
CWE-401

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Exploit likelihood: Medium

What it is

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Impact

  • Availability: DoS: Crash, Exit, or Restart; DoS: Instability; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
  • Other: Reduce Performance

Mitigations

  • [Implementation] Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. For example, glibc in Linux provides protection against free of invalid pointers. When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. To help correctly and consistently manage memory when programming in C++, consider using a smart
  • [Architecture and Design] Use an abstraction library to abstract away risky APIs. Not a complete solution.
  • [Architecture and Design, Build and Compilation] Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

Real-world CVE examples

  • CVE-2005-3119 — Memory leak because function does not free() an element of a data structure.
  • CVE-2004-0427 — Memory leak when counter variable is not decremented.
  • CVE-2002-0574 — chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
  • CVE-2005-3181 — Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
  • CVE-2004-0222 — Memory leak via unknown manipulations as part of protocol test suite.
  • CVE-2001-0136 — Memory leak via a series of the same command.
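
The pattern named in the first entry above (a function that does not free() an element of a data structure), shown beside its corrected form as an added C example; it is not code from that CVE or from MITRE. The session struct, the xmalloc/xfree wrappers and the leaked_after harness are hypothetical names constructed here, and the harness reports how many blocks were never released, which is the value a leak regression test would assert on.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed test allocator: records live blocks so leaks can be counted. */
#define MAX_LIVE 4096
static void *live[MAX_LIVE];
static void *xmalloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = malloc(n);
    return NULL;                                /* registry full */
}
static void xfree(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}
/* Count blocks still live, freeing them so the harness itself stays clean. */
static long reclaim_live(void) {
    long n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) { free(live[i]); live[i] = NULL; n++; }
    return n;
}
struct session { int id; char *user; };         /* hypothetical; owns user */
static struct session *session_new(int id, const char *user) {
    struct session *s = xmalloc(sizeof *s);
    if (!s) return NULL;
    s->id = id;
    s->user = xmalloc(strlen(user) + 1);
    if (!s->user) { xfree(s); return NULL; }    /* error path frees s too */
    strcpy(s->user, user);
    return s;
}
/* Weak: releases the container but not the element it owns (CWE-401). */
static void session_free_leaky(struct session *s) { xfree(s); }
/* Fixed: release every owned element, then the container. */
static void session_free(struct session *s) {
    if (s) { xfree(s->user); xfree(s); }
}
/* Run n create/destroy cycles; return how many blocks were never released. */
long leaked_after(int n, int use_fixed) {
    reclaim_live();
    for (int i = 0; i < n; i++) {
        struct session *s = session_new(i, "alice");
        if (!s) break;
        if (use_fixed) session_free(s); else session_free_leaky(s);
    }
    return reclaim_live();
}
int main(void) { return leaked_after(100, 1) == 0 && leaked_after(100, 0) == 100 ? 0 : 1; }
```

The leaky variant loses one block per cycle, so the count grows linearly with the number of requests handled, which is how this weakness turns into the memory-consumption DoS listed under Impact.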


Source: MITRE CWE (cwe.mitre.org).
