappings |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Common_Consequences |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Alternate_Terms, Description, Name, Observed_Examples, References |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Affected_Resources, Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Applicable_Platforms |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Functional_Areas |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Detection_Factors, Weakness_Ordinalities |