
CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class (349 CVEs)

349 vulnerabilities are classified as CWE-404 (Improper Resource Shutdown or Release). An AI-generated analysis in Chinese is included for each entry.

CWE-404 is a resource management weakness in which software fails to release, or incorrectly releases, a resource such as memory, a file handle, a socket, or a database connection before that resource is made available for reuse. The usual effect is resource exhaustion: as leaked resources accumulate, the pool of available handles or memory shrinks until the application crashes, denies service, or becomes unstable. An attacker exploits this by repeatedly driving the code down the path that leaks, typically an error path reached with a malformed request, so that each request consumes a resource that is never returned. The mitigation is rigorous lifecycle management: every acquisition must have a matching release on every execution path, including error conditions, exceptions, and timeouts. In practice this means scope-bound cleanup constructs (try-with-resources, RAII and smart pointers, context managers, a single cleanup exit in C), matching allocator/deallocator pairs, and the awareness that garbage collection reclaims memory but gives no timely guarantee for operating-system handles.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)

Scope: Availability, Other
Impact: DoS: Resource Consumption (Other); Varies by Context
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.

Scope: Confidentiality
Impact: Read Application Data
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
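The second consequence, data left behind in a released resource and read by the next owner, shown as an added C example that is neither MITRE's code nor code from any product listed on this page. It models a pool of reusable session slots: the struct, the function names and the token value are hypothetical, constructed for the demonstration. The bad release only flips the in-use flag; the good release scrubs the secret before the slot can be handed out again.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a pool of reusable session objects (hypothetical names).
 * Each slot holds a secret belonging to whichever tenant currently owns it. */
#define SLOTS 2
#define TOKEN_LEN 16

struct session {
    int in_use;
    unsigned char token[TOKEN_LEN];   /* sensitive: a bearer/session token */
};

static struct session pool[SLOTS];

/* Hands out the first free slot without initialising it, so the new owner sees
 * whatever the previous owner left behind. Returns NULL when the pool is full. */
static struct session *session_acquire(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* CWE-404 variant: the slot goes back to the pool, but the secret stays in it. */
void session_release_bad(struct session *s) {
    s->in_use = 0;
}

/* Zero through a volatile pointer so the compiler cannot drop the stores as
 * dead writes (the same idea as explicit_bzero / SecureZeroMemory). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Correct release: scrub the secret before the slot can be reused. */
void session_release_good(struct session *s) {
    secure_zero(s->token, sizeof s->token);
    s->in_use = 0;
}

/* Tenant A stores a token, releases its slot with `release`, then tenant B
 * acquires a slot. Returns 1 if B can read A's token from the reused slot. */
int stale_token_visible(void (*release)(struct session *)) {
    static const char secret[] = "s3cr3t-token-AAA";   /* constructed, 16 bytes */
    memset(pool, 0, sizeof pool);

    struct session *a = session_acquire();
    memcpy(a->token, secret, TOKEN_LEN);
    release(a);

    struct session *b = session_acquire();   /* same slot, new owner */
    return memcmp(b->token, secret, TOKEN_LEN) == 0;
}

int main(void) {
    printf("stale token visible after bad release:  %d\n",
           stale_token_visible(session_release_bad));
    printf("stale token visible after good release: %d\n",
           stale_token_visible(session_release_good));
    return 0;
}
```

The same pattern applies to any pooled object that is recycled rather than destroyed: buffers returned to a slab, connection objects with cached credentials, or request contexts in a server. Scrubbing belongs in the release routine, not in the acquire routine, so that the secret is gone even if the next acquire is skipped or happens in a different component.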
Mitigations (4)

Phase: Requirements
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.

Phase: Implementation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.

Phase: Implementation
Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].

Phase: Implementation
When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
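The mitigation about releasing at every exit point, together with the denial-of-service consequence described above, as an added C example that is neither MITRE's code nor code from any product listed on this page. It models a fixed-size handle pool, a request handler that leaks a handle on its malformed-input error path, the single-exit-point fix, and an attacker who exhausts the pool with malformed requests; the pool size, handler names and request strings are all assumed for the demonstration. The same leak occurs with file descriptors or connections in a garbage-collected language, because the collector reclaims memory but makes no promise about when, or whether, the finalizer that closes a handle will run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a fixed-size handle pool (file descriptors, sockets,
 * DB connections): at most POOL_SIZE handles may be open at once. All names
 * here are hypothetical. */
#define POOL_SIZE 4

static int handles_in_use = 0;

/* Returns a handle id >= 0, or -1 when the pool is exhausted. */
static int acquire_handle(void) {
    if (handles_in_use >= POOL_SIZE)
        return -1;
    return handles_in_use++;
}

static void release_handle(int h) {
    (void)h;
    if (handles_in_use > 0)
        handles_in_use--;
}

int handles_open(void) { return handles_in_use; }

/* A request is well-formed when it starts with "GET ". */
static int request_is_valid(const char *req) {
    return strncmp(req, "GET ", 4) == 0;
}

/* CWE-404: the handle is released on the success path and on one error path,
 * but the malformed-request path returns without releasing it. */
int handle_request_leaky(const char *req) {
    int h = acquire_handle();
    if (h < 0)
        return -1;                  /* pool exhausted: service unavailable */
    char *buf = malloc(256);
    if (buf == NULL) {
        release_handle(h);
        return -1;
    }
    if (!request_is_valid(req)) {
        free(buf);
        return -2;                  /* BUG: h is never released */
    }
    /* ... process the request using buf ... */
    free(buf);
    release_handle(h);
    return 0;
}

/* Fixed: one exit point; everything acquired so far is released on every
 * path, including the error paths. */
int handle_request_fixed(const char *req) {
    int rc = -1;
    char *buf = NULL;
    int h = acquire_handle();
    if (h < 0)
        return -1;                  /* nothing acquired yet, nothing to release */
    buf = malloc(256);
    if (buf == NULL)
        goto cleanup;
    if (!request_is_valid(req)) {
        rc = -2;
        goto cleanup;
    }
    /* ... process the request using buf ... */
    rc = 0;
cleanup:
    free(buf);                      /* free(NULL) is a no-op */
    release_handle(h);
    return rc;
}

/* Attacker model: n malformed requests, then one legitimate request. Returns
 * the legitimate request's result: 0 if served, -1 if the pool was exhausted. */
int simulate_attack(int (*handler)(const char *), int n) {
    handles_in_use = 0;
    for (int i = 0; i < n; i++)
        handler("BAD REQUEST");
    return handler("GET /index.html");
}

int main(void) {
    int r = simulate_attack(handle_request_leaky, POOL_SIZE);
    printf("leaky handler: legitimate request -> %d, open handles %d\n", r, handles_open());
    r = simulate_attack(handle_request_fixed, POOL_SIZE);
    printf("fixed handler: legitimate request -> %d, open handles %d\n", r, handles_open());
    return 0;
}
```

With a C99 compiler, the leaky handler leaves POOL_SIZE handles open after POOL_SIZE malformed requests and the legitimate request is refused, while the fixed handler ends with zero open handles. This is exactly the shape of the "malformed command causes denial of service" entries in the CVE table below: the attacker never needs a crash, only an error path that forgets to give something back.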
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the operating system could use up all of the available file handles before the close() function is …

```java
// Bad: the reader is never closed. The handle stays open until the object
// is finalized, which may be arbitrarily late or never.
// Requires java.io.BufferedReader, java.io.FileReader, java.io.IOException.
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
}
```
Bad · Java

```java
// Good: try-with-resources closes the reader on every exit path, including
// when readLine() or processLine() throws. A bare fil.close() after the loop
// would still leak the handle on the exception path.
// Requires java.io.BufferedReader, java.io.FileReader, java.io.IOException.
private void processFile(String fName) throws IOException {
    try (BufferedReader fil = new BufferedReader(new FileReader(fName))) {
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
    }
}
```
Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur. The connection is never closed: on the success path `con` simply goes out of scope at the end of the try block while still open, so every call consumes a connection from the database's pool until it is exhausted.

```java
// Bad: con is opened but never closed; it goes out of scope still open.
// Requires java.sql.Connection, java.sql.DriverManager.
try {
    Connection con = DriverManager.getConnection(some_connection_string);
    // ... use con ...
} catch (Exception e) {
    log(e);
}
```
Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-0886 | Poikosoft EZ CD Audio Converter Activation denial of service | EZ CD Audio Converter | 3.3 | Low | 2024-01-25
CVE-2024-0885 | SpyCamLizard HTTP GET Request denial of service | SpyCamLizard | 5.3 | Medium | 2024-01-25
CVE-2024-0737 | Xlightftpd Xlight FTP Server Login denial of service | Xlight FTP Server | 5.3 | Medium | 2024-01-19
CVE-2024-0736 | EFS Easy File Sharing FTP Login denial of service | Easy File Sharing FTP | 5.3 | Medium | 2024-01-19
CVE-2024-0732 | PCMan FTP Server STOR Command denial of service | FTP Server | 5.3 | Medium | 2024-01-19
CVE-2024-0731 | PCMan FTP Server PUT Command denial of service | FTP Server | 5.3 | Medium | 2024-01-19
CVE-2024-0725 | ProSSHD denial of service | ProSSHD | 5.3 | Medium | 2024-01-19
CVE-2024-0723 | freeSSHd denial of service | freeSSHd | 5.3 | Medium | 2024-01-19
CVE-2024-0695 | EFS Easy Chat Server HTTP GET Request denial of service | Easy Chat Server | 4.3 | Medium | 2024-01-18
CVE-2024-0693 | EFS Easy File Sharing FTP denial of service | Easy File Sharing FTP | 5.3 | Medium | 2024-01-18
CVE-2021-4433 | Karjasoft Sami HTTP Server HTTP HEAD Request denial of service | Sami HTTP Server | 5.3 | Medium | 2024-01-18
CVE-2021-4432 | PCMan FTP Server USER Command denial of service | FTP Server | 5.3 | Medium | 2024-01-16
CVE-2024-0548 | FreeFloat FTP Server SIZE Command denial of service | FTP Server | 5.3 | Medium | 2024-01-15
CVE-2024-0547 | Ability FTP Server APPE Command denial of service | Ability FTP Server | 5.3 | Medium | 2024-01-15
CVE-2024-0546 | EasyFTP LIST Command denial of service | EasyFTP | 5.3 | Medium | 2024-01-15
CVE-2024-0419 | Jasper httpdx HTTP POST Request denial of service | httpdx | 5.3 | Medium | 2024-01-11
CVE-2024-0418 | iSharer and upRedSun File Sharing Wizard GET Request denial of service | File Sharing Wizard | 5.3 | Medium | 2024-01-11
CVE-2023-7209 | Uniway Router Device Reset device_reset.cgi denial of service | Router | 7.5 | High | 2024-01-07
CVE-2024-0263 | ACME Ultra Mini HTTPd HTTP GET Request denial of service | Ultra Mini HTTPd | 5.3 | Medium | 2024-01-07
CVE-2024-0261 | Sentex FTPDMIN RNFR Command denial of service | FTPDMIN | 5.3 | Medium | 2024-01-07
CVE-2023-4463 | Poly CCX 400/CCX 600/Trio 8800/Trio C60 HTTP Header denial of service | CCX 400 | 5.3 | Medium | 2023-12-29
CVE-2023-20042 | Cisco Firepower Threat Defense cross-site scripting vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 6.8 | Medium | 2023-11-01
CVE-2023-45802 | Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST | Apache HTTP Server | 5.9 | - | 2023-10-23
CVE-2023-5462 | XINJE XD5E-30R-E Modbus denial of service | XD5E-30R-E | 6.5 | Medium | 2023-10-09
CVE-2023-5459 | Delta Electronics DVP32ES2 PLC Password Transmission denial of service | DVP32ES2 PLC | 6.5 | Medium | 2023-10-09
CVE-2023-5255 | Denial of Service for Revocation of Auto Renewed Certificates | Puppet Enterprise | 4.4 | Medium | 2023-10-03
CVE-2023-4882 | Multiple vulnerabilities in Open5GS | Open5GS | 7.5 | High | 2023-10-03
CVE-2023-5324 | eeroOS Ethernet Interface denial of service | eeroOS | 4.3 | Medium | 2023-10-01
CVE-2023-5259 | ForU CMS cms_admin.php denial of service | CMS | 2.7 | Low | 2023-09-29
CVE-2022-3407 | Motorola smartphone security vulnerability | Motorola smartphones | 4.9 | Medium | 2023-09-01

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) account for 349 CVEs; the table above lists 30 of them, most recent first. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.