
CWE-404 (Improper Resource Shutdown or Release) — Vulnerability Class (337)

337 vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release). AI Chinese analysis included.

CWE-404 represents a critical resource management weakness where software fails to properly release or incorrectly frees allocated resources, such as memory, file handles, or network connections, before they are reused. This flaw typically leads to resource exhaustion, causing application crashes, denial of service, or system instability as available resources dwindle. Attackers often exploit this by triggering repeated allocations without corresponding releases, effectively starving the system of necessary assets. To mitigate this risk, developers must implement rigorous lifecycle management, ensuring every allocated resource has a corresponding release mechanism. This involves using structured cleanup routines, leveraging language-specific garbage collection or smart pointers, and accounting for all execution paths, including error conditions and timeouts, to guarantee resources are consistently returned to the pool for safe reuse.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Availability, Other · DoS: Resource Consumption (Other), Varies by Context
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Confidentiality · Read Application Data
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
Mitigations (4)
Requirements: Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Implementation: It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Implementation: Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Implementation: When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the Finalize() method for BufferReader should eventually call Close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that Finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the Close() function is …
private void processFile(string fName) {
    BufferReader fil = new BufferReader(new FileReader(fName));
    String line;
    while ((line = fil.ReadLine()) != null) {
        processLine(line);
    }
    // No call to Close(): the file handle stays open until finalization, if that ever runs.
}
Bad · Java
private void processFile(string fName) {
    BufferReader fil = new BufferReader(new FileReader(fName));
    String line;
    while ((line = fil.ReadLine()) != null) {
        processLine(line);
    }
    // Explicit release once the file has been read.
    fil.Close();
}
Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur.
try {
    Connection con = DriverManager.getConnection(some_connection_string);
    // con goes out of scope at the end of this block without being closed.
} catch ( Exception e ) {
    log( e );
}
Bad · Java
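An added example (not from MITRE or from this page) of the "free at all exit points" mitigation: the Good snippet above calls Close() only when the loop finishes, so an exception thrown by processLine still leaks the handle. It uses the real JDK names (BufferedReader, readLine, close); openTracked, the open counter and the sample input are constructed for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.concurrent.atomic.AtomicInteger;

public class ReleaseOnAllPaths {
    // Handles opened but not yet closed; constructed stand-in for a file-handle or connection pool.
    static final AtomicInteger open = new AtomicInteger();

    // Hypothetical helper: a reader over in-memory text that records open/close.
    static BufferedReader openTracked(String content) {
        open.incrementAndGet();
        return new BufferedReader(new StringReader(content)) {
            private boolean closed;
            @Override public void close() throws IOException {
                if (!closed) { closed = true; open.decrementAndGet(); }
                super.close();
            }
        };
    }

    static void processLine(String line) {
        if (line.isEmpty()) throw new IllegalArgumentException("empty line");
    }

    // Shape of the page's "Good" example: close() runs only if the loop completes.
    static void closeAtEnd(String content) throws IOException {
        BufferedReader fil = openTracked(content);
        String line;
        while ((line = fil.readLine()) != null) processLine(line);
        fil.close();
    }

    // try-with-resources closes on normal return and on every exception path.
    // java.sql.Connection is AutoCloseable too, so the same form fits the getConnection() case.
    static void closeOnAllPaths(String content) throws IOException {
        try (BufferedReader fil = openTracked(content)) {
            String line;
            while ((line = fil.readLine()) != null) processLine(line);
        }
    }
    public static void main(String[] args) throws IOException {
        String input = "a\n\nb\n"; // constructed: the empty second line makes processLine throw
        try { closeAtEnd(input); } catch (IllegalArgumentException e) { /* caller carries on */ }
        System.out.println("closeAtEnd leaked: " + open.getAndSet(0));
        try { closeOnAllPaths(input); } catch (IllegalArgumentException e) { /* caller carries on */ }
        System.out.println("closeOnAllPaths leaked: " + open.getAndSet(0));
    }
}
```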
| CVE ID | Title | CVSS | Severity | Published |
| --- | --- | --- | --- | --- |
| CVE-2022-3684 | SDM600 endpoint vulnerability — SDM600 | 7.5 | High | 2023-03-28 |
| CVE-2023-1645 | IObit Malware Fighter IOCTL IMFCameraProtect.sys 0x8018E008 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1644 | IObit Malware Fighter IOCTL IMFCameraProtect.sys 0x8018E010 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1642 | IObit Malware Fighter IOCTL ObCallbackProcess.sys 0x222040 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1643 | IObit Malware Fighter IOCTL ImfHpRegFilter.sys 0x8001E040 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1641 | IObit Malware Fighter IOCTL ObCallbackProcess.sys 0x222018 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1640 | IObit Malware Fighter IOCTL ObCallbackProcess.sys 0x222010 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1639 | IObit Malware Fighter IOCTL ImfRegistryFilter.sys 0x8001E04C denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1638 | IObit Malware Fighter IOCTL ImfRegistryFilter.sys 0x8001E040 denial of service — Malware Fighter | 5.5 | Medium | 2023-03-26 |
| CVE-2023-1630 | JiangMin Antivirus IOCTL kvcore.sys 0x222000 denial of service — Antivirus | 5.5 | Medium | 2023-03-25 |
| CVE-2023-1627 | Jianming Antivirus IoControlCode kvcore.sys denial of service — Antivirus | 5.5 | Medium | 2023-03-25 |
| CVE-2023-1493 | Max Secure Anti Virus Plus IoControlCode MaxProctetor64.sys 0x220019 denial of service — Anti Virus Plus | 5.5 | Medium | 2023-03-18 |
| CVE-2023-1492 | Max Secure Anti Virus Plus IoControlCode MaxProc64.sys 0x220019 denial of service — Anti Virus Plus | 5.5 | Medium | 2023-03-18 |
| CVE-2023-1488 | Lespeed WiseCleaner Wise System Monitor IoControlCode WiseHDInfo64.dll 0x9C40A0E0 denial of service — WiseCleaner Wise System Monitor | 3.3 | Low | 2023-03-18 |
| CVE-2023-1487 | Lespeed WiseCleaner Wise System Monitor IoControlCode WiseHDInfo64.dll 0x9C40A0E0 denial of service — WiseCleaner Wise System Monitor | 5.5 | Medium | 2023-03-18 |
| CVE-2023-1451 | MP4v2 mp4track.cpp GetSampleFileOffset denial of service — MP4v2 | 3.3 | Low | 2023-03-17 |
| CVE-2023-1450 | MP4v2 mp4trackdump.cpp DumpTrack denial of service — MP4v2 | 3.3 | Low | 2023-03-17 |
| CVE-2023-1446 | Watchdog Anti-Virus IoControlCode wsdk-driver.sys 0x80002008 denial of service — Anti-Virus | 5.5 | Medium | 2023-03-17 |
| CVE-2023-1445 | Filseclab Twister Antivirus IoControlCode fildds.sys 0x80112053 denial of service — Twister Antivirus | 3.3 | Low | 2023-03-17 |
| CVE-2023-1444 | Filseclab Twister Antivirus IoControlCode fildds.sys 0x8011206B denial of service — Twister Antivirus | 7.5 | High | 2023-03-17 |
| CVE-2023-1443 | Filseclab Twister Antivirus IoControlCode fildds.sys 0x80112053 denial of service — Twister Antivirus | 6.5 | Medium | 2023-03-17 |
| CVE-2023-1369 | TG Soft Vir.IT eXplorer IoControlCode VIRAGTLT.sys 0x82730088 denial of service — Vir.IT eXplorer | 5.0 | Medium | 2023-03-13 |
| CVE-2023-1189 | WiseCleaner Wise Folder Hider IoControlCode WiseFs64.sys 0x222410 denial of service — Wise Folder Hider | 3.3 | Low | 2023-03-06 |
| CVE-2023-1188 | FabulaTech Webcam for Remote Desktop IoControlCode ftwebcam.sys 0x222018 denial of service — Webcam for Remote Desktop | 3.3 | Low | 2023-03-06 |
| CVE-2023-1187 | FabulaTech Webcam for Remote Desktop Global Variable ftwebcam.sys denial of service — Webcam for Remote Desktop | 3.3 | Low | 2023-03-06 |
| CVE-2023-1157 | finixbit elf-parser elf_parser.cpp get_segments denial of service — elf-parser | 2.8 | Low | 2023-03-02 |
| CVE-2023-1008 | Twister Antivirus IoControlCode filmfd.sys 0x801120E4 denial of service — Antivirus | 5.5 | Medium | 2023-02-24 |
| CVE-2015-10085 | GoPistolet MTA denial of service — GoPistolet | 3.5 | Low | 2023-02-21 |
| CVE-2022-3353 | IEC 61850 MMS-Server Vulnerability in multiple Hitachi Energy Products — FOX61x TEGO1 | 5.9 | Medium | 2023-02-21 |
| CVE-2023-0936 | TP-Link Archer C50 Web Management Interface denial of service — Archer C50 | 6.5 | Medium | 2023-02-21 |

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) represent 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.