Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-762 (不匹配的内存管理例程) — Vulnerability Class 9

9 vulnerabilities classified as CWE-762 (不匹配的内存管理例程). AI Chinese analysis included.

CWE-762 represents a critical memory management weakness where developers incorrectly pair allocation and deallocation routines, such as freeing stack-allocated memory or using mismatched heap functions like malloc and free. This inconsistency typically leads to severe runtime errors, including heap corruption, double-free vulnerabilities, or application crashes, which attackers can exploit to execute arbitrary code or cause denial of service. To prevent this, developers must strictly adhere to consistent memory management practices, ensuring that every allocation function has a corresponding, compatible deallocation routine. Utilizing static analysis tools and automated memory sanitizers during the development lifecycle helps identify these mismatches early. Furthermore, adopting higher-level languages with automatic garbage collection or employing smart pointers in C++ can significantly reduce the risk of manual memory management errors, thereby enhancing overall software stability and security.

MITRE CWE Description
The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. This weakness can be generally described as mismatching memory management routines, such as: The memory was allocated on the stack (automatically), but it was deallocated using the memory management routine free() (CWE-590), which is intended for explicitly allocated heap memory. The memory was allocated explicitly using one set of memory management functions, and deallocated using a different set. For example, memory might be allocated with malloc() in C++ instead of the new operator, and then deallocated with the delete operator. When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed.
Common Consequences (1)
Integrity, Availability, ConfidentialityModify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands
Mitigations (4)
ImplementationOnly call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().
ImplementationChoose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. For example, glibc in Linux provides protection against free of invalid pointers. When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. To help correctly and consistently manage memory when programming in C++, consider using a smart pointer…
Architecture and DesignUse a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, glibc in Linux provides protection against free of invalid pointers.
Architecture and DesignUse a language that provides abstractions for memory allocation and deallocation.
Examples (2)
This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior.
void foo(){ BarObj *ptr = new BarObj() /* do some work with ptr here */ ... free(ptr); }
Bad · C++
void foo(){ BarObj *ptr = new BarObj() /* do some work with ptr here */ ... delete ptr; }
Good · C++
In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource.
class A { void foo(); }; void A::foo(){ int *ptr; ptr = (int*)malloc(sizeof(int)); delete ptr; }
Bad · C++
CVE IDTitleCVSSSeverityPublished
CVE-2025-48431 Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error. — Apache Thrift 7.5AIHighAI2026-04-28
CVE-2025-11015 OGRECave Ogre OgreSTBICodec.cpp encode mismatched memory management routines — Ogre 5.3 Medium2025-09-26
CVE-2025-48755 Rust 安全漏洞 — sdk 2.9 Low2025-05-24
CVE-2025-47737 Trailer 安全漏洞 — trailer 2.9 Low2025-05-09
CVE-2025-20189 Cisco IOS XE 安全漏洞 — Cisco IOS XE Software 7.4 High2025-05-07
CVE-2024-4853 Mismatched Memory Management Routines in editcap — editcap 3.6 Low2024-05-14
CVE-2024-2955 Mismatched Memory Management Routines in Wireshark — Wireshark 7.8 High2024-03-26
CVE-2023-41056 Redis vulnerable to integer overflow in certain payloads — redis 8.1 High2024-01-10
CVE-2023-3648 Mismatched Memory Management Routines in Wireshark — Wireshark 5.3 Medium2023-07-14

Vulnerabilities classified as CWE-762 (不匹配的内存管理例程) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.