目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CWE-789 未经控制的内存分配 类漏洞列表 98

CWE-789 未经控制的内存分配 类弱点 98 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-789 属于内存分配漏洞,指程序基于不可信的大数值分配内存,却未验证其是否在预期范围内。攻击者通常利用此缺陷提交超大尺寸值,导致系统分配过量内存,进而引发拒绝服务或内存耗尽。开发者应避免此类风险,在分配内存前严格校验输入参数,确保其处于合理且安全的阈值范围内,从而防止资源被恶意滥用。

MITRE CWE 官方描述
CWE:CWE-789 使用过大值进行内存分配(Memory Allocation with Excessive Size Value) 英文:该产品基于不受信任的大尺寸值分配内存,但未确保该尺寸在预期限制范围内,从而导致可以分配任意数量的内存。
常见影响 (1)
AvailabilityDoS: Resource Consumption (Memory)
Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.
缓解措施 (2)
Implementation, Architecture and DesignPerform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
OperationRun your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
代码示例 (2)
Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.
unsigned int size = GetUntrustedInt(); /* ignore integer overflow (CWE-190) for this example */ unsigned int totBytes = size * sizeof(char); char *string = (char *)malloc(totBytes); InitializeString(string);
Bad · C
Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.
unsigned int size = GetUntrustedInt(); HashMap list = new HashMap(size);
Bad · Java
CVE ID标题CVSS风险等级Published
CVE-2026-42241 ParquetSharp 大精度Decimal解析栈溢出漏洞 — ParquetSharp 5.3 Medium2026-05-07
CVE-2026-43868 Apache Thrift Rust实现 CVE-2020-13949 漏洞 — Apache Thrift 9.1AICriticalAI2026-05-05
CVE-2026-42146 CImg库nb_colors字段导致内存分配失控漏洞 — CImg 5.5 Medium2026-05-04
CVE-2026-42440 Apache OpenNLP 内存溢出拒绝服务漏洞 — Apache OpenNLP 7.5AIHighAI2026-05-04
CVE-2018-25295 Ambient ObserverIP Scan Tool 安全漏洞 — ObserverIP Scan Tool 6.2 Medium2026-04-26
CVE-2018-25279 jiNa OCR Image to Text 安全漏洞 — jiNa OCR Image to Text 6.2 Medium2026-04-26
CVE-2018-25274 InfraRecorder 安全漏洞 — InfraRecorder 6.2 Medium2026-04-26
CVE-2026-33524 zserio 安全漏洞 — zserio 7.5 High2026-04-24
CVE-2026-40894 OpenTelemetry .NET 安全漏洞 — opentelemetry-dotnet 5.3 Medium2026-04-23
CVE-2026-40891 OpenTelemetry .NET 安全漏洞 — opentelemetry-dotnet 5.3 Medium2026-04-23
CVE-2026-40182 OpenTelemetry .NET 安全漏洞 — opentelemetry-dotnet 5.3 Medium2026-04-23
CVE-2026-41314 pypdf 安全漏洞 — pypdf 6.5AIMediumAI2026-04-22
CVE-2026-41312 pypdf 安全漏洞 — pypdf 6.5AIMediumAI2026-04-22
CVE-2026-35633 OpenClaw 安全漏洞 — OpenClaw 5.3 Medium2026-04-09
CVE-2026-35186 wasmtime 安全漏洞 — wasmtime 9.1AICriticalAI2026-04-09
CVE-2026-39882 OpenTelemetry-Go 安全漏洞 — opentelemetry-go 5.3 Medium2026-04-08
CVE-2026-24146 NVIDIA Triton Inference Server 安全漏洞 — Triton Inference Server 7.5 High2026-04-07
CVE-2026-39312 SoftEther VPN 安全漏洞 — SoftEtherVPN 7.5 High2026-04-07
CVE-2026-35549 MariaDB Server 安全漏洞 — MariaDB 6.5 Medium2026-04-03
CVE-2026-24158 NVIDIA Triton Inference Server 安全漏洞 — Triton Inference Server 7.5 High2026-03-24
CVE-2026-33174 Rails 安全漏洞 — activestorage 7.5 -2026-03-23
CVE-2026-26931 Elastic Metricbeat 安全漏洞 — Metricbeat 5.7 Medium2026-03-19
CVE-2026-32836 dr_libs 安全漏洞 — dr_libs dr_flac.h 6.2 Medium2026-03-17
CVE-2026-25780 Mattermost 安全漏洞 — Mattermost 4.3 Medium2026-03-16
CVE-2026-26246 Mattermost 安全漏洞 — Mattermost 4.3 Medium2026-03-16
CVE-2026-2456 Mattermost 安全漏洞 — Mattermost 5.3 Medium2026-03-16
CVE-2026-28253 Trane多款产品 安全漏洞 — Tracer SC 7.5AIHighAI2026-03-12
CVE-2026-20048 Cisco Nexus 9000 Series Fabric Switches 安全漏洞 — Cisco NX-OS System Software in ACI Mode 7.7 High2026-02-25
CVE-2026-25899 Fiber 安全漏洞 — fiber 7.5 High2026-02-24
CVE-2025-2668 IBM Db2 安全漏洞 — Db2 for Linux, UNIX and Windows 6.5 Medium2026-01-30

CWE-789(未经控制的内存分配) 是常见的弱点类别,本平台收录该类弱点关联的 98 条 CVE 漏洞。