CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class 337

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Scope: Availability, Other. Impact: DoS: Resource Consumption (Other); Varies by Context.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality. Impact: Read Application Data.
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Requirements: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Implementation: It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Implementation: Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Implementation: When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the operating system could use up all of the available file handles before the close() function is …

    private void processFile(String fName) throws IOException {
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
        // fil is never closed, so the file handle leaks
    }

Bad · Java

    private void processFile(String fName) throws IOException {
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
        fil.close(); // release the file handle once reading is done
    }

Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur.

    try {
        Connection con = DriverManager.getConnection(some_connection_string);
        // con is never closed on any path, so the connection is not released
    } catch (Exception e) {
        log(e);
    }

Bad · Java
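
The second example above has no corrected counterpart on the page. The following added example (not from the original page or from MITRE) uses a constructed three-slot pool, with the hypothetical names PoolLeakDemo, Handle, leaky and safe, to show the same catch-and-log pattern draining the pool when an operation throws, next to a try-with-resources version that releases the handle on every exit path.

```java
import java.util.concurrent.Semaphore;

// Added example: constructed pool, all names are hypothetical.
public class PoolLeakDemo {
    static final int POOL_SIZE = 3;
    static final Semaphore pool = new Semaphore(POOL_SIZE);

    // A pooled handle; close() returns its permit exactly once.
    static final class Handle implements AutoCloseable {
        private boolean closed;

        Handle() {
            if (!pool.tryAcquire()) throw new IllegalStateException("pool exhausted");
        }

        void query(boolean fail) {
            if (fail) throw new RuntimeException("query failed");
        }

        @Override
        public void close() {
            if (!closed) { closed = true; pool.release(); }
        }
    }

    // Weak: close() is skipped whenever query() throws.
    static void leaky(boolean fail) {
        try {
            Handle h = new Handle();
            h.query(fail);
            h.close();
        } catch (RuntimeException e) {
            // logged and swallowed; the handle acquired above is lost
        }
    }

    // Hardened: try-with-resources closes h on normal and exceptional exit.
    static void safe(boolean fail) {
        try (Handle h = new Handle()) {
            h.query(fail);
        } catch (RuntimeException e) {
            // h has already been closed when control reaches this block
        }
    }

    public static void main(String[] args) {
        for (int i = 0; i < 10; i++) safe(true);
        System.out.println("free after safe:  " + pool.availablePermits());
        for (int i = 0; i < 10; i++) leaky(true);
        System.out.println("free after leaky: " + pool.availablePermits());
    }
}
```

With a real JDBC Connection the hardened form is the same try-with-resources statement around DriverManager.getConnection, since Connection implements AutoCloseable.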

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-7601 | Open5GS AMF gmm-handler.c denial of service — Open5GS | 4.3 | Medium | 2026-05-02 |
| CVE-2026-7587 | Open5GS AMF nsmf-handler.c amf_nsmf_pdusession_handle_update_sm_context denial of service — Open5GS | 4.3 | Medium | 2026-05-01 |
| CVE-2026-7586 | Open5GS AMF nudm-handler.c ogs_id_get_value denial of service — Open5GS | 4.3 | Medium | 2026-05-01 |
| CVE-2026-7585 | Open5GS AMF nudm-handler.c amf_nudm_sdm_handle_provisioned denial of service — Open5GS | 4.3 | Medium | 2026-05-01 |
| CVE-2026-7583 | Open5GS BSF context.c bsf_sess_find_by_ipv6prefix denial of service — Open5GS | 4.3 | Medium | 2026-05-01 |
| CVE-2026-7536 | Open5GS BSF pcfBindings bsf_sess_add_by_ip_address denial of service — Open5GS | 5.3 | Medium | 2026-05-01 |
| CVE-2026-7535 | Open5GS transfer-update denial of service — Open5GS | 4.3 | Medium | 2026-05-01 |
| CVE-2026-7518 | Open5GS AMF SBI Endpoint sdmsubscription-notify amf_namf_callback_handle_sdm_data_change_notify denial of service — Open5GS | 4.3 | Medium | 2026-05-01 |
| CVE-2025-43935 | Dell PowerScale OneFS security vulnerability — PowerScale OneFS | 4.4 | Medium | 2026-04-16 |
| CVE-2026-35667 | OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts — OpenClaw | 6.1 | Medium | 2026-04-10 |
| CVE-2026-5661 | Free5GC NGSetupRequest denial of service — Free5GC | 5.3 | Medium | 2026-04-06 |
| CVE-2026-5313 | Nothings stb GIF Decoder stb_image.h stbi__gif_load_next denial of service — stb | 4.3 | Medium | 2026-04-01 |
| CVE-2026-4988 | Open5GS CCA Message smf_s6b denial of service — Open5GS | 3.7 | Low | 2026-03-27 |
| CVE-2026-4531 | Free5GC AMF handler.go HandleRegistrationComplete denial of service — Free5GC | 5.3 | Medium | 2026-03-22 |
| CVE-2026-4240 | Open5GS CCA smf_s6b_sta_cb denial of service — Open5GS | 5.3 | Medium | 2026-03-16 |
| CVE-2025-13901 | Schneider Electric multiple products security vulnerability — Modicon M241/M251 | 5.3 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-3816 | OWASP DefectDojo SonarQubeParser/MSDefenderParser parser.py input_zip.read denial of service — DefectDojo | 4.3 | Medium | 2026-03-09 |
| CVE-2026-29771 | Netmaker: Denial of Service via Server Shutdown Endpoint — netmaker | 6.5 | - | 2026-03-07 |
| CVE-2026-20050 | Cisco Secure Firewall Threat Defense Decryption Policy Denial of Service Vulnerability — Cisco Secure Firewall Threat Defense (FTD) Software | 6.8 | Medium | 2026-03-04 |
| CVE-2026-3465 | Tuya App/SDK JSON Data Point denial of service — App | 3.1 | Low | 2026-03-03 |
| CVE-2026-1876 | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series Ethernet module — MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP | 7.5 (AI) | High (AI) | 2026-03-03 |
| CVE-2026-1875 | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series EtherNet/IP module — MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP | 7.5 (AI) | High (AI) | 2026-03-03 |
| CVE-2026-3269 | psi-probe PSI Probe Session ExpireSessionsController.java handleRequestInternal denial of service — PSI Probe | 4.3 | Medium | 2026-02-26 |
| CVE-2026-3206 | Improper management of context cancelations — KrakenD-CE | 7.5 (AI) | High (AI) | 2026-02-25 |
| CVE-2026-2984 | SourceCodester Student Result Management System drop_user.php denial of service — Student Result Management System | 6.5 | Medium | 2026-02-23 |
| CVE-2026-2957 | qinming99 dst-admin File BackupController.java deleteBackup denial of service — dst-admin | 5.4 | Medium | 2026-02-22 |
| CVE-2026-2525 | Free5GC PFCP UDP Endpoint denial of service — Free5GC | 5.3 | Medium | 2026-02-16 |
| CVE-2026-2524 | Open5GS MME mme_s11_handle_create_session_response denial of service — Open5GS | 5.3 | Medium | 2026-02-16 |
| CVE-2026-2517 | Open5GS SMF types.c ogs_gtp2_parse_tft denial of service — Open5GS | 5.3 | Medium | 2026-02-15 |
| CVE-2026-2108 | jsbroks COCO Annotator Endpoint long_task denial of service — COCO Annotator | 5.3 | Medium | 2026-02-07 |

337 CVEs are classified as CWE-404 (Improper Resource Shutdown or Release). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.