
CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class 337

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Scope: Availability, Other — Impact: DoS: Resource Consumption (Other); Varies by Context
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality — Impact: Read Application Data
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Phase: Requirements — Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Phase: Implementation — It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function, including error conditions.
Phase: Implementation — Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Phase: Implementation — When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the close() function is …
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    // fil is never closed: the file handle stays open until finalize() runs, if it ever does
}
Bad · Java
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    fil.close();  // handle released on the normal exit path
}
Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur; the connection it opens is never closed.
try {
    Connection con = DriverManager.getConnection(some_connection_string);
    // con is never closed, so the pooled connection is not returned for reuse
} catch (Exception e) {
    log(e);
}
Bad · Java
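The two MITRE examples above leak on the error path as well as the happy path. The following is an added example (not MITRE's or the page's code) that reworks both with try-with-resources, so close() runs on every exit path. To run offline it uses a constructed FakeConnection in place of java.sql.Connection and a hypothetical openCounted() helper that counts open handles, which makes the leak observable without a real file or database.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

// Added example: CWE-404 leak vs. try-with-resources fix. Not the page's code.
public class Cwe404Example {

    // Number of resources currently open; incremented on open, decremented on close().
    static int openHandles = 0;

    // Hypothetical helper: a BufferedReader over constructed text that reports
    // open/close to the counter. In real code this would be a FileReader on disk.
    static BufferedReader openCounted(String text) {
        openHandles++;
        return new BufferedReader(new StringReader(text)) {
            @Override public void close() throws IOException {
                openHandles--;
                super.close();
            }
        };
    }

    // Constructed stand-in for java.sql.Connection so the example needs no database.
    static class FakeConnection implements AutoCloseable {
        FakeConnection() { openHandles++; }
        void query(String sql) {
            if (sql.contains("FAIL")) throw new RuntimeException("simulated query failure");
        }
        @Override public void close() { openHandles--; }
    }

    // BAD (the page's "Good" shape): close() sits after the loop, so an exception
    // thrown by processLine() skips it and the handle leaks.
    static List<String> processFileLeaky(BufferedReader fil) throws IOException {
        List<String> out = new ArrayList<>();
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line, out);
        }
        fil.close();
        return out;
    }

    // GOOD: the reader is declared in the try-with-resources header, so close()
    // is called on normal completion and when any exception propagates.
    static List<String> processFileSafe(BufferedReader reader) throws IOException {
        List<String> out = new ArrayList<>();
        try (BufferedReader fil = reader) {
            String line;
            while ((line = fil.readLine()) != null) {
                processLine(line, out);
            }
        }
        return out;
    }

    // Constructed line handler that fails on comment lines to exercise the error path.
    static void processLine(String line, List<String> out) {
        if (line.startsWith("#")) throw new IllegalArgumentException("bad line: " + line);
        out.add(line.trim());
    }

    // GOOD counterpart of the connection example: the connection is closed even
    // when the query throws, and the catch block still logs the failure.
    static void runQuerySafe(String sql) {
        try (FakeConnection con = new FakeConnection()) {
            con.query(sql);
        } catch (Exception e) {
            System.err.println("query failed: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        String good = "alpha\nbeta\n";          // constructed input, no failing line
        String bad = "alpha\n# comment\n";      // constructed input, second line throws

        processFileLeaky(openCounted(good));
        processFileSafe(openCounted(good));
        System.out.println("after happy paths, open handles = " + openHandles);

        try { processFileLeaky(openCounted(bad)); } catch (IllegalArgumentException e) { /* expected */ }
        System.out.println("after leaky error path, open handles = " + openHandles);

        try { processFileSafe(openCounted(bad)); } catch (IllegalArgumentException e) { /* expected */ }
        System.out.println("after safe error path, open handles = " + openHandles);

        runQuerySafe("SELECT 1");
        runQuerySafe("SELECT FAIL");
        System.out.println("after queries, open handles = " + openHandles);
    }
}
```

Compile and run with `javac Cwe404Example.java && java Cwe404Example`. Both versions return the counter to zero on the happy path; on the error path only processFileLeaky leaves the counter one higher, and it never comes back down, which is exactly the handle-exhaustion pattern the CWE text describes. The safe variants, file and connection alike, leave the count unchanged whether or not their body throws.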
CVE ID | Title | CVSS | Severity | Published
CVE-2022-23717 | PingID Windows Login prior to 2.8 denial of service condition — PingID Windows Login | 5.0 | Medium | 2022-06-30
CVE-2017-20024 | Solare Solar-Log denial of service — Solar-Log | 5.3 | Medium | 2022-06-09
CVE-2022-25762 | Response mix-up with WebSocket concurrent send and close — Apache Tomcat | 9.4 | - | 2022-05-13
CVE-2022-1289 | tildearrow Furnace Incomplete Fix CVE-2022-1211 denial of service — Furnace | 4.3 | Medium | 2022-04-10
CVE-2017-20015 | WEKA INTEREST Security Scanner LAN Viewer denial of service — INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20014 | WEKA INTEREST Security Scanner Webspider denial of service — INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20013 | WEKA INTEREST Security Scanner Stresstest Configuration denial of service — INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20012 | WEKA INTEREST Security Scanner Stresstest Scheme denial of service — INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2017-20011 | WEKA INTEREST Security Scanner HTTP denial of service — INTEREST Security Scanner | 2.8 | Low | 2022-03-28
CVE-2010-10001 | Shemes GrabIt NZB Date Parser denial of service — GrabIt | 5.3 | Medium | 2022-03-28
CVE-2015-10002 | Kiddoware Kids Place Home Button Protection denial of service — Kids Place | 5.3 | Medium | 2022-03-28
CVE-2022-23010 | F5 BIG-IQ security vulnerability — BIG-IP | 7.5 | - | 2022-01-25
CVE-2021-21003 | Denial of Service Vulnerability in Phoenix Contact FL SWITCH SMCS series products — FL SWITCH | 5.3 | Medium | 2021-06-25
CVE-2021-27458 | JTEKT TOYOPUC-Plus security vulnerability — JTEKT Corporation TOYOPUC products | 7.5 | - | 2021-04-19
CVE-2013-1055 | Potential DoS through abuse of rate limit in libunity-webapps for Firefox — unity-firefox-extension | 4.3 | Medium | 2021-04-07
CVE-2013-1054 | Possible remote DOS in WebApps — unity-firefox-extension | 4.3 | Medium | 2021-04-07
CVE-2020-27283 | Red Lion Controls Crimson security vulnerability — Crimson 3.1 | 5.3 | - | 2021-01-06
CVE-2020-26070 | Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability — Cisco IOS XR Software | 8.6 | High | 2020-11-12
CVE-2020-3555 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SIP Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 6.8 | Medium | 2020-10-21
CVE-2020-16233 | CodeMeter security vulnerability — CodeMeter | 9.1 | - | 2020-09-16
CVE-2020-16100 | Gallagher Command Centre Server security vulnerability — Command Centre | 7.5 | High | 2020-09-15
CVE-2020-3338 | Cisco NX-OS Software IPv6 Protocol Independent Multicast Denial of Service Vulnerability — Cisco NX-OS Software 5.2(1) | 7.5 | - | 2020-08-27
CVE-2020-5416 | CF clusters with NGINX in front of them may be vulnerable to DoS — Routing | 7.5 | - | 2020-08-21
CVE-2020-14307 | Red Hat Wildfly resource management error vulnerability — wildfly | 6.5 | Medium | 2020-07-24
CVE-2019-5636 | Beckhoff TwinCAT Discovery Service Denial of Service — TwinCAT 2 | 5.3 | Medium | 2019-11-21
CVE-2019-0049 | Junos OS: RPD process crashes when BGP peer restarts — Junos OS | 7.5 | - | 2019-07-11
CVE-2019-0052 | SRX Series: srxpfe process crash while JSF/UTM module parses specific HTTP packets — Junos OS | 7.5 | - | 2019-07-11
CVE-2019-1705 | Cisco Adaptive Security Appliance Software VPN Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 5.9 | - | 2019-05-03
CVE-2019-1706 | Cisco Adaptive Security Appliance Software IPsec Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.6 | - | 2019-05-03
CVE-2019-1708 | Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software MOBIKE Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 8.6 | - | 2019-05-03

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) represent 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.