
CWE-404 (Improper Resource Shutdown or Release): Vulnerability Class, 337 CVEs

337 vulnerabilities are classified as CWE-404 (Improper Resource Shutdown or Release). Chinese-language AI analysis included.

CWE-404 is a resource management weakness: the software fails to release, or incorrectly releases, a resource such as memory, a file handle, a socket, a database connection or a lock before that resource is made available for reuse. The usual consequence is exhaustion of the resource pool, which surfaces as crashes, denial of service or instability as free capacity dwindles; an attacker who can hit the leaking code path repeatedly (a request that always errors out before cleanup runs, a malformed input that takes an early return) can drain the pool deliberately. A less obvious consequence is disclosure: a buffer or connection that is recycled without being cleared can hand its previous contents to the next consumer. Mitigation is lifecycle discipline: every acquisition has exactly one matching release, that release runs on every exit path (normal return, exception, error return, timeout), cleanup uses the construct the language provides for it (RAII and smart pointers in C++, try-with-resources or try/finally in Java, `with` in Python, `defer` in Go, a single cleanup label in C), and releasing a composite object also releases each of its members. Garbage collection covers memory only; file descriptors, sockets and connections still need an explicit close, because a finalizer may run late or never.

MITRE CWE Description
The product does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common Consequences (2)
Scope: Availability, Other. Impact: DoS: Resource Consumption (Other); Varies by Context.
Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
Scope: Confidentiality. Impact: Read Application Data.
When a resource containing sensitive information is not correctly shut down, it may expose the sensitive data in a subsequent allocation.
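The disclosure consequence is easier to see on a pooled resource than on the system heap, where the allocator's own bookkeeping overwrites part of a freed block. The C program below is an added example, not part of MITRE's entry or of this page. It builds a small fixed-slot pool (the pool, its functions, the slot size and the sample token are all constructed for the demonstration) in which a released slot goes straight to the next caller. The unscrubbed release leaves the previous caller's bytes in place and the next acquire reads them back; the scrubbed release overwrites the slot before it becomes reusable.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE  32
#define SLOT_COUNT 4

/* A fixed-slot pool, constructed for the demonstration: four slots of 32
 * bytes, handed out lowest-free-first, so a released slot is reused at once. */
static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int pool_in_use[SLOT_COUNT];

static unsigned char *pool_acquire(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            return pool[i];
        }
    }
    return NULL;  /* pool exhausted */
}

static size_t slot_index(const unsigned char *slot) {
    return (size_t)(slot - &pool[0][0]) / SLOT_SIZE;
}

/* Vulnerable release: the slot is marked free but its bytes are left intact,
 * so the next acquirer inherits whatever the previous user stored there. */
static void pool_release_unscrubbed(unsigned char *slot) {
    pool_in_use[slot_index(slot)] = 0;
}

/* Hardened release: overwrite the slot before it becomes reusable. The
 * volatile pointer stops the compiler from treating the stores as dead. */
static void pool_release_scrubbed(unsigned char *slot) {
    volatile unsigned char *p = slot;
    for (size_t i = 0; i < SLOT_SIZE; i++) {
        p[i] = 0;
    }
    pool_in_use[slot_index(slot)] = 0;
}

/* One session stores a secret and releases its slot; a second session then
 * acquires. Returns 1 if the second session can read the first one's secret,
 * 0 if not, -1 if the pool ran dry. The token is a constructed sample value. */
static int secret_survives_release(int scrub) {
    static const char secret[] = "session-token-42";
    unsigned char *first = pool_acquire();
    if (first == NULL) return -1;
    memcpy(first, secret, sizeof secret);
    if (scrub) {
        pool_release_scrubbed(first);
    } else {
        pool_release_unscrubbed(first);
    }

    unsigned char *second = pool_acquire();  /* lowest free slot: the same one */
    if (second == NULL) return -1;
    int leaked = (second == first) && memcmp(second, secret, sizeof secret) == 0;
    pool_release_scrubbed(second);           /* leave the pool clean */
    return leaked;
}

int main(void) {
    printf("unscrubbed release, next acquirer reads old secret: %s\n",
           secret_survives_release(0) ? "yes" : "no");
    printf("scrubbed release,   next acquirer reads old secret: %s\n",
           secret_survives_release(1) ? "yes" : "no");
    return 0;
}
```

The volatile store loop is the portable way to keep a compiler from dropping a memset() of memory that is about to be released as a dead store; where available, explicit_bzero() (glibc, the BSDs) or memset_s() (C11 Annex K) do the same job. The same discipline applies to any recycled object: connection buffers, arena slots, thread-local scratch space.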
Mitigations (4)
Phase: Requirements. Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Phase: Implementation. It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Phase: Implementation. Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Phase: Implementation. When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Examples (2)
The following method never closes the new file handle. Given enough time, the finalize() method for BufferedReader should eventually call close(), but there is no guarantee as to how long this action will take. In fact, there is no guarantee that finalize() will ever be invoked. In a busy environment, the Operating System could use up all of the available file handles before the close() function is …
private void processFile(String fName) throws IOException {
    // Neither the BufferedReader nor the FileReader it wraps is ever closed.
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    // fil goes out of scope still open; the OS file descriptor is reclaimed
    // only if and when the finalizer runs.
}
Bad · Java
private void processFile(String fName) throws IOException {
    BufferedReader fil = new BufferedReader(new FileReader(fName));
    String line;
    while ((line = fil.readLine()) != null) {
        processLine(line);
    }
    fil.close();  // released on the normal path only: an exception from
                  // readLine() or processLine() still skips this call, so
                  // try/finally or try-with-resources is the robust form
}
Good · Java
This code attempts to open a connection to a database and catches any exceptions that may occur.
try {
    Connection con = DriverManager.getConnection(some_connection_string);
    // con is never closed: the connection stays checked out of the pool
    // whether this block completes normally or throws.
} catch (Exception e) {
    log(e);
}
Bad · Java
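Both MITRE examples above lose a handle on a path the author did not account for, and mitigations 2 to 4 say to release at every exit point, with matching functions, and member by member. The C program below is an added example, not MITRE's code or this page's, that recasts processFile() in C: a struct owns two resources (a FILE* and a heap line buffer), the leaky version abandons them on its error paths, and the hardened version funnels every exit through one cleanup label and releases each member before the struct. Acquisitions and releases are counted so a leak is visible as a non-zero balance. The counting wrappers, the struct, the file names and the file contents are all constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

#define LINE_CAP 128

/* Balance counters: a non-zero value after a call means something was
 * acquired and never released. Both wrappers are constructed for the demo. */
static int open_files;   /* tracked fopen() minus tracked fclose() */
static int live_blocks;  /* tracked malloc() minus tracked free()  */

/* Matching pairs (mitigation 3): malloc with free, fopen with fclose. */
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void  track_free(void *p)    { if (p) { live_blocks--; free(p); } }
static FILE *track_fopen(const char *path) { FILE *f = fopen(path, "r"); if (f) open_files++; return f; }
static void  track_fclose(FILE *f)  { if (f) { open_files--; fclose(f); } }
static int   leaked_resources(void)    { return open_files + live_blocks; }
static void  reset_leak_counters(void) { open_files = 0; live_blocks = 0; }

/* A composite object that owns two resources. */
struct reader {
    FILE *fp;     /* file handle */
    char *line;   /* scratch buffer for one line */
};

/* Release every member, then the struct (mitigation 4). NULL members are
 * tolerated so this is safe to call from any stage of a partial setup. */
static void reader_destroy(struct reader *r) {
    if (r == NULL) return;
    track_fclose(r->fp);
    track_free(r->line);
    track_free(r);
}

/* Leaky version, the C counterpart of MITRE's processFile(): every early
 * return abandons whatever was acquired before it. */
static int sum_file_leaky(const char *path, long *sum) {
    struct reader *r = track_malloc(sizeof *r);
    if (r == NULL) return -1;
    r->fp = track_fopen(path);
    if (r->fp == NULL) return -1;                  /* leaks r */
    r->line = track_malloc(LINE_CAP);
    if (r->line == NULL) return -1;                /* leaks r and fp */
    *sum = 0;
    while (fgets(r->line, LINE_CAP, r->fp) != NULL) {
        char *end;
        long v = strtol(r->line, &end, 10);
        if (end == r->line) return -1;             /* bad line: leaks r, fp, line */
        *sum += v;
    }
    reader_destroy(r);                              /* only the happy path gets here */
    return 0;
}

/* Hardened version: members start NULL, every failure jumps to the one
 * cleanup label, and reader_destroy() runs on success and failure alike
 * (mitigation 2: release at all exit points, including error conditions). */
static int sum_file_safe(const char *path, long *sum) {
    int rc = -1;
    struct reader *r = track_malloc(sizeof *r);
    if (r == NULL) return -1;
    r->fp = NULL;
    r->line = NULL;
    r->fp = track_fopen(path);
    if (r->fp == NULL) goto out;
    r->line = track_malloc(LINE_CAP);
    if (r->line == NULL) goto out;
    *sum = 0;
    while (fgets(r->line, LINE_CAP, r->fp) != NULL) {
        char *end;
        long v = strtol(r->line, &end, 10);
        if (end == r->line) goto out;              /* bad line: still cleaned up */
        *sum += v;
    }
    rc = ferror(r->fp) ? -1 : 0;
out:
    reader_destroy(r);                              /* the single release point */
    return rc;
}

/* Writes constructed sample input so the example runs offline. */
static int write_sample(const char *path, const char *contents) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int rc = (fputs(contents, f) < 0) ? -1 : 0;
    return (fclose(f) != 0) ? -1 : rc;
}

int main(void) {
    long sum = 0;
    write_sample("cwe404_ok.txt", "1\n2\n3\n");
    write_sample("cwe404_bad.txt", "1\nnot-a-number\n3\n");
    reset_leak_counters();
    sum_file_leaky("cwe404_bad.txt", &sum);
    printf("leaky version, malformed input: %d resource(s) never released\n", leaked_resources());
    reset_leak_counters();
    sum_file_safe("cwe404_bad.txt", &sum);
    printf("safe version,  malformed input: %d resource(s) never released\n", leaked_resources());
    return 0;
}
```

A malformed line is the attacker-controlled trigger here: feeding the leaky version one bad file per request leaks one descriptor and two heap blocks per request until the process hits its descriptor limit. Building with `-fsanitize=address` makes LeakSanitizer report the abandoned heap blocks at exit, and on Linux `ls /proc/<pid>/fd` shows the descriptors that were never closed.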
CVE ID | Title | Affected product | CVSS | Severity | Published
CVE-2019-25104 | rtcwcoop Team Command ai_cast_script.c AICast_ScriptLoad denial of service | rtcwcoop | 3.5 | Low | 2023-02-20
CVE-2016-15024 | doomsider shadow denial of service | shadow | 2.5 | Low | 2023-02-19
CVE-2023-0909 | cxasm notepad-- Directory Comparison denial of service | notepad-- | 3.3 | Low | 2023-02-18
CVE-2023-0908 | Xoslab Easy File Locker xlkfs.sys MessageNotifyCallback denial of service | Easy File Locker | 5.5 | Medium | 2023-02-18
CVE-2023-0907 | Filseclab Twister Antivirus IoControlCode ffsmon.sys 0x220017 denial of service | Twister Antivirus | 4.4 | Medium | 2023-02-18
CVE-2023-0850 | Netgear WNDR3700v2 Web Interface denial of service | WNDR3700v2 | 2.7 | Low | 2023-02-15
CVE-2023-0848 | Netgear WNDR3700v2 Web Management Interface denial of service | WNDR3700v2 | 5.3 | Medium | 2023-02-15
CVE-2014-125066 | emmflo yuko-bot denial of service | yuko-bot | 4.3 | Medium | 2023-01-08
CVE-2015-10025 | luelista miniConf URL Scanning MessageView.cs denial of service | miniConf | 3.5 | Low | 2023-01-07
CVE-2023-0029 | Multilaser RE708 Telnet Service denial of service | RE708 | 5.3 | Medium | 2023-01-01
CVE-2018-25062 | flar2 ElementalX ipsec xfrm_user.c xfrm_dump_policy_done denial of service | ElementalX | 3.5 | Low | 2023-01-01
CVE-2017-20154 | ghostlander Phoenixcoin main.cpp accept denial of service | Phoenixcoin | 3.5 | Low | 2022-12-30
CVE-2021-4280 | styler_praat_scripts Slash file_segmenter.praat denial of service | styler_praat_scripts | 4.3 | Medium | 2022-12-25
CVE-2022-33324 | Denial-of-Service Vulnerability in Ethernet port of MELSEC iQ-R, iQ-L Series and MELIPC Series | MELSEC iQ-R Series R00CPU | 7.5 | High | 2022-12-23
CVE-2021-4247 | OWASP NodeGoat Query Parameter research.js denial of service | NodeGoat | 4.3 | Medium | 2022-12-18
CVE-2021-4249 | xml-conduit DOCTYPE Entity Expansion Parse.hs infinite loop | xml-conduit | 4.3 | Medium | 2022-12-18
CVE-2021-4250 | cgriego active_attr Regex boolean_typecaster.rb call denial of service | active_attr | 3.5 | Low | 2022-12-18
CVE-2022-4565 | Dromara HuTool cn.hutool.core.util.ZipUtil.java resource consumption | HuTool | 4.3 | Medium | 2022-12-16
CVE-2022-4296 | TP-Link TL-WR740N ARP resource consumption | TL-WR740N | 6.5 | Medium | 2022-12-06
CVE-2022-4246 | Kakao PotPlayer MID File denial of service | PotPlayer | 4.3 | Medium | 2022-12-01
CVE-2022-4066 | davidmoreno onion Log response.c onion_response_flush allocation of resources | onion | 3.5 | Low | 2022-11-19
CVE-2022-3957 | GPAC SVG Parser svg_attributes.c svg_parse_preserveaspectratio memory leak | GPAC | 4.3 | Medium | 2022-11-11
CVE-2022-39368 | Californium Failing DTLS handshakes causes Data Loss due to throttling blocking processing of records | californium | 8.2 | High | 2022-11-09
CVE-2022-3807 | Axiomatic Bento4 Incomplete Fix CVE-2019-13238 resource consumption | Bento4 | 4.3 | Medium | 2022-11-01
CVE-2022-3809 | Axiomatic Bento4 mp4tag Mp4Tag.cpp ParseCommandLine denial of service | Bento4 | 4.3 | Medium | 2022-11-01
CVE-2022-3810 | Axiomatic Bento4 mp42hevc Mp42Hevc.cpp AP4_File denial of service | Bento4 | 4.3 | Medium | 2022-11-01
CVE-2022-3812 | Axiomatic Bento4 mp4encrypt AP4_ContainerAtom memory leak | Bento4 | 4.3 | Medium | 2022-11-01
CVE-2022-3813 | Axiomatic Bento4 mp4edit memory leak | Bento4 | 4.3 | Medium | 2022-11-01
CVE-2022-3814 | Axiomatic Bento4 mp4decrypt memory leak | Bento4 | 4.3 | Medium | 2022-11-01
CVE-2022-3815 | Axiomatic Bento4 mp4decrypt memory leak | Bento4 | 4.3 | Medium | 2022-11-01

Vulnerabilities classified as CWE-404 (Improper Resource Shutdown or Release) account for 337 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.