
CWE-672 (Operation on a Resource after Expiration or Release): Vulnerability Class, 28 CVEs

28 vulnerabilities classified as CWE-672 (Operation on a Resource after Expiration or Release). AI-generated Chinese analysis included.

CWE-672 is a resource-lifecycle weakness: software keeps using, accessing, or operating on a resource after that resource has expired, been released, or been revoked. In native code the resource is usually memory, a file descriptor, or a connection, and the failure surfaces as a use-after-free, a double free, or a read through a dangling handle; an attacker who can force the release while a reference is still live can crash the process, corrupt data, or, through heap corruption, reach arbitrary code execution. The resource need not be memory, however. As the CVE list below shows, the same weakness covers session tokens that still work after the account is suspended, invitation or password-reset links that outlive their expiry, MFA recovery codes that are not consumed after use, cached signing keys that are never dropped after the upstream key set removes them, and permissions that keep granting access after revocation. The fix is the same in every case: track the lifecycle of each resource explicitly and invalidate every outstanding reference at the moment of release, so that a later use fails closed rather than resolving to freed memory or to a resource that now belongs to someone else. Smart pointers, garbage collection, and strict single-ownership models handle the memory case; generation counters or revocation checks on every use handle tokens and sessions; and testing for race conditions catches the concurrent case, where one path releases the resource while another is still about to use it.

MITRE CWE Description
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Common Consequences (2)

Scope: Integrity, Confidentiality
Impact: Modify Application Data, Read Application Data
If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.

Scope: Other, Availability
Impact: Other; DoS: Crash, Exit, or Restart
When a resource is released it might not be in an expected state; later attempts to access the resource may lead to resultant errors that may lead to a crash.
Examples (2)

The following code shows a simple example of a use after free error (Bad · C):

    char *ptr = (char *)malloc(SIZE);
    if (err) {
        abrt = 1;
        free(ptr);
    }
    ...
    if (abrt) {
        /* ptr was freed on the error path above but is still dereferenced here */
        logError("operation aborted before commit", ptr);
    }

The following code shows a simple example of a double free error (Bad · C):

    char *ptr = (char *)malloc(SIZE);
    ...
    if (abrt) {
        free(ptr);
    }
    ...
    free(ptr);   /* second free of the same pointer when abrt was set */
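The mitigation described in the introduction (invalidate every reference at release, track ownership) and the two MITRE snippets above are put into working form by the following C program. It is an added example for this page, not code from MITRE or from any product in the CVE list. It shows two things: a release helper that nulls the caller's pointer, so the use-after-free and double-free patterns of the MITRE snippets cannot recur, and a generation-checked handle table for a logical resource such as a session, which is the shape of most entries below (a token or permission that should stop resolving once released, revoked, or expired, even if its slot is later reused by another owner). Every name here (release_buffer, abort_path_demo, acquire, lookup, release, the slot table, and the clock values) is constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Part 1: release through one helper that also nulls the caller's variable, so a
 * second release is a no-op and later code sees NULL, not a dangling address. */
static void release_buffer(char **pp)
{
    if (pp == NULL || *pp == NULL) return;
    free(*pp);
    *pp = NULL;
}

/* Corrected abort path from the MITRE snippet: log while ptr is still owned,
 * then release once. Returns 1 when no dangling pointer survives. */
int abort_path_demo(void)
{
    char *ptr = malloc(64);
    if (ptr == NULL) return 0;
    strcpy(ptr, "pending-commit");
    int abrt = 1;                    /* constructed: force the error branch */
    if (abrt) {
        fprintf(stderr, "operation aborted before commit: %s\n", ptr); /* use, then free */
        release_buffer(&ptr);
    }
    release_buffer(&ptr);            /* MITRE's second free(ptr), now harmless */
    return ptr == NULL;
}

/* Part 2: generation-checked handles for a logical resource such as a session.
 * Releasing a slot bumps its generation, so a handle issued earlier never resolves
 * again, even after the slot is reallocated to another owner. */
#define SLOTS 4
typedef struct { uint32_t index; uint32_t generation; } handle_t;
typedef struct { bool in_use; uint32_t generation; int64_t expires_at; char owner[16]; } slot_t;
static slot_t table[SLOTS];

handle_t acquire(const char *owner, int64_t now, int64_t ttl)
{
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = true;
            table[i].expires_at = now + ttl;      /* absolute time on a constructed clock */
            snprintf(table[i].owner, sizeof table[i].owner, "%s", owner);
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };          /* table full: never resolves */
}

/* Index, liveness and generation must all match; NULL otherwise. */
static slot_t *slot_for(handle_t h)
{
    if (h.index >= SLOTS || !table[h.index].in_use) return NULL;
    if (table[h.index].generation != h.generation) return NULL;  /* released or reused */
    return &table[h.index];
}

const char *lookup(handle_t h, int64_t now)
{
    slot_t *s = slot_for(h);
    return (s && now < s->expires_at) ? s->owner : NULL;   /* expiry checked on every use */
}

bool release(handle_t h)
{
    slot_t *s = slot_for(h);
    if (s == NULL) return false;     /* stale or already released: no double release */
    s->in_use = false;
    s->generation++;                 /* invalidates every outstanding copy */
    memset(s->owner, 0, sizeof s->owner);
    return true;
}

/* Walks the lifecycle and returns how many of the six expected outcomes held. */
int run_lifecycle_scenario(void)
{
    memset(table, 0, sizeof table);
    int passed = 0;
    int64_t now = 1000;              /* constructed clock */
    handle_t alice = acquire("alice", now, 60);
    const char *who = lookup(alice, now);
    if (who && strcmp(who, "alice") == 0) passed++;   /* live handle resolves */
    if (release(alice)) passed++;                      /* first release accepted */
    if (!release(alice)) passed++;                     /* double release rejected */
    if (lookup(alice, now) == NULL) passed++;          /* use after release rejected */
    handle_t bob = acquire("bob", now, 60);            /* reuses alice's slot */
    if (bob.index == alice.index && lookup(alice, now) == NULL) passed++; /* no cross-owner read */
    if (lookup(bob, now + 59) && lookup(bob, now + 60) == NULL) passed++; /* expiry enforced */
    return passed;
}

int main(void)
{
    printf("abort path safe: %d\n", abort_path_demo());
    printf("lifecycle checks passed: %d/6\n", run_lifecycle_scenario());
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it; run_lifecycle_scenario() returns 6 when every stale, released, or expired handle is refused. The generation counter is what makes slot reuse safe: without it, alice's old handle would resolve to bob's data after the slot is recycled, which is exactly the cross-entity disclosure the first Common Consequences entry describes. Checking expiry inside lookup() rather than only at login is the same discipline applied to time: a token that was valid when issued is re-validated on every use.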
CVE ID | Title | Product | CVSS | Severity | Published
------ | ----- | ------- | ---- | -------- | ---------
CVE-2013-10075 | Apache::Session versions through 1.94 for Perl re-creates deleted sessions | Apache::Session | 5.3 (AI) | Medium (AI) | 2026-05-08
CVE-2026-43585 | OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution | OpenClaw | 8.1 | High | 2026-05-06
CVE-2026-1629 | Permalink Preview Information Disclosure After Permission Revocation | Mattermost | 4.3 | Medium | 2026-03-16
CVE-2026-31875 | Parse Server MFA recovery codes not consumed after use | parse-server | 8.1 (AI) | High (AI) | 2026-03-11
CVE-2026-1237 | Juju security vulnerability | juju | 8.8 (AI) | High (AI) | 2026-01-28
CVE-2025-69415 | Plex Media Server security vulnerability | Media Server | 7.1 | High | 2026-01-02
CVE-2025-55669 | BIG-IP HTTP/2 vulnerability | BIG-IP | 7.5 | High | 2025-10-15
CVE-2025-10060 | MongoDB may be susceptible to Invariant Failure in Transactions due to Upsert Operation | MongoDB Server | 6.5 | Medium | 2025-09-05
CVE-2025-53901 | Wasmtime has host panic with `fd_renumber` WASIp1 function | wasmtime | 3.5 | Low | 2025-07-18
CVE-2025-6031 | Insecure device pairing in end of life Amazon Cloud Cam | Cloud Cam | 7.5 | High | 2025-06-12
CVE-2025-2517 | Reference to Expired Domain Vulnerability in OpenText™ ArcSight Enterprise Security Manager | ArcSight Enterprise Security Manager | 9.8 | - | 2025-04-21
CVE-2025-30351 | Suspended Directus user can continue to use session token to access API | directus | 3.5 | Low | 2025-03-26
CVE-2025-21117 | Dell Avamar security vulnerability | Avamar | 6.6 | Medium | 2025-02-05
CVE-2024-47571 | Fortinet FortiManager security vulnerability | FortiManager | 7.9 | High | 2025-01-14
CVE-2025-22149 | JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh | jwkset | 9.1 | - | 2025-01-09
CVE-2024-4693 | Qemu-kvm: virtio-pci: improper release of configure vector leads to guest triggerable crash | - | 5.5 | Medium | 2024-05-10
CVE-2023-48220 | Decidim's devise_invitable gem vulnerable to circumvention of invitation token expiry period | decidim | 5.7 | Medium | 2024-02-20
CVE-2024-23332 | Client configured with permissive trust policies susceptible to rollback attack in Notary Project | specifications | 4.0 | Medium | 2024-01-19
CVE-2021-42778 | OpenSC resource management error vulnerability | opensc | 5.3 | - | 2022-04-18
CVE-2022-22197 | Junos OS and Junos OS Evolved: An rpd core will be observed with proxy BGP route-target filtering enabled and certain route add and delete events happening | Junos OS | 7.5 | High | 2022-04-14
CVE-2021-37204 | Siemens SIMATIC S7-1500 series input validation error vulnerability | SIMATIC Drive Controller family | 7.5 | High | 2022-02-09
CVE-2021-37185 | Siemens SIMATIC S7-1500 series input validation error vulnerability | SIMATIC Drive Controller family | 7.5 | High | 2022-02-09
CVE-2020-15270 | Improper session expiration in Parse Server | parse-server | 4.3 | Medium | 2020-10-22
CVE-2019-17638 | Eclipse Jetty security vulnerability | Eclipse Jetty | 9.4 | - | 2020-07-09
CVE-2020-12043 | Baxter Spectrum WBM security vulnerability | Baxter Sigma Spectrum Infusion Pumps | 9.1 | - | 2020-06-29
CVE-2020-11027 | Password reset links invalidation issue in WordPress | WordPress | 6.1 | Medium | 2020-04-30
CVE-2019-15794 | Reference counting error in overlayfs/shiftfs error path when used in conjunction with aufs | Linux kernel | 7.1 | High | 2020-04-23
CVE-2019-15791 | Reference count underflow in shiftfs | Shiftfs in the Linux kernel | 7.1 | High | 2020-04-23

Scores and severities marked (AI) carried an AI marker on the source listing, indicating a value estimated by the site's AI analysis rather than taken from the published advisory. A severity of "-" means the listing gave none.

Vulnerabilities classified as CWE-672 (Operation on a Resource after Expiration or Release) account for 28 CVEs on this page. The CWE taxonomy describes the weakness in general terms; review the individual CVEs for product-specific impact.