Search CME Entries
- Randomizes memory layout of processes, making memory corruption exploits significantly harder by requiring the attacker to guess or leak addresses.
- Hardware-enforced memory page permissions that prevent execution of code in data regions (stack, heap), blocking classic code injection.
- Compiler-inserted random guard values on the stack that are checked before function return. Detects and aborts on stack buffer overflow before attacke...
- Randomizes the kernel base address at each boot, making kernel exploits harder by requiring address leaks to locate kernel functions and data structur...
- CPU feature preventing the kernel from executing code in userspace pages. Blocks ret2usr attacks where kernel exploit redirects execution to attacker-...
- CPU feature preventing the kernel from reading/writing userspace memory except through designated copy functions. Hardens kernel against data-only att...
- Disables dynamic kernel module loading at runtime, preventing insertion of rootkits or malicious kernel code after boot.
- Hides kernel pointer addresses from unprivileged users, denying the address leaks needed to exploit kernel vulnerabilities when KASLR is active.
- LSM that restricts kernel features allowing arbitrary code execution or direct hardware access from userspace. Integrity mode blocks module parameters...
- Prevents loading a new kernel at runtime via kexec, blocking a vector for kernel-level persistence and Secure Boot bypass.
- Firmware-level verification that only signed bootloaders and kernels execute, preventing boot-level rootkits and unauthorized kernel replacement.
- Compiler/linker hardening that makes the Global Offset Table read-only after relocation (Full RELRO) and builds position-independent executables (PIE)...
- Hardware or compiler-enforced control flow integrity that validates indirect branch targets match expected types, blocking ROP/JOP chains. On ARM64, s...
- Configures per-process resource limits via ulimit/prlimit to prevent algorithmic complexity attacks, infinite loops, and resource exhaustion from cons...
- Compile-time and runtime detection of buffer overflows in common C library functions (memcpy, strcpy, sprintf, read, etc.). At compile time, the compi...
- Enable and verify glibc heap allocator safety features that specifically target use-after-free and double-free exploitation. Modern glibc (2.32+) incl...
- Enable the kernel filesystem link protection sysctls to prevent exploitation of TOCTOU race conditions and symlink following attacks in world-writable...
- All network access requires authenticated identity verification. No implicit trust from network position. Every request is authenticated and authorize...
- Per-host network access control using firewalld zones or nftables rules. Restricts which network sources can reach specific services, reducing attack ...
- Separates network traffic into isolated segments by trust zone, preventing lateral movement between zones (e.g., DMZ, internal, management).
- Encrypts all network traffic between hosts using IPsec or WireGuard, preventing eavesdropping, injection, and man-in-the-middle attacks on the wire.
- Configures services to listen only on 127.0.0.1/::1, eliminating the remote network attack vector entirely. Remote access must go through a reverse proxy ...
- Kubernetes NetworkPolicy resources that restrict pod-to-pod and pod-to-external communication. Default-deny ingress/egress with explicit allowlists.
- Configure DNS resolvers, recursive forwarders, and network firewalls to reject DNS responses that resolve public domain names to private IP addresses ...
- Mandatory access control system that confines processes to least-privilege security domains. Even if a process is compromised, it cannot access files,...
- Maps Linux login users to SELinux confined user types instead of unconfined_u. Restricts user-level capabilities like running unconfined applications,...
- Fine-grained SELinux policy toggles that disable risky inter-domain interactions. Examples: httpd_can_network_connect=off prevents web servers from ma...
- Path-based mandatory access control that restricts per-application file, network, and capability access. Each application runs under a profile definin...
- Centrally enforces minimum cryptographic standards across all system components (OpenSSL, GnuTLS, NSS, OpenSSH, Kerberos). FUTURE policy disables TLS ...
- Enables FIPS-validated cryptographic modules system-wide. Only NIST-approved algorithms are available for all cryptographic operations. Non-compliant ...
- Restricts all TLS connections to TLS 1.3 minimum, eliminating protocol downgrade attacks and leveraging TLS 1.3's reduced handshake, mandatory forward...
- Application pins expected TLS certificate fingerprints or public keys, preventing MitM attacks using rogue or compromised certificate authorities.
- Validates DNS responses using cryptographic signatures, preventing DNS spoofing, cache poisoning, and DNS-based redirection attacks.
- Rejects installation of unsigned or tampered RPM/DEB packages by validating GPG signatures against trusted keys. Prevents supply chain attacks via pac...
- Encrypts data volumes and partitions at the block device layer using LUKS2/dm-crypt, ensuring that sensitive data including credentials, tokens, PII, ...
- Mounts root filesystem as read-only, preventing persistent modification of system binaries, libraries, and configuration. Writable areas are confined ...
- Mounts /tmp and /dev/shm with noexec option, preventing execution of attacker-dropped binaries or scripts from temporary directories commonly used as ...
- Mounts partitions like /tmp, /var, /home with nosuid, preventing SUID/SGID binaries from taking effect, blocking a privilege escalation vector.
- Cryptographic verification of block device integrity using a Merkle tree hash. Every read from the block device is verified against pre-computed hashe...
- Kernel subsystem that measures file hashes at access time and optionally enforces an integrity policy. EVM extends this with extended attribute protec...
- Linux Security Module that allows unprivileged processes to restrict their own filesystem access. Process voluntarily drops access to paths it does no...
- Harden the dynamic linker search path and execution environment to prevent library injection and PATH manipulation attacks. Verify that /etc/ld.so.con...
- Restricts the set of system calls a process can make to the kernel. Reduces kernel attack surface by blocking syscalls the application doesn't need, p...
- Applies the default OCI/Docker/Podman seccomp-bpf profile which blocks ~44 dangerous syscalls including kexec_load, mount, reboot, and others. Basis f...
- Prevents unprivileged users from loading BPF programs into the kernel. BPF programs run in kernel context and vulnerabilities in the BPF verifier have...
- Prevents unprivileged users from creating user namespaces. User namespaces expose kernel attack surface (mount, network, PID operations) to unprivileg...
- Application-level kernel emulation (gVisor) or VM-based isolation (Kata Containers) that intercepts syscalls and prevents direct host kernel interacti...
- Kernel namespace isolation providing separate views of system resources per process group. PID namespace hides host processes, mount namespace isolate...
- Containers run entirely without root privileges on the host. The container runtime, image pull, and all container processes run as an unprivileged use...
- Constrains CPU, memory, I/O, and PIDs for process groups using cgroups v2 unified hierarchy. Prevents resource exhaustion attacks and limits blast rad...
- Removes unnecessary POSIX capabilities from container or process bounding set. Default container profiles drop CAP_SYS_ADMIN, CAP_NET_RAW, CAP_SYS_PTR...
- Kubernetes Pod Security Standards at Restricted level: requires non-root, drops ALL capabilities, blocks privilege escalation, requires seccomp, block...
- Sets the no_new_privs process flag, preventing any child process from gaining new privileges via execve (SUID bits, file capabilities, setuid transiti...
- Configures sudo to allow specific commands only, rather than unrestricted root access. Uses command allowlists, NOPASSWD only for specific safe comman...
- systemd unit directives that sandbox services: PrivateDevices removes device access, PrivateTmp isolates /tmp, ProtectSystem=strict makes / read-only,...
- systemd dynamically allocates a unique UID/GID per service instance. No persistent user account exists; each service restart gets a fresh identity, pr...
- Requires multiple authentication factors (password + TOTP/FIDO2/smart card), preventing credential-only compromise. Even stolen passwords are insuffic...
- Enforces minimum password complexity (length, character classes, dictionary checks) via pam_pwquality, making brute force and dictionary attacks impra...
- Locks user accounts after a configurable number of failed authentication attempts, preventing online brute force attacks.
- Disables password-based SSH login entirely, requiring public key authentication. Eliminates remote brute force against SSH as an attack vector.
- Automated rotation of secrets, API keys, and passwords on schedule. Limits the window during which compromised credentials remain valid.
- Centralized ticket-based authentication using Kerberos. Passwords never transmitted over the network; mutual authentication prevents impersonation of ...
- Comprehensive SSH hardening: disable root login, enforce Protocol 2, restrict ciphers to AEAD (chacha20/aes-gcm), disable X11/agent forwarding, set Ma...
- Disables and masks unnecessary listening services (rpcbind, avahi-daemon, cups, postfix on non-mail servers). Each removed service eliminates an attac...
- Kernel network stack hardening via sysctl: enable SYN cookies (TCP SYN flood protection), disable IP forwarding, reject source-routed packets, ignore ...
- HTTP-layer filtering that inspects requests for injection, XSS, path traversal, and other OWASP Top 10 patterns. Can operate in blocking or detection ...
- Browser-enforced HTTP header policy that restricts script sources, prevents inline execution, and blocks mixed content. Primary defense against stored...
- Limits request rate per client IP or authenticated identity. Mitigates brute force attacks, credential stuffing, and application-level denial of servi...
- Enforce role-based access control within the application by mapping each user to a set of roles, each role to a set of permissions, and verifying the ...
- Enforce per-object ownership and permission verification on every data access operation. Before returning, modifying, or deleting any resource, the ap...
- All API endpoints require explicit authorization by default — any endpoint without a declared authorization rule returns 403 Forbidden. The authorizat...
- Structure application roles around single-responsibility privilege domains, ensuring that capabilities in one domain cannot be leveraged to gain privi...
- Decompose coarse-grained administrative roles into fine-grained permission sets and assign each administrator the minimum permission scope required fo...
- Enforce strict HTTP header parsing on all HTTP intermediaries (proxies, load balancers, reverse proxies, web servers) to prevent request smuggling via...
- Server-side enforcement of anti-CSRF tokens (synchronizer tokens or double-submit cookies) combined with SameSite=Strict or SameSite=Lax cookie attrib...
- Server-side enforcement of a strict, explicitly enumerated origin allowlist for Cross-Origin Resource Sharing (CORS). The server validates the Origin ...
- Configure the reverse proxy or load balancer (nginx, Apache httpd, HAProxy) to validate the Origin and Referer headers on state-changing requests (POS...
- Configure the web server or reverse proxy to enforce the SameSite attribute (Lax or Strict) on all Set-Cookie response headers. When SameSite=Lax is s...
- Real-time behavioral detection and automated response agent on endpoints. Detects exploit patterns, lateral movement, and persistence mechanisms. Can ...
- Linux kernel audit framework that logs syscalls, file access, authentication events, and security-relevant operations. Provides forensic trail and can...
- Kernel-level runtime security using eBPF or kernel modules to detect anomalous behavior: unexpected shell spawns, sensitive file reads, network connec...
- Detects unauthorized modifications to critical system files by comparing against a known-good baseline database. Scheduled or continuous monitoring of...
- Kernel AddressSanitizer (KASAN) and Hardware-assisted AddressSanitizer (HWASan) detect memory safety violations at runtime including use-after-free, o...
- Application-level audit trail that records every modification to user roles, permissions, and authorization policies. Each log entry captures the acto...
- Continuously monitor application-managed configuration objects — stored in databases, APIs, or runtime registries rather than filesystem files — again...
- Record every administrative action performed through the application management interface into a structured, tamper-evident audit log, and forward eve...
- Continuously monitor the effective set of users holding high-privilege application roles and alert when new grants are detected that do not correspond...
- Automatically downloads and applies security updates on schedule. Reduces the window between vulnerability disclosure and patch application from days/...
- Applies critical kernel security fixes without system reboot, eliminating the patch-reboot delay that leaves systems vulnerable. Patches are applied t...
- CI/CD pipeline automatically rebuilds and redeploys container images when base image CVEs are published. Running containers are replaced with patched ...
- Servers are replaced rather than patched in place. Golden images are built in CI/CD, deployed fresh, and destroyed on replacement. Compromised instanc...
- Regular automated backups with cryptographic integrity verification and tested restore procedures. Enables point-in-time recovery after ransomware, da...
- Active-passive or active-active multi-region deployment enabling failover when the primary site is compromised or unavailable. Automated failover with def...
- Application-level path validation that canonicalizes user-supplied paths (resolving symlinks, ../, and relative references) and verifies the resolved ...
- Restricts deserialization to an explicit allowlist of permitted types, classes, or functions. Prevents attacker-controlled serialized data from instan...
- Application enforces its own filesystem access boundaries independent of OS-level controls. Uses chroot-like path scoping, virtual filesystem abstract...
- Application-level validation that restricts outbound requests and file access to an allowlist of permitted destinations, schemes, and paths. Blocks re...
- Application exclusively uses parameterized queries or prepared statements for all database operations. User input is never concatenated into SQL strin...
- Application applies context-aware output encoding to all user-controlled data before rendering in HTML, JavaScript, CSS, or URL contexts. Uses framewo...
- Application avoids invoking shell commands with user-controlled input. Uses direct process execution (subprocess with list args, no shell=True) or pur...
- Enforces strict Cross-Origin Resource Sharing (CORS) policies and Origin header validation to prevent cross-origin attacks. Configures CORS headers (A...
- Restricts or disables application-embedded scripting and expression language engines to prevent arbitrary code execution. Covers three postures: (1) d...
- Server-side validation of uploaded files using content inspection (magic byte verification), extension allowlisting, and size limits before the file i...
- Validation that user-supplied quantities — sizes, counts, lengths, offsets, indices, and repetition factors — fall within expected bounds before they ...