CWE-416 – Use After Free

Description

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-825
CWE-672
CWE-672
CWE-672
CWE-120
CWE-123

Consequences

Integrity: Modify Memory

The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.

Availability: DoS: Crash, Exit, or Restart

If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.

Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands

If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.

Potential Mitigations

Phase: Architecture and Design

Description: 

Choose a language that provides automatic memory management.

Phase: Implementation

Description: 

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

CVE References

• CVE-2010-4168
  • Use-after-free triggered by closing a connection while data is still being transmitted.

• CVE-2010-2941
  • Improper allocation for invalid data leads to use-after-free.

• CVE-2010-2547
  • certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free

• CVE-2010-1772
  • Timers are not disabled when a related object is deleted

• CVE-2010-1437
  • Access to a “dead” object that is being cleaned up

• CVE-2010-1208
  • object is deleted even with a non-zero reference count, and later accessed

• CVE-2010-0629
  • use-after-free involving request containing an invalid version number

• CVE-2010-0378
  • unload of an object that is currently being accessed by other functionality

• CVE-2010-0302
  • incorrectly tracking a reference count leads to use-after-free

• CVE-2010-0249
  • use-after-free related to use of uninitialized memory

• CVE-2010-0050
  • HTML document with incorrectly-nested tags

• CVE-2009-3658
  • Use after free in ActiveX object by providing a malformed argument to a method

• CVE-2009-3616
  • use-after-free by disconnecting during data transfer, or a message containing incorrect data types

• CVE-2009-3553
  • disconnect during a large data transfer causes incorrect reference count, leading to use-after-free

• CVE-2009-2416
  • use-after-free found by fuzzing

• CVE-2009-1837
  • Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416)

• CVE-2009-0749
  • realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free

• CVE-2010-3328
  • Use-after-free in web browser, probably resultant from not initializing memory.

• CVE-2008-5038
  • use-after-free when one thread accessed memory that was freed by another thread

• CVE-2008-0077
  • assignment of malformed values to certain properties triggers use after free

• CVE-2006-4434
  • mail server does not properly handle a long header.

• CVE-2010-2753
  • chain: integer overflow leads to use-after-free

• CVE-2006-4997
  • freed pointer dereference