CWE-772 - Missing Release of Resource after Effective Lifetime

Read Time:1 Minute, 45 Second

Description

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently-affected resources include memory, CPU, disk space, power or battery, etc.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-404
CWE-404
CWE-404
CWE-404

Consequences

Availability: DoS: Resource Consumption (Other)

An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource.

Potential Mitigations

Phase: Requirements

Effectiveness:

Description:

Phase: Implementation

Effectiveness:

Description:

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.

Phase: Operation, Architecture and Design

Effectiveness:

Description:

CVE References

CVE-2007-0897
- Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

CVE-2001-0830
- Sockets not properly closed when attacker repeatedly connects and disconnects from server.

CVE-1999-1127
- Does not shut down named pipe connections if malformed data is sent.

CVE-2009-2858
- Chain: memory leak (CWE-404) leads to resource exhaustion.

CVE-2009-2054
- Product allows exhaustion of file descriptors when processing a large number of TCP packets.

CVE-2008-2122
- Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.

CVE-2007-4103
- Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.

CVE-2002-1372
- Return values of file/socket operations not checked, allowing resultant consumption of file descriptors.

InCVE-2007-0897, CWE- 772, Missing Release of Resource after Effective Lifetime

White House to Tackle AI-Generated Sexual Abuse Images

Legacy Ivanti Cloud Service Appliance Being Exploited

Half of UK Firms Lack Basic Cybersecurity Skills

Advanced Phishing Attacks Put X Accounts at Risk

Apple to Drop Spyware Lawsuit Over Security Concerns

Tackling the Unique Cybersecurity Challenges of Online Learning Platforms

Meta Goes Ahead With Controversial AI Training in UK

23andMe Agrees to $30m Data Breach Settlement

UK Hosts International Cyber Skills Conference

CWE-772 – Missing Release of Resource after Effective Lifetime

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security