CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class 337

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Scope: Availability, Other. Impact: DoS: Resource Consumption (Other), Varies by Context
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality. Impact: Read Application Data
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Requirements: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Implementation: It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Implementation: Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Implementation: When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the close() function is …

    // Needs java.io.BufferedReader, java.io.FileReader, java.io.IOException
    private void processFile(String fName) throws IOException {
        // The reader and its file handle are opened here and never closed
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
    }

Bad · Java

    // Needs java.io.BufferedReader, java.io.FileReader, java.io.IOException
    private void processFile(String fName) throws IOException {
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
        // Release the file handle once every line has been processed
        fil.close();
    }

Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur.

    try {
        // The connection is opened but never closed, on success or on failure
        Connection con = DriverManager.getConnection(some_connection_string);
    } catch (Exception e) {
        log(e);
    }

Bad · Java
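
Added example (not part of the MITRE entry or this page's original code): the "free at all exit points, including error conditions" mitigation, shown as a leaky method beside a try-with-resources version. Handle, POOL_SIZE and the failing use() call are constructed stand-ins for a file handle or database connection so the comparison runs offline.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Consumer;

public class ReleaseOnAllPaths {
    // Constructed stand-in for a bounded pool of handles or connections.
    static final int POOL_SIZE = 3;
    static final AtomicInteger inUse = new AtomicInteger();

    static final class Handle implements AutoCloseable {
        Handle() {
            if (inUse.incrementAndGet() > POOL_SIZE) {
                inUse.decrementAndGet();
                throw new IllegalStateException("pool exhausted");
            }
        }
        void use(boolean fail) {
            if (fail) throw new RuntimeException("processing error");
        }
        @Override public void close() { inUse.decrementAndGet(); }
    }

    // Weak pattern: close() is skipped whenever use() throws.
    static void leaky(boolean fail) {
        Handle h = new Handle();
        h.use(fail);
        h.close();
    }

    // Hardened pattern: try-with-resources closes on normal and exceptional exit.
    static void safe(boolean fail) {
        try (Handle h = new Handle()) {
            h.use(fail);
        }
    }

    // Drives the error path repeatedly and counts calls refused by the pool.
    static int run(Consumer<Boolean> op, int calls) {
        inUse.set(0);
        int exhausted = 0;
        for (int i = 0; i < calls; i++) {
            try { op.accept(true); }
            catch (IllegalStateException e) { exhausted++; }
            catch (RuntimeException e) { /* caller logs the error and continues */ }
        }
        return exhausted;
    }

    public static void main(String[] args) {
        System.out.println("leaky: refused calls = " + run(ReleaseOnAllPaths::leaky, 10));
        System.out.println("safe:  refused calls = " + run(ReleaseOnAllPaths::safe, 10));
    }
}
```

The leaky variant strands one handle per failed call until the pool refuses further allocations; the try-with-resources variant returns every handle, so no call is refused.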
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-8270 | Open5GS SMF ogs_nas_parse_qos_rules denial of service — Open5GS | 4.3 | Medium | 2026-05-11 |
| CVE-2026-8269 | Open5GS SMF smf_nsmf_handle_create_sm_context denial of service — Open5GS | 4.3 | Medium | 2026-05-11 |
| CVE-2026-8268 | Open5GS SMF OpenAPI_list_create denial of service — Open5GS | 4.3 | Medium | 2026-05-11 |
| CVE-2026-8267 | Open5GS SMF smf_nsmf_handle_created_data_in_vsmf denial of service — Open5GS | 4.3 | Medium | 2026-05-11 |
| CVE-2026-8266 | Open5GS SMF gsm-build.c gsm_build_pdu_session_establishment_accept denial of service — Open5GS | 4.3 | Medium | 2026-05-11 |
| CVE-2026-8251 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service — Open5GS | 4.3 | Medium | 2026-05-10 |
| CVE-2026-8250 | Open5GS SMF n4-build.c smf_n4_build_qos_flow_to_modify_list denial of service — Open5GS | 4.3 | Medium | 2026-05-10 |
| CVE-2026-8249 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service — Open5GS | 4.3 | Medium | 2026-05-10 |
| CVE-2026-8248 | Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service — Open5GS | 4.3 | Medium | 2026-05-10 |
| CVE-2026-8232 | Dotouch XproUPF UPF Process libvlib.so vlib_worker_loop denial of service — XproUPF | 3.5 | Low | 2026-05-10 |
| CVE-2026-7263 | DoS attack via DOMNode::C14N() — PHP | 7.5 AI | High AI | 2026-05-10 |
| CVE-2026-8226 | Open5GS types.c ogs_pcc_rule_install_flow_from_media denial of service — Open5GS | 5.3 | Medium | 2026-05-10 |
| CVE-2026-8225 | Open5GS delete Endpoint sm-sm.c pcf_npcf_smpolicycontrol_handle_delete denial of service — Open5GS | 5.3 | Medium | 2026-05-10 |
| CVE-2026-8224 | Open5GS PCF context.c pcf_sess_set_ipv6prefix denial of service — Open5GS | 5.3 | Medium | 2026-05-10 |
| CVE-2026-8223 | Open5GS sm-policies Endpoint pcf_sess_sbi_discover_and_send denial of service — Open5GS | 5.3 | Medium | 2026-05-10 |
| CVE-2026-8222 | Open5GS sm-policies Endpoint nbsf-handler.c pcf_nbsf_management_handle_register denial of service — Open5GS | 5.3 | Medium | 2026-05-10 |
| CVE-2026-8123 | Open5GS NSSF message.c ogs_sbi_discovery_option_add_snssais denial of service — Open5GS | 4.3 | Medium | 2026-05-08 |
| CVE-2026-8122 | Open5GS NSSF message.c ogs_sbi_discovery_option_add_service_names denial of service — Open5GS | 4.3 | Medium | 2026-05-08 |
| CVE-2026-8121 | Open5GS NSSF conv.c ogs_sbi_parse_plmn_list denial of service — Open5GS | 4.3 | Medium | 2026-05-08 |
| CVE-2026-8120 | Open5GS NSSF nnssf-handler.c denial of service — Open5GS | 4.3 | Medium | 2026-05-08 |
| CVE-2026-8119 | Open5GS NSSF nghttp2-server.c ogs_sbi_stream_find_by_id denial of service — Open5GS | 3.3 | Low | 2026-05-08 |
| CVE-2026-7781 | Open5GS amf-3gpp-access Endpoint nudm-handler.c udm_nudm_uecm_handle_amf_registration_update denial of service — Open5GS | 4.3 | Medium | 2026-05-04 |
| CVE-2026-7780 | Open5GS smf-registrations Endpoint udm-sm.c udm_state_operational denial of service — Open5GS | 4.3 | Medium | 2026-05-04 |
| CVE-2026-7779 | Open5GS authentication-subscription Endpoint nudr-handler.c udm_nudr_dr_handle_subscription_authentication denial of service — Open5GS | 4.3 | Medium | 2026-05-04 |
| CVE-2026-7740 | justdan96 tsMuxer vvc.cpp setFPS denial of service — tsMuxer | 3.3 | Low | 2026-05-04 |
| CVE-2026-7739 | justdan96 tsMuxer hevc.cpp setFPS denial of service — tsMuxer | 3.3 | Low | 2026-05-04 |
| CVE-2026-7734 | osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service — GoBGP | 5.3 | Medium | 2026-05-04 |
| CVE-2026-7708 | Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service — Open5GS | 4.3 | Medium | 2026-05-03 |
| CVE-2026-7707 | Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service — Open5GS | 4.3 | Medium | 2026-05-03 |
| CVE-2026-7706 | Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service — Open5GS | 4.3 | Medium | 2026-05-03 |

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) represent 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.