CWE-772 - Missing Release of Resource after Effective Lifetime

Read Time:1 Minute, 45 Second

Description

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently-affected resources include memory, CPU, disk space, power or battery, etc.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-404
CWE-404
CWE-404
CWE-404

Consequences

Availability: DoS: Resource Consumption (Other)

An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource.

Potential Mitigations

Phase: Requirements

Effectiveness:

Description:

Phase: Implementation

Effectiveness:

Description:

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.

Phase: Operation, Architecture and Design

Effectiveness:

Description:

CVE References

CVE-2007-0897
- Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

CVE-2001-0830
- Sockets not properly closed when attacker repeatedly connects and disconnects from server.

CVE-1999-1127
- Does not shut down named pipe connections if malformed data is sent.

CVE-2009-2858
- Chain: memory leak (CWE-404) leads to resource exhaustion.

CVE-2009-2054
- Product allows exhaustion of file descriptors when processing a large number of TCP packets.

CVE-2008-2122
- Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.

CVE-2007-4103
- Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.

CVE-2002-1372
- Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.

InCVE-2007-0897, CWE- 772, Missing Release of Resource after Effective Lifetime

The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)

US and Japan Blame North Korea for $308m Crypto Heist

Spyware Maker NSO Group Found Liable for Hacking WhatsApp

Spyware Maker NSO Group Liable for WhatsApp User Hacks

Major Biometric Data Farming Operation Uncovered

Ransomware Attack Exposes Data of 5.6 Million Ascension Patients

Critical Vulnerabilities Found in WordPress Plugins WPLMS and VibeBP

Criminal Complaint against LockBit Ransomware Writer

Cryptomining Malware Found in Popular Open Source Packages

CWE-772 – Missing Release of Resource after Effective Lifetime

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security