
CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class 337

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Scope: Availability, Other. Impact: DoS: Resource Consumption (Other); Varies by Context.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality. Impact: Read Application Data.
When a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Phase: Requirements. Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Phase: Implementation. It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Phase: Implementation. Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Phase: Implementation. When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the close() function is …

Bad · Java
    private void processFile(String fName) throws IOException {
        // The reader is never closed: one file handle leaks on every call
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
    }

Good · Java
    private void processFile(String fName) throws IOException {
        BufferedReader fil = new BufferedReader(new FileReader(fName));
        String line;
        while ((line = fil.readLine()) != null) {
            processLine(line);
        }
        fil.close(); // released on the normal path only; skipped if readLine() or processLine() throws
    }

This code attempts to open a connection to a database and catches any exceptions that may occur.

Bad · Java
    try {
        // The connection is opened but never closed, so each call leaks one
        Connection con = DriverManager.getConnection(some_connection_string);
    } catch (Exception e) {
        log(e);
    }
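Both leaks above closed on every exit path, as an added example that is not MITRE's or this page's code: Java try-with-resources releases the BufferedReader and the Connection whether the block finishes normally or throws, which the Good example's trailing close() does not guarantee. The names processLine, log and checkDatabase, and the input values in main, are assumptions made for this example.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ResourceRelease {

    // File-handle case: try-with-resources calls fil.close() on every exit,
    // including an exception thrown by readLine() or processLine().
    static int processFile(String fName) throws IOException {
        int lines = 0;
        try (BufferedReader fil = new BufferedReader(new FileReader(fName))) {
            String line;
            while ((line = fil.readLine()) != null) {
                processLine(line);
                lines++;
            }
        } // close() has already run here, on the normal and the error path
        return lines;
    }

    // Connection case: the connection is scoped to the try block and closed
    // automatically; the catch only logs and no longer hides a leaked handle.
    static boolean checkDatabase(String connectionString) {
        try (Connection con = DriverManager.getConnection(connectionString)) {
            return con.isValid(5); // JDBC liveness check, 5 second timeout
        } catch (SQLException e) {
            log(e);
            return false;
        }
    }

    static void processLine(String line) { /* hypothetical per-line work */ }

    static void log(Exception e) {
        System.err.println("database error: " + e.getMessage());
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a file path from the command line and a JDBC URL
        // placeholder (no driver registered, so checkDatabase logs and returns false).
        String path = args.length > 0 ? args[0] : "input.txt";
        System.out.println(processFile(path) + " lines processed");
        System.out.println("db reachable: " + checkDatabase("jdbc:PLACEHOLDER"));
    }
}
```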
CVE ID | Title | CVSS | Severity | Published
CVE-2025-3730 | PyTorch LossCTC.cpp torch.nn.functional.ctc_loss denial of service — PyTorch | 3.3 | Low | 2025-04-16
CVE-2025-3535 | shuanx BurpAPIFinder BurpApiFinder.db denial of service — BurpAPIFinder | 4.3 | Medium | 2025-04-13
CVE-2025-3167 | Tenda AC23 API Interface VerAPIMant denial of service — AC23 | 6.5 | Medium | 2025-04-03
CVE-2025-2958 | TRENDnet TEW-818DRU HTTP Request httpd denial of service — TEW-818DRU | 6.5 | Medium | 2025-03-30
CVE-2025-2953 | PyTorch torch.mkldnn_max_pool2d denial of service — PyTorch | 3.3 | Low | 2025-03-30
CVE-2025-2122 | Thinkware Car Dashcam F800 Pro Connection denial of service — Car Dashcam F800 Pro | 3.1 | Low | 2025-03-09
CVE-2025-1925 | Open5GS AMF nsmf-handler.c amf_nsmf_pdusession_handle_update_sm_context denial of service — Open5GS | 5.3 | Medium | 2025-03-04
CVE-2025-1893 | Open5GS AMF gmm-sm.c gmm_state_authentication denial of service — Open5GS | 4.3 | Medium | 2025-03-04
CVE-2025-1846 | zj1983 zz File ZfileAction.java deleteLocalFile denial of service — zz | 5.4 | Medium | 2025-03-03
CVE-2025-1377 | GNU elfutils eu-strip strip.c gelf_getsymshndx denial of service — elfutils | 3.3 | Low | 2025-02-17
CVE-2025-1376 | GNU elfutils eu-strip elf_strptr.c elf_strptr denial of service — elfutils | 2.5 | Low | 2025-02-17
CVE-2025-1207 | phjounin TFTPD64 DNS denial of service — TFTPD64 | 3.1 | Low | 2025-02-12
CVE-2025-24811 | Siemens SIMATIC S7-1200 security vulnerability — SIMATIC S7-1200 CPU 1211C AC/DC/Rly | 7.5 | High | 2025-02-11
CVE-2025-22846 | BIG-IP SIP Vulnerability — BIG-IP | 7.5 | High | 2025-02-05
CVE-2024-23930 | Pioneer DMH-WT7600NEX Media Service Improper Handling of Exceptional Conditions — DMH-WT7600NEX | 4.3 | Medium | 2025-01-31
CVE-2024-12342 | TP-Link VN020 F3v(T) Incomplete SOAP Request WANIPConnection denial of service — VN020 F3v(T) | 6.5 | Medium | 2024-12-08
CVE-2024-9787 | Contemporary Control System BASrouter BACnet BASRT-B UDP Packet denial of service — BASrouter BACnet BASRT-B | 5.3 | Medium | 2024-10-10
CVE-2024-7887 | LimeSurvey File Upload index.php denial of service — LimeSurvey | 2.7 | Low | 2024-08-17
CVE-2024-38271 | Denial of Service in Quick Share — Nearby | 4.8 (AI) | Medium (AI) | 2024-06-26
CVE-2024-4013 | Failure to update BT Mesh Replay Protection List — Gecko SDK | 5.6 | Medium | 2024-06-06
CVE-2024-5095 | Victor Zsviot Camera MQTT Packet denial of service — Zsviot Camera | 6.5 | Medium | 2024-05-19
CVE-2024-4791 | Contemporary Control System BASrouter BACnet BASRT-B Application Protocol Data Unit denial of service — BASrouter BACnet BASRT-B | 7.5 | High | 2024-05-12
CVE-2024-4292 | Contemporary Controls BASrouter BACnet BASRT-B Device-Communication-Control Service denial of service — BASrouter BACnet BASRT-B | 6.5 | Medium | 2024-04-27
CVE-2024-2760 | Bkav Home v7816, build 2403161130 - Kernel Memory Leak — Bkav Home | 5.5 | Medium | 2024-04-23
CVE-2024-3764 | Tuya SDK MQTT Packet denial of service — SDK | 2.7 | Low | 2024-04-14
CVE-2024-2995 | NUUO Camera deletefile.php denial of service — Camera | 5.4 | Medium | 2024-03-27
CVE-2024-28252 | CoreWCF NetFraming based services can leave connections open when they should be closed — CoreWCF | 7.5 | High | 2024-03-15
CVE-2024-2180 | Zemana AntiLogger v2.74.204.664 - Kernel Memory Leak — AntiLogger | 5.5 | Medium | 2024-03-15
CVE-2024-2363 | AOL AIM Triton Invite denial of service — AIM Triton | 5.3 | Medium | 2024-03-10
CVE-2018-25098 | blockmason credit-protocol UCAC CreditProtocol.sol executeUcacTx denial of service — credit-protocol | 4.3 | Medium | 2024-02-04

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) represent 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.