CWE · MITRE source
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (29)
The 15 most specific controls are listed first, followed by 14 more broadly applicable controls that address many weakness types.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-1 | Policy and Procedures | SA | Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres. |
| SA-12 | Supply Chain Protection | SA | Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres. |
| SA-13 | Trustworthiness | SA | Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration. |
| SR-1 | Policy and Procedures | SR | Supply chain policy and procedures require vetting of external components and suppliers, directly reducing the likelihood of incorporating functionality from untrusted sources. |
| SR-10 | Inspection of Systems or Components | SR | Inspection can detect malicious functionality that was included from an untrusted sphere through tampering or a supply-chain attack. |
| SR-11 | Component Authenticity | SR | Anti-counterfeit procedures directly block inclusion of components originating from untrusted supply-chain actors. |
| SC-18 | Mobile Code | SC | Defining acceptable mobile code technologies and authorizing their use prevents inclusion of functionality from untrusted control spheres. |
| SC-29 | Heterogeneity | SC | Diversity of sources and implementations limits the blast radius when functionality is drawn from untrusted control spheres. |
| SC-35 | External Malicious Code Identification | SC | External identification of malicious code makes inclusion of functionality from untrusted network sources substantially harder to perform undetected. |
| CM-10 | Software Usage Restrictions | CM | Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres. |
| CM-11 | User-installed Software | CM | Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres. |
| CM-8 | System Component Inventory | CM | The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews. |
| MA-3 | Maintenance Tools | MA | Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources. |
| MP-7 | Media Use | MP | Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources. |
| PM-30 | Supply Chain Risk Management Strategy | PM | The strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres. |
| SA-19 | Component Authenticity | SA | Mandates acquisition only from trusted suppliers and verified authentic sources, reducing inclusion of functionality from untrusted control spheres. |
| SA-20 | Customized Development of Critical Components | SA | Reimplementing critical components avoids pulling in functionality from untrusted external control spheres. |
| SA-4 | Acquisition Process | SA | Allocation of supply-chain risk management responsibilities and vetting of the development/operational environment reduce inclusion of functionality from untrusted control spheres. |
| SA-6 | Software Usage Restrictions | SA | Software usage restrictions limit inclusion of code obtained from untrusted or non-contracted control spheres. |
| SA-7 | User-installed Software | SA | Prevents inclusion of code or functionality obtained from an untrusted user or external source. |
| SA-9 | External System Services | SA | Defining oversight, roles, and compliance monitoring for external services directly mitigates the risk of including functionality from an untrusted control sphere. |
| SR-2 | Supply Chain Risk Management Plan | SR | The control directly mandates assessment and mitigation of risks from external suppliers, reducing inclusion of functionality from untrusted control spheres. |
| SR-3 | Supply Chain Controls and Processes | SR | Requiring vetted sources and controls for system components prevents inclusion of functionality obtained from untrusted control spheres. |
| SR-4 | Provenance | SR | Documenting component provenance ensures functionality is only included from verified, trusted control spheres rather than untrusted ones. |
| SR-5 | Acquisition Strategies, Tools, and Methods | SR | Procurement methods and contract requirements can mandate use of vetted, controlled sources instead of arbitrary third-party or untrusted control spheres. |
| SR-6 | Supplier Assessments and Reviews | SR | Supplier assessments directly reduce the likelihood of incorporating functionality from untrusted third-party control spheres. |
| SR-8 | Notification Agreements | SR | Agreements establish channels for suppliers to report integrity or compromise issues in included third-party functionality, shrinking the window for exploitation. |
| SC-44 | Detonation Chambers | SC | Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection. |
| SI-3 | Malicious Code Protection | SI | Detects and prevents inclusion of malicious functionality downloaded from untrusted control spheres. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2018-17246 | 7.6 | 9.8 | 0.9378 | 2018-12-20 |
| CVE-2020-16152 | 7.1 | 9.8 | 0.8490 | 2021-11-14 |
| CVE-2018-7422 | 6.9 | 7.5 | 0.9041 | 2018-03-19 |
| CVE-2025-32463 (KEV) | 6.7 | 9.3 | 0.4697 | 2025-06-30 |
| CVE-2021-41569 | 5.9 | 7.5 | 0.7377 | 2021-11-19 |
| CVE-2022-25486 | 5.7 | 7.8 | 0.6883 | 2022-03-15 |
| CVE-2023-2249 | 4.6 | 8.8 | 0.4816 | 2023-06-09 |
| CVE-2024-8252 | 4.4 | 8.8 | 0.4415 | 2024-08-30 |
| CVE-2025-34074 | 4.4 | 0.0 | 0.7402 | 2025-07-02 |
| CVE-2022-37191 | 4.1 | 6.5 | 0.4637 | 2022-09-13 |
| CVE-2022-29845 | 4.0 | 6.5 | 0.4439 | 2022-05-11 |
| CVE-2004-0285 | 3.8 | 9.8 | 0.3000 | 2004-11-23 |
| CVE-2022-25485 | 3.8 | 7.8 | 0.3763 | 2022-03-15 |
| CVE-2021-21804 | 3.6 | 9.8 | 0.2781 | 2021-07-16 |
| CVE-2020-3794 | 3.2 | 9.8 | 0.2111 | 2020-03-25 |
| CVE-2025-27607 | 3.1 | 8.8 | 0.2176 | 2025-03-07 |
| CVE-2022-34121 | 3.0 | 7.5 | 0.2541 | 2022-07-27 |
| CVE-2010-2076 | 2.7 | 9.8 | 0.1195 | 2010-08-19 |
| CVE-2024-48336 | 2.7 | 8.4 | 0.1659 | 2024-11-04 |
| CVE-2026-0770 | 2.7 | 9.8 | 0.1186 | 2026-01-23 |
| CVE-2021-42133 | 2.5 | 8.1 | 0.1440 | 2021-12-07 |
| CVE-2018-8351 | 2.4 | 6.5 | 0.1875 | 2018-08-15 |
| CVE-2004-0030 | 2.3 | 9.8 | 0.0538 | 2004-01-20 |
| CVE-2019-13589 | 2.3 | 9.8 | 0.0612 | 2019-07-14 |
| CVE-2023-6971 | 2.2 | 8.1 | 0.0906 | 2023-12-23 |