
CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class 337

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Scope: Availability, Other. Impact: DoS: Resource Consumption (Other); Varies by Context.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality. Impact: Read Application Data.
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Phase: Requirements. Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Phase: Implementation. It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function, including error conditions.
Phase: Implementation. Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Phase: Implementation. When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the close() function is …

```java
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    // fil is never closed: the file handle leaks until the finalizer runs, if it ever does
}
```
Bad · Java

```java
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    fil.close();  // releases the handle on the normal exit path
}
```
Good · Java

This code attempts to open a connection to a database and catches any exceptions that may occur.

```java
try {
    // the Connection is opened but never closed, so it is leaked on every call
    Connection con = DriverManager.getConnection(some_connection_string);
} catch (Exception e) {
    log(e);
}
```
Bad · Java
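The "Good" example above still leaks if processLine() throws, because close() sits after the loop rather than on every exit path, which is exactly what the Implementation mitigation ("free the memory at all exit points for that function, including error conditions") warns about. The following example is added here and is not part of the CWE entry or the page: it reproduces the close-at-end pattern next to a try-with-resources version, and uses a hypothetical TrackedReader class with an OPEN_HANDLES counter (both constructed for this example) so the leaked handle is observable without touching the real file table.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.concurrent.atomic.AtomicInteger;

public class ResourceReleaseDemo {

    // Stand-in for the OS file-handle table: counts readers that are still open.
    static final AtomicInteger OPEN_HANDLES = new AtomicInteger();

    // Hypothetical reader that records open/close so a leak can be counted.
    // Constructed for this example; not part of the CWE entry.
    static final class TrackedReader extends BufferedReader {
        TrackedReader(String contents) {
            super(new StringReader(contents));
            OPEN_HANDLES.incrementAndGet();
        }

        @Override
        public void close() throws IOException {
            OPEN_HANDLES.decrementAndGet();
            super.close();
        }
    }

    // Simulated error path: a malformed line aborts processing with an exception.
    static void processLine(String line) {
        if (line.startsWith("BAD")) {
            throw new IllegalArgumentException("malformed line: " + line);
        }
    }

    // Mirrors the "Good" CWE example: close() is reached only on the normal exit path.
    // When processLine throws, control leaves the method before fil.close() runs.
    static void processFileCloseAtEnd(String contents) throws IOException {
        BufferedReader fil = new TrackedReader(contents);
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
        fil.close();
    }

    // Hardened form: try-with-resources calls close() on every exit path,
    // including exceptions thrown inside the loop and early returns.
    static void processFileTryWithResources(String contents) throws IOException {
        try (BufferedReader fil = new TrackedReader(contents)) {
            String line;
            while ((line = fil.readLine()) != null) {
                processLine(line);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the second line triggers the error path.
        String input = "ok 1\nBAD 2\nok 3\n";

        try {
            processFileCloseAtEnd(input);
        } catch (IllegalArgumentException e) {
            // expected: processing aborted on the malformed line
        }
        System.out.println("close-at-end, open handles after exception: " + OPEN_HANDLES.get());

        OPEN_HANDLES.set(0);
        try {
            processFileTryWithResources(input);
        } catch (IllegalArgumentException e) {
            // expected: same abort, but the reader has already been closed
        }
        System.out.println("try-with-resources, open handles after exception: " + OPEN_HANDLES.get());
    }
}
```

Running main() shows the counter stuck at 1 after the close-at-end variant and back at 0 after the try-with-resources variant; the leaked handle in the first case is the unit of the denial-of-service described under Common Consequences, repeated once per malformed input. The same construct fixes the database example: java.sql.Connection implements AutoCloseable, so `try (Connection con = DriverManager.getConnection(...)) { ... }` releases the connection whether the body completes or throws.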
| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-1974 | Free5GC SMF datapath.go ResolveNodeIdToIp denial of service | Free5GC | 5.3 | Medium | 2026-02-06 |
| CVE-2026-1684 | Free5GC SMF PFCP UDP Endpoint pfcp_reports.go HandleReports denial of service | SMF | 5.3 | Medium | 2026-01-30 |
| CVE-2026-1683 | Free5GC SMF PFCP handler.go HandlePfcpSessionReportRequest denial of service | SMF | 5.3 | Medium | 2026-01-30 |
| CVE-2026-1587 | Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service | Open5GS | 5.3 | Medium | 2026-01-29 |
| CVE-2026-1586 | Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service | Open5GS | 5.3 | Medium | 2026-01-29 |
| CVE-2026-1522 | Open5GS SGWC s5c-handler.c sgwc_s5c_handle_modify_bearer_response denial of service | Open5GS | 5.3 | Medium | 2026-01-28 |
| CVE-2026-1521 | Open5GS SGWC s5c-handler.c denial of service | Open5GS | 5.3 | Medium | 2026-01-28 |
| CVE-2026-1173 | birkir prime GraphQL Array Based Query Batch graphql denial of service | prime | 5.3 | Medium | 2026-01-19 |
| CVE-2026-1172 | birkir prime GraphQL Directive graphql denial of service | prime | 5.3 | Medium | 2026-01-19 |
| CVE-2026-1171 | birkir prime GraphQL Field graphql denial of service | prime | 5.3 | Medium | 2026-01-19 |
| CVE-2025-15539 | Open5GS sgwc s11-handler.c sgwc_s11_handle_downlink_data_notification_ack denial of service | Open5GS | 5.3 | Medium | 2026-01-18 |
| CVE-2025-15529 | Open5GS s5c-handler.c sgwc_s5c_handle_create_session_response denial of service | Open5GS | 5.3 | Medium | 2026-01-16 |
| CVE-2025-15528 | Open5GS GTPv2 Bearer Response denial of service | Open5GS | 5.3 | Medium | 2026-01-16 |
| CVE-2025-15419 | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service | Open5GS | 3.3 | Low | 2026-01-02 |
| CVE-2025-15418 | Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service | Open5GS | 3.3 | Low | 2026-01-01 |
| CVE-2025-15417 | Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service | Open5GS | 3.3 | Low | 2026-01-01 |
| CVE-2025-15229 | Tenda CH22 DhcpListClient fromDhcpListClient denial of service | CH22 | 5.3 | Medium | 2025-12-30 |
| CVE-2025-14747 | Ningyuanda TC155 RTSP Service denial of service | TC155 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-14105 | TOZED ZLT M30S/ZLT M30S PRO Web proc_post denial of service | ZLT M30S | 4.3 | Medium | 2025-12-05 |
| CVE-2025-13564 | SourceCodester Pre-School Management System FilehelperController.php removefile denial of service | Pre-School Management System | 5.4 | Medium | 2025-11-23 |
| CVE-2025-13524 | Amazon Web Services Wickr security vulnerability | Wickr | 5.7 | Medium | 2025-11-21 |
| CVE-2025-12917 | TOZED ZLT T10 Reboot proc_post denial of service | ZLT T10 | 4.3 | Medium | 2025-11-09 |
| CVE-2025-36006 | IBM Db2 denial of service | Db2 | 6.5 | Medium | 2025-11-07 |
| CVE-2025-61795 | Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS | Apache Tomcat | 7.5 | - | 2025-10-27 |
| CVE-2025-47148 | BIG-IP APM and SSL Orchestrator vulnerability | BIG-IP | 6.5 | Medium | 2025-10-15 |
| CVE-2025-11642 | Tomofun Furbo 360/Furbo Mini Registration denial of service | Furbo 360 | 4.0 | Medium | 2025-10-12 |
| CVE-2025-11638 | Tomofun Furbo 360/Furbo Mini Bluetooth denial of service | Furbo 360 | 4.3 | Medium | 2025-10-12 |
| CVE-2025-57882 | AutomationDirect CLICK PLUS Improper Resource Shutdown or Release | CLICK PLUS C0-0x CPU firmware | 5.9 | Medium | 2025-09-23 |
| CVE-2025-58473 | AutomationDirect CLICK PLUS Improper Resource Shutdown or Release | CLICK PLUS C0-0x CPU firmware | 5.9 | Medium | 2025-09-23 |
| CVE-2025-10475 | SpyShelter IOCTL SpyShelter.sys denial of service | SpyShelter | 5.5 | Medium | 2025-09-15 |

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) represent 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.