CWE Coverage Map
Reverse lookup: find which CME controls mitigate a given CWE weakness class. 87 distinct CWEs covered across 104 CME entries.
CWE-20
CWE-22
CWE-73
CWE-78
CWE-79
CWE-89
CWE-94
CWE-119
- CME-101 ASLR (Address Space Layout Randomization) Harden
- CME-102 NX/XD Bit (Non-Executable Memory) Harden
- CME-104 KASLR (Kernel Address Space Layout Randomization) Harden
- CME-105 SMEP (Supervisor Mode Execution Prevention) Harden
- CME-106 SMAP (Supervisor Mode Access Prevention) Harden
- CME-108 kptr_restrict (Kernel Pointer Restriction) Harden
- CME-112 RELRO and PIE (Full) Harden
- CME-113 Control Flow Integrity (CFI / Shadow Call Stack) Harden
- CME-116 FORTIFY_SOURCE (Buffer Overflow Detection) Harden
- CME-601 Kernel-Level Syscall Filtering (seccomp) Harden
- CME-602 seccomp-bpf Profile (Container Default) Harden
- CME-603 Unprivileged BPF Disabled Harden
- CME-604 Unprivileged User Namespaces Disabled Harden
- CME-701 Sandboxing / gVisor Runtime Isolate
- CME-1102 Live Kernel Patching (kpatch/livepatch) Evict
CWE-120
- CME-101 ASLR (Address Space Layout Randomization) Harden
- CME-103 Stack Canaries (Stack Protector) Harden
- CME-112 RELRO and PIE (Full) Harden
- CME-113 Control Flow Integrity (CFI / Shadow Call Stack) Harden
- CME-116 FORTIFY_SOURCE (Buffer Overflow Detection) Harden
- CME-1005 Runtime Memory Error Detection (KASAN/HWASan) Detect
CWE-121
CWE-122
CWE-125
CWE-131
CWE-190
CWE-193
CWE-200
CWE-223
CWE-250
- CME-703 Rootless Containers Isolate
- CME-705 Dropped Linux Capabilities Isolate
- CME-707 NoNewPrivileges Isolate
- CME-708 Least Privilege sudo Configuration Isolate
- CME-901 SSH Hardening (Comprehensive) Harden
- CME-911 Fine-Grained Administrative Permission Scoping Isolate
CWE-266
- CME-907 Application-Layer RBAC Enforcement Harden
- CME-910 Role Separation / Duty Segregation Isolate
- CME-911 Fine-Grained Administrative Permission Scoping Isolate
- CME-1007 Application Configuration Drift Detection (IaC Enforcement) Detect
- CME-1008 Application Admin Event Logging (SIEM Integration) Detect
- CME-1009 Privilege Assignment Monitoring (Role Grant Alerting) Detect
CWE-268
CWE-269
- CME-104 KASLR (Kernel Address Space Layout Randomization) Harden
- CME-105 SMEP (Supervisor Mode Execution Prevention) Harden
- CME-106 SMAP (Supervisor Mode Access Prevention) Harden
- CME-109 Kernel Lockdown Mode Harden
- CME-110 KEXEC Restriction Harden
- CME-111 Secure Boot (UEFI) Harden
- CME-301 SELinux (Enforcing Mode) Harden
- CME-302 SELinux Confined User Mapping Harden
- CME-304 AppArmor (Enforcing Profile) Harden
- CME-503 nosuid on Non-Root Partitions Harden
- CME-506 Landlock LSM (Filesystem Sandboxing) Isolate
- CME-602 seccomp-bpf Profile (Container Default) Harden
- CME-603 Unprivileged BPF Disabled Harden
- CME-604 Unprivileged User Namespaces Disabled Harden
- CME-701 Sandboxing / gVisor Runtime Isolate
- CME-702 Linux Namespaces (User, PID, Network, Mount) Isolate
- CME-703 Rootless Containers Isolate
- CME-705 Dropped Linux Capabilities Isolate
- CME-706 Pod Security Standards (Restricted) Isolate
- CME-707 NoNewPrivileges Isolate
- CME-708 Least Privilege sudo Configuration Isolate
- CME-709 systemd Service Sandboxing (PrivateDevices, PrivateTmp, ProtectSystem) Isolate
- CME-710 DynamicUser (systemd) Isolate
- CME-910 Role Separation / Duty Segregation Isolate
- CME-911 Fine-Grained Administrative Permission Scoping Isolate
- CME-1008 Application Admin Event Logging (SIEM Integration) Detect
- CME-1009 Privilege Assignment Monitoring (Role Grant Alerting) Detect
CWE-284
- CME-109 Kernel Lockdown Mode Harden
- CME-201 Zero Trust Gateway / Identity-Aware Proxy Isolate
- CME-202 Host-Based Firewall (firewalld/nftables) Isolate
- CME-203 Network Segmentation (VLANs/Subnets) Isolate
- CME-205 Service Binding to Localhost Isolate
- CME-206 Network Policy (Kubernetes) Isolate
- CME-301 SELinux (Enforcing Mode) Harden
- CME-302 SELinux Confined User Mapping Harden
- CME-303 SELinux Booleans (Restrictive) Harden
- CME-304 AppArmor (Enforcing Profile) Harden
- CME-501 Read-Only Root Filesystem Isolate
- CME-506 Landlock LSM (Filesystem Sandboxing) Isolate
- CME-706 Pod Security Standards (Restricted) Isolate
- CME-709 systemd Service Sandboxing (PrivateDevices, PrivateTmp, ProtectSystem) Isolate
- CME-902 Disable Unused Network Services Harden
- CME-903 Kernel Network Hardening (sysctl) Harden
- CME-908 Object-Level Authorization Checks (IDOR Prevention) Harden
- CME-1007 Application Configuration Drift Detection (IaC Enforcement) Detect
- CME-1008 Application Admin Event Logging (SIEM Integration) Detect
- CME-1009 Privilege Assignment Monitoring (Role Grant Alerting) Detect
- CME-1303 Application-Level Filesystem Access Confinement Isolate
CWE-285
CWE-287
CWE-295
- CME-404 Certificate Pinning Harden
CWE-300
CWE-306
CWE-307
CWE-311
CWE-312
CWE-316
CWE-319
CWE-326
- CME-401 System-wide Crypto Policy (FUTURE) Harden
- CME-402 FIPS 140-3 Mode Harden
CWE-327
- CME-401 System-wide Crypto Policy (FUTURE) Harden
- CME-402 FIPS 140-3 Mode Harden
- CME-403 TLS 1.3 Enforcement Harden
CWE-328
- CME-402 FIPS 140-3 Mode Harden
CWE-345
CWE-346
CWE-350
- CME-207 DNS Rebinding Protection Harden
- CME-405 DNSSEC Validation Harden
- CME-903 Kernel Network Hardening (sysctl) Harden
CWE-352
CWE-400
CWE-415
CWE-416
- CME-101 ASLR (Address Space Layout Randomization) Harden
- CME-102 NX/XD Bit (Non-Executable Memory) Harden
- CME-112 RELRO and PIE (Full) Harden
- CME-113 Control Flow Integrity (CFI / Shadow Call Stack) Harden
- CME-117 Heap Allocator Hardening (glibc Safe-Linking and Metadata Protection) Harden
- CME-1005 Runtime Memory Error Detection (KASAN/HWASan) Detect
CWE-426
CWE-427
CWE-434
CWE-476
CWE-494
CWE-502
CWE-521
CWE-646
CWE-668
- CME-203 Network Segmentation (VLANs/Subnets) Isolate
- CME-205 Service Binding to Localhost Isolate
- CME-206 Network Policy (Kubernetes) Isolate
- CME-902 Disable Unused Network Services Harden
CWE-732
- CME-301 SELinux (Enforcing Mode) Harden
CWE-757
- CME-401 System-wide Crypto Policy (FUTURE) Harden
- CME-403 TLS 1.3 Enforcement Harden
CWE-770
CWE-778
CWE-787
CWE-798
CWE-825
CWE-829
CWE-834
CWE-835
CWE-862
CWE-863
CWE-915
CWE-917
CWE-918
CWE-940
CWE-942
CWE-1220
CWE-1275
CWE-1284
CWE-1285
CWE-1321