
CWE-590 (Free of Memory not on the Heap) — Vulnerability Class 15

15 vulnerabilities classified as CWE-590 (Free of Memory not on the Heap). AI Chinese analysis included.

CWE-590 represents a critical memory management weakness where software attempts to deallocate memory using free() on pointers that were not originally allocated via heap functions like malloc(), calloc(), or realloc(). This error typically arises when developers mistakenly free stack-allocated variables, static data, or already-freed memory blocks. Exploitation often leads to immediate application crashes due to heap metadata corruption, but sophisticated attackers may leverage this instability to trigger arbitrary code execution by manipulating the corrupted memory structures. To prevent this vulnerability, developers must rigorously track memory allocation sources, ensuring that every call to free() corresponds strictly to a prior heap allocation. Implementing static analysis tools and adhering to strict memory lifecycle management practices helps identify mismatched allocation and deallocation pairs, thereby preserving heap integrity and preventing potential security breaches.

MITRE CWE Description
The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). When free() is called on an invalid pointer, the program's memory management data structures may become corrupted. This corruption can cause the program to crash or, in some circumstances, an attacker may be able to cause free() to operate on controllable memory locations to modify critical program variables or execute code.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability. Impact: Execute Unauthorized Code or Commands, Modify Memory.
There is the potential for arbitrary code execution with the privileges of the vulnerable program via a "write-what-where" primitive. If pointers to memory which hold user information are freed, a malicious user will be able to write 4 bytes anywhere in memory.
Mitigations (4)
Implementation: Only free pointers that you have called malloc on previously. This is the recommended solution. Keep track of which pointers point at the beginning of valid chunks and free them only once.
Implementation: Before freeing a pointer, the programmer should make sure that the pointer was previously allocated on the heap and that the memory belongs to the programmer. Freeing an unallocated pointer will cause undefined behavior in the program.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, glibc in Linux provides protection against free of invalid pointers.
Architecture and Design: Use a language that provides abstractions for memory allocation and deallocation.
Examples (1)
In this example, an array of record_t structs, bar, is allocated automatically on the stack as a local variable and the programmer attempts to call free() on the array. The consequences will vary based on the implementation of free(), but it will not succeed in deallocating the memory.
Bad · C
void foo() {
    record_t bar[MAX_SIZE];   /* automatic (stack) storage, never returned by malloc() */
    /* do something interesting with bar */
    ...
    free(bar);                /* CWE-590: freeing a stack array corrupts heap metadata */
}

Bad · C
record_t bar[MAX_SIZE];       /* global variable (static storage) */
void foo() {
    /* do something interesting with bar */
    ...
    free(bar);                /* CWE-590: static data passed to free() */
}
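The first mitigation above (track which pointers start valid heap chunks and free each only once) applied to the stack and global cases from the examples, as an added illustration that is not part of the CWE entry; tracked_malloc, tracked_free and MAX_LIVE are hypothetical names for a small registry wrapper:

```c
#include <stdio.h>
#include <stdlib.h>
/* Added example, not code from the CWE entry: a registry of live heap chunks
 * enforcing "free only what malloc returned, and only once". The names
 * tracked_malloc, tracked_free and MAX_LIVE are hypothetical. */
#define MAX_LIVE 64
static void *live_chunks[MAX_LIVE]; /* start addresses of live heap chunks */
static size_t live_count = 0;

/* Allocate on the heap and record the chunk start for later validation. */
void *tracked_malloc(size_t n)
{
    if (live_count == MAX_LIVE)
        return NULL;                /* registry full: refuse, never lose track */
    void *p = malloc(n);
    if (p != NULL)
        live_chunks[live_count++] = p;
    return p;
}

/* Free p only if it is the start of a live tracked chunk. Returns 1 on success,
 * 0 for stack, static, interior or already-freed memory, so the caller can
 * log or abort instead of handing the allocator a pointer that corrupts heap metadata. */
int tracked_free(void *p)
{
    for (size_t i = 0; i < live_count; i++) {
        if (live_chunks[i] == p) {
            live_chunks[i] = live_chunks[--live_count]; /* unregister first */
            free(p);
            return 1;
        }
    }
    return 0;                       /* CWE-590 / CWE-415 attempt refused */
}

static int global_buf[16];          /* static data, as in the second bad example */
/* Exercise the registry with the pointer kinds the examples above misuse. */
int demo(void)
{
    int local_buf[16];              /* stack data, as in the first bad example */
    int *heap_buf = tracked_malloc(sizeof(int) * 16);
    int ok = heap_buf != NULL;
    ok = ok && tracked_free(local_buf) == 0;  /* stack pointer: refused */
    ok = ok && tracked_free(global_buf) == 0; /* static pointer: refused */
    ok = ok && tracked_free(heap_buf) == 1;   /* first free: accepted */
    ok = ok && tracked_free(heap_buf) == 0;   /* double free: refused */
    return ok;
}

int main(void) { printf("registry checks %s\n", demo() ? "passed" : "failed"); return !demo(); }
```

A linear scan is enough for a demonstration; a production allocator hook would use a hash set and also validate chunk headers, which is roughly what glibc's own free() checks do.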
CVE ID | Title | CVSS | Severity | Published
CVE-2026-20810 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability — Windows 10 Version 1809 | 7.8 | High | 2026-01-13
CVE-2025-54899 | Microsoft Excel Remote Code Execution Vulnerability — Microsoft 365 Apps for Enterprise | 7.8 | High | 2025-09-09
CVE-2025-42996 | Multiple vulnerabilities in SAP MDM Server — SAP MDM Server | 5.6 | Medium | 2025-06-10
CVE-2025-42995 | Multiple vulnerabilities in SAP MDM Server — SAP MDM Server | 7.5 | High | 2025-06-10
CVE-2025-42994 | Multiple vulnerabilities in SAP MDM Server — SAP MDM Server | 7.5 | High | 2025-06-10
CVE-2025-5899 | GNU PSPP pspp-convert.c parse_variables_option free of memory not on the heap — PSPP | 5.3 | Medium | 2025-06-09
CVE-2025-32911 | Libsoup: double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" ghashtable value | 9.0 | Critical | 2025-04-15
CVE-2023-22291 | Ichitaro 2022 security vulnerability — Ichitaro | 7.0 | High | 2023-04-05
CVE-2023-25565 | GSS-NTLMSSP vulnerable to incorrect free when decoding target information — gss-ntlmssp | 7.5 | High | 2023-02-14
CVE-2022-31627 | Heap buffer overflow in finfo_buffer — PHP | 7.7 | High | 2022-07-28
CVE-2022-31625 | Freeing unallocated memory in php_pgsql_free_params() — PHP | 8.1 | High | 2022-06-16
CVE-2021-3939 | Free of static data in accountsservice — accountsservice | 7.8 | High | 2021-11-17
CVE-2021-42377 | Busybox security vulnerability — busybox | 8.8 | - | 2021-11-15
CVE-2021-39218 | Out-of-bounds read/write and invalid free with `externref`s and GC safepoints in Wasmtime — wasmtime | 6.3 | Medium | 2021-09-17
CVE-2020-6016 | ValveSoftware GameNetworkingSockets buffer error vulnerability — Game Networking Sockets | 9.8 | - | 2020-11-18

Vulnerabilities classified as CWE-590 (Free of Memory not on the Heap) represent 15 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.