CWE-401 Details

CWE-401

Missing Release of Memory after Effective Lifetime
Mittel
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Allgemeine Informationen

Einführungsmodi

Implementation

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)
Name: C (Undetermined)
Name: C++ (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
AvailabilityDoS: Crash, Exit, or Restart, DoS: Instability, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Note: Most memory leaks result in general product reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.
OtherReduce Performance

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2005-3119

Memory leak because function does not free() an element of a data structure.

CVE-2004-0427

Memory leak when counter variable is not decremented.

CVE-2002-0574

chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.

CVE-2005-3181

Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.

CVE-2004-0222

Memory leak via unknown manipulations as part of protocol test suite.

CVE-2001-0136

Memory leak via a series of the same command.

Mögliche Gegenmaßnahmen

Phases : Implementation
Phases : Architecture and Design
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Phases : Architecture and Design // Build and Compilation
The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.

Erkennungsmethoden

Fuzzing

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Wirksamkeit : High

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Hinweise

This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.
"memory leak" has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).

Referenzen

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-390

How to Break Software Security
J. Whittaker, H. Thompson.

REF-391

Transitioning to ARC Release Notes
iOS Developer Library.
https://developer.apple.com/library/archive/releasenotes/ObjectiveC/RN-TransitioningToARC/Introduction/Introduction.html

REF-959

Automated Source Code Performance Efficiency Measure (ASCPEM)
Object Management Group (OMG).
https://www.omg.org/spec/ASCPEM/

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Änderungen

Name Organisation Datum Kommentar
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, References, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2009-03-10 +00:00 updated Other_Notes
CWE Content Team MITRE 2009-05-27 +00:00 updated Name
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated White_Box_Definitions
CWE Content Team MITRE 2009-10-29 +00:00 updated Modes_of_Introduction, Other_Notes
CWE Content Team MITRE 2010-02-16 +00:00 updated Relationships
CWE Content Team MITRE 2010-06-21 +00:00 updated Other_Notes, Potential_Mitigations
CWE Content Team MITRE 2010-12-13 +00:00 updated Demonstrative_Examples, Name
CWE Content Team MITRE 2011-03-29 +00:00 updated Alternate_Terms
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Observed_Examples
CWE Content Team MITRE 2014-02-18 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions
CWE Content Team MITRE 2019-01-03 +00:00 updated Common_Consequences, Demonstrative_Examples, Name, References, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities
CWE Content Team MITRE 2019-06-20 +00:00 updated Description, Name
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2023-01-31 +00:00 updated Common_Consequences, Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-04-03 +00:00 updated Description, Diagram, Modes_of_Introduction
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.