CWE-401 Detail

CWE-401

Name

Missing Release of Memory after Effective Lifetime

Likelihood

Medium

Status

Draft

Published

2006-07-19
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

CWE Description

This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.

General Informations

Modes Of Introduction

Implementation :

Memory leaks have two common and sometimes overlapping causes:

Error conditions and other exceptional circumstances
Confusion over which part of the program is responsible for freeing the memory

Applicable Platforms

Language

Name: C (Undetermined)
Name: C++ (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Availability	DoS: Crash, Exit, or Restart, DoS: Instability, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) Note: Most memory leaks result in general product reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.
Other	Reduce Performance

Observed Examples

References	Description
CVE-2005-3119	Memory leak because function does not free() an element of a data structure.
CVE-2004-0427	Memory leak when counter variable is not decremented.
CVE-2002-0574	chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
CVE-2005-3181	Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
CVE-2004-0222	Memory leak via unknown manipulations as part of protocol test suite.
CVE-2001-0136	Memory leak via a series of the same command.

Potential Mitigations

Phases : Implementation

Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.

For example, glibc in Linux provides protection against free of invalid pointers.

When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].

To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

Phases : Architecture and Design
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Phases : Architecture and Design // Build and Compilation
The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.

Detection Methods

Fuzzing

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiveness : High

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.
"memory leak" has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).

References

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-390

How to Break Software Security
J. Whittaker, H. Thompson.

REF-391

Transitioning to ARC Release Notes
iOS Developer Library.
https://developer.apple.com/library/archive/releasenotes/ObjectiveC/RN-TransitioningToARC/Introduction/Introduction.html

REF-959

Automated Source Code Performance Efficiency Measure (ASCPEM)
Object Management Group (OMG).
https://www.omg.org/spec/ASCPEM/

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
	KDM Analytics	2008-08-01 +00:00	added/updated white box definitions
	Veracode	2008-08-15 +00:00	Suggested OWASP Top Ten 2004 mapping
CWE Content Team	MITRE	2008-09-08 +00:00	updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, References, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2009-03-10 +00:00	updated Other_Notes
CWE Content Team	MITRE	2009-05-27 +00:00	updated Name
KDM Analytics		2009-07-17 +00:00	Improved the White_Box_Definition
CWE Content Team	MITRE	2009-07-27 +00:00	updated White_Box_Definitions
CWE Content Team	MITRE	2009-10-29 +00:00	updated Modes_of_Introduction, Other_Notes
CWE Content Team	MITRE	2010-02-16 +00:00	updated Relationships
CWE Content Team	MITRE	2010-06-21 +00:00	updated Other_Notes, Potential_Mitigations
CWE Content Team	MITRE	2010-12-13 +00:00	updated Demonstrative_Examples, Name
CWE Content Team	MITRE	2011-03-29 +00:00	updated Alternate_Terms
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2013-02-21 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2014-02-18 +00:00	updated Potential_Mitigations, References
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2017-11-08 +00:00	updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions
CWE Content Team	MITRE	2019-01-03 +00:00	updated Common_Consequences, Demonstrative_Examples, Name, References, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities
CWE Content Team	MITRE	2019-06-20 +00:00	updated Description, Name
CWE Content Team	MITRE	2020-02-24 +00:00	updated References, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2020-08-20 +00:00	updated Relationships
CWE Content Team	MITRE	2021-03-15 +00:00	updated Relationships
CWE Content Team	MITRE	2022-10-13 +00:00	updated Taxonomy_Mappings
CWE Content Team	MITRE	2023-01-31 +00:00	updated Common_Consequences, Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Detection_Factors, References, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes