
CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class 337

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Availability, Other: DoS: Resource Consumption (Other); Varies by Context
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Confidentiality: Read Application Data
When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Requirements: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Implementation: It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Implementation: Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Implementation: When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the close() function is …
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    // the reader, and the file handle under it, is never closed
}
Bad · Java
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    fil.close();
}
Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur.
try {
    Connection con = DriverManager.getConnection(some_connection_string);
} catch (Exception e) {
    log(e);
}
Bad · Java
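The mitigation above (release at every exit point of a function, including error conditions, and dispose of an object's members as well as the object itself) and the leaking examples are shown here in C, as an added example that is not MITRE's or this page's own code. The counting allocator, the record layout and the two parse_record variants are constructed for illustration; the leaky variant is the CWE-404 pattern, the hardened one funnels all failures through a single cleanup exit.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed tracking allocator: counts live allocations so that a
 * resource dropped on an error path becomes observable in a test. */
static long live_allocs = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }
long outstanding_allocations(void) { return live_allocs; }

struct record { char *name; size_t len; };   /* hypothetical parsed object */

/* Leaky variant: each early return after the first allocation abandons
 * whatever was acquired so far (the CWE-404 error-path pattern). */
int parse_record_leaky(const char *in, struct record **out) {
    struct record *r = track_malloc(sizeof *r);
    if (!r) return -1;
    r->len = strlen(in);
    if (r->len == 0 || r->len > 64) return -2;      /* leaks r */
    r->name = track_malloc(r->len + 1);
    if (!r->name) return -1;                        /* leaks r */
    memcpy(r->name, in, r->len + 1);
    if (strchr(r->name, '/')) return -3;            /* leaks r and r->name */
    *out = r;
    return 0;
}

/* Hardened variant: one failure exit that frees exactly what was acquired;
 * members are initialised first so the cleanup is safe on every path. */
int parse_record(const char *in, struct record **out) {
    int rc = -1;
    struct record *r = track_malloc(sizeof *r);
    if (!r) return rc;
    r->name = NULL;
    r->len = strlen(in);
    if (r->len == 0 || r->len > 64) { rc = -2; goto fail; }
    r->name = track_malloc(r->len + 1);
    if (!r->name) goto fail;
    memcpy(r->name, in, r->len + 1);
    if (strchr(r->name, '/')) { rc = -3; goto fail; }
    *out = r;
    return 0;
fail:
    track_free(r->name);   /* NULL-safe: nothing to release if not yet acquired */
    track_free(r);
    return rc;
}

/* Release the member component before the containing object. */
void free_record(struct record *r) { if (r) { track_free(r->name); track_free(r); } }
```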
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2022-3816 | Axiomatic Bento4 mp4decrypt memory leak — Bento4 | 4.3 | Medium | 2022-11-01 |
| CVE-2022-3817 | Axiomatic Bento4 mp4mux memory leak — Bento4 | 4.3 | Medium | 2022-11-01 |
| CVE-2022-3663 | Axiomatic Bento4 MP4fragment Ap4StsdAtom.cpp AP4_StsdAtom null pointer dereference — Bento4 | 5.3 | Medium | 2022-10-26 |
| CVE-2022-3668 | Axiomatic Bento4 mp4edit CreateAtomFromStream memory leak — Bento4 | 5.3 | Medium | 2022-10-26 |
| CVE-2022-3669 | Axiomatic Bento4 mp4edit Create memory leak — Bento4 | 5.3 | Medium | 2022-10-26 |
| CVE-2022-3624 | Linux Kernel IPsec bond_alb.c rlb_arp_xmit memory leak — Kernel | 3.5 | Low | 2022-10-21 |
| CVE-2022-3630 | Linux Kernel IPsec cookie.c memory leak — Kernel | 3.1 | Low | 2022-10-21 |
| CVE-2022-3637 | Linux Kernel BlueZ jlink.c jlink_init denial of service — Kernel | 2.6 | Low | 2022-10-21 |
| CVE-2022-3646 | Linux Kernel BPF segment.c nilfs_attach_log_writer memory leak — Kernel | 3.1 | Low | 2022-10-21 |
| CVE-2022-3647 | Redis Crash Report debug.c sigsegvHandler denial of service — Redis | 3.1 | Low | 2022-10-21 |
| CVE-2022-3619 | Linux Kernel Bluetooth l2cap_core.c l2cap_recv_acldata memory leak — Kernel | 3.5 | Low | 2022-10-20 |
| CVE-2022-3621 | Linux Kernel nilfs2 inode.c nilfs_bmap_lookup_at_level null pointer dereference — Kernel | 4.3 | Medium | 2022-10-20 |
| CVE-2022-3606 | Linux Kernel BPF libbpf.c find_prog_by_sec_insn null pointer dereference — Kernel | 3.5 | Low | 2022-10-19 |
| CVE-2022-3594 | Linux Kernel BPF r8152.c intr_callback logging of excessive data — Kernel | 5.3 | Medium | 2022-10-18 |
| CVE-2022-3533 | Linux Kernel BPF usdt.c parse_usdt_arg memory leak — Kernel | 3.5 | Low | 2022-10-17 |
| CVE-2022-3543 | Linux Kernel BPF af_unix.c unix_release_sock memory leak — Kernel | 3.5 | Low | 2022-10-17 |
| CVE-2022-3544 | Linux Kernel Netfilter sysfs.c damon_sysfs_add_target memory leak — Kernel | 3.5 | Low | 2022-10-17 |
| CVE-2022-3551 | X.org Server xkb.c ProcXkbGetKbdByName memory leak — Server | 3.5 | Low | 2022-10-17 |
| CVE-2022-3553 | X.org Server xquartz X11Controller.m denial of service — Server | 3.5 | Low | 2022-10-17 |
| CVE-2022-3563 | Linux Kernel BlueZ mgmt-tester.c read_50_controller_cap_complete null pointer dereference — Kernel | 3.5 | Low | 2022-10-17 |
| CVE-2022-3524 | Linux Kernel IPv6 ipv6_renew_options memory leak — Kernel | 4.3 | Medium | 2022-10-16 |
| CVE-2022-3526 | Linux Kernel skb macvlan.c macvlan_handle_frame memory leak — Kernel | 5.3 | Medium | 2022-10-16 |
| CVE-2022-3354 | Open5GS UDP Packet ogs-tlv-msg.c denial of service — Open5GS | 3.5 | Low | 2022-09-28 |
| CVE-2022-3299 | Open5GS AMF client.c denial of service — Open5GS | 4.3 | Medium | 2022-09-26 |
| CVE-2022-2776 | SourceCodester Gym Management System delete_user.php denial of service — Gym Management System | 5.4 | Medium | 2022-08-11 |
| CVE-2022-35272 | BIG-IP HTTP MRF vulnerability CVE-2022-35272 — BIG-IP | 7.5 | High | 2022-08-04 |
| CVE-2022-35240 | BIG-IP Message Routing MQTT vulnerability CVE-2022-35240 — BIG-IP | 7.5 | High | 2022-08-04 |
| CVE-2022-31182 | Cache poisoning via maliciously-formed request in Discourse — discourse | 5.3 | Medium | 2022-08-01 |
| CVE-2022-2591 | TEM FLEX-1085 reboot denial of service — FLEX-1085 | 7.5 | High | 2022-07-31 |
| CVE-2022-2191 | Eclipse Jetty security vulnerability — Eclipse Jetty | 7.5 | High | 2022-07-07 |

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) represent 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.