CVE and CWE

Khanna Ji
Tera Guru

Can anybody explain to me the difference between CVE (Common Vulnerabilities and Exposures) and CWE (Common Weakness Enumeration)? Also, please give one example of each, which will help me understand them easily.

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Think of Common Weakness Enumeration (CWE) as a way to categorize or group software "weaknesses and vulnerabilities" together. Another way to look at it is as a classification system for software design flaws. For example, a design flaw may be classified as a "Development Concept", then "Data Processing Errors", and finally arriving at CWE-116: Improper Encoding or Escaping of Output.

Common Vulnerabilities and Exposures (CVE), on the other hand, is used to specifically identify a real-world issue with software. A CVE identifies a weakness that organizations need to evaluate for remediation to prevent bad actors from exploiting it. Typically, a vulnerability scanner will identify a weakness and tag it with its related CVE number. Often vulnerability scanners will also have their own proprietary way of identifying and classifying vulnerabilities. The CVE creates a common framework for vulnerability reference across vendors.

Let's look at CVE-2016-0778. This vulnerability description is:

"The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings."

As you can see, it identifies the specific software (OpenSSH) and the versions (5.x - 7.1) that have the issue. If we look a little deeper, this CVE will reference its CWE category: CWE-119: Buffer Errors.


If this helps, please mark it as correct so others can benefit from our conversation. 

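To make the "scanner tags a finding with its CVE, and the CVE points at a CWE" relationship from the accepted solution concrete, here is an added example (not from the original post, ServiceNow, or the OpenSSH project). It parses an OpenSSH version banner, applies the affected range exactly as the CVE-2016-0778 description above states it (5.x, 6.x and 7.x before 7.1p2), and pulls the CWE reference out of a constructed record shaped like an NVD CVE API 2.0 entry. The banners, the JSON record (only the fields used here), and the function names are assumptions made for the illustration.

```python
"""Tag an OpenSSH banner with CVE-2016-0778 and the CWE the CVE record references.

Added illustration; the NVD-shaped record below is constructed inline from the
CVE text quoted on the page and is not a live download.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample mimicking the shape of an NVD CVE API 2.0 record (assumption:
# only "id", "descriptions" and "weaknesses" are included).
NVD_RECORD_JSON = json.dumps({
    "cve": {
        "id": "CVE-2016-0778",
        "descriptions": [{
            "lang": "en",
            "value": "The (1) roaming_read and (2) roaming_write functions in "
                     "roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x "
                     "before 7.1p2, when certain proxy and forward options are "
                     "enabled, do not properly maintain connection file descriptors, "
                     "which allows remote servers to cause a denial of service "
                     "(heap-based buffer overflow) or possibly have unspecified "
                     "other impact by requesting many forwardings.",
        }],
        "weaknesses": [{
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [{"lang": "en", "value": "CWE-119"}],
        }],
    }
})

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")          # CVE-YYYY-NNNN (4+ digits)
CWE_ID_RE = re.compile(r"^CWE-\d+$")                    # CWE-NNN
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


@dataclass(frozen=True)
class OpenSSHVersion:
    major: int
    minor: int
    patch: int  # portable "pN" level; 0 when the banner has none

    def key(self) -> tuple:
        return (self.major, self.minor, self.patch)


def parse_banner(banner: str) -> Optional[OpenSSHVersion]:
    """Return the OpenSSH version in an SSH identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return OpenSSHVersion(int(major), int(minor), int(patch) if patch else 0)


# Affected range, taken literally from the CVE text: 5.x, 6.x, 7.x before 7.1p2.
FIRST_FIXED = OpenSSHVersion(7, 1, 2)


def is_affected(version: OpenSSHVersion) -> bool:
    return 5 <= version.major <= 7 and version.key() < FIRST_FIXED.key()


def load_record(raw_json: str):
    """Extract the CVE id and the CWE ids it references from an NVD-shaped record."""
    rec = json.loads(raw_json)["cve"]
    cve_id = rec["id"]
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    cwes = [d["value"]
            for weakness in rec.get("weaknesses", [])
            for d in weakness["description"]
            if CWE_ID_RE.match(d["value"])]
    return cve_id, cwes


def tag_banner(banner: str, raw_json: str = NVD_RECORD_JSON) -> dict:
    """Produce a scanner-style finding: the CVE for this version plus its CWE."""
    version = parse_banner(banner)
    if version is None:
        return {"banner": banner, "parsed": False, "findings": []}
    cve_id, cwes = load_record(raw_json)
    findings = [{"cve": cve_id, "cwe": cwes}] if is_affected(version) else []
    return {"banner": banner, "parsed": True,
            "version": f"{version.major}.{version.minor}p{version.patch}",
            "findings": findings}


if __name__ == "__main__":
    # Constructed banners, including one non-OpenSSH server and one with a distro suffix.
    for b in ("SSH-2.0-OpenSSH_7.1p1", "SSH-2.0-OpenSSH_7.1p2",
              "SSH-2.0-OpenSSH_6.9p1 Debian-2", "SSH-2.0-dropbear_2019.78"):
        print(json.dumps(tag_banner(b)))
```

Two caveats a practitioner would attach to this output. First, the CVE concerns the OpenSSH client talking to a malicious server, so matching an sshd banner only tells you which OpenSSH version is installed on that host; it is the client binary from that build that would need the fix. Second, banner matching is inference, not confirmation: distributions often backport the fix without bumping the version string, which is exactly why scanners pair the CVE tag with their own proprietary checks, as the answer notes.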

5 REPLIES

Khanna Ji
Tera Guru

Thanks all, that helps 🙂