{"@ID": "401", "@Name": "Missing Release of Memory after Effective Lifetime", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-401-Diagram.png", "Description": "The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "772", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "404", "@View_ID": "1305", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Resultant"}}, "Applicable_Platforms": {"Language": [{"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, {"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}]}, "Alternate_Terms": {"Alternate_Term": {"Term": "Memory Leak", "Description": "a common term for not releasing memory;\n\t\t\t   however, the same term is also used for \"disclosure of\n\t\t\t   sensitive information from memory,\" so use of this term\n\t\t\t   is discouraged."}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": {"xhtml:p": "Memory leaks have two common and sometimes overlapping causes:", "xhtml:ul": {"xhtml:li": ["Error conditions and other exceptional circumstances often triggered by improper handling of malformed data or unexpectedly interrupted sessions.", "Confusion over which part of the program is responsible for freeing the memory, since in some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release."]}}}}, "Likelihood_Of_Exploit": "Medium", "Common_Consequences": {"Consequence": [{"Scope": "Availability", "Impact": ["DoS: Crash, Exit, or Restart", "DoS: Instability", "DoS: Resource Consumption (CPU)", "DoS: Resource Consumption (Memory)"], "Note": "Most memory leaks result in general product reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition."}, {"Scope": "Other", "Impact": "Reduce Performance"}]}, "Detection_Methods": {"Detection_Method": [{"@Detection_Method_ID": "DM-13", "Method": "Fuzzing", "Description": "Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.", "Effectiveness": "High"}, {"@Detection_Method_ID": "DM-15", "Method": "Automated Dynamic Analysis", "Description": "Use tools that are integrated during\n\t\t\t compilation to insert runtime error-checking mechanisms\n\t\t\t related to memory safety errors, such as AddressSanitizer\n\t\t\t (ASan) for C/C++ [REF-1518] or valgrind [REF-480].", "Effectiveness": "Moderate", "Effectiveness_Notes": "Crafted inputs are necessary to\n\t\t\t reach the code containing the error, such as generated\n\t\t\t by fuzzers.  Also, these tools may reduce performance,\n\t\t\t and they only report the error condition - not the\n\t\t\t original mistake that led to the\n\t\t\t error."}, {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-41", "Phase": "Implementation", "Strategy": "Libraries or Frameworks", "Description": {"xhtml:p": ["Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.", "For example, glibc in Linux provides protection against free of invalid pointers.", "When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].", "To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost."]}}, {"Phase": "Architecture and Design", "Description": "Use an abstraction library to abstract away risky APIs. Not a complete solution."}, {"Phase": ["Architecture and Design", "Build and Compilation"], "Description": "Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.", "Effectiveness": "Moderate", "Effectiveness_Notes": "This is not a complete solution as it is not 100% effective."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes:", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "return NULL;"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": null, "#text": "return NULL;"}}], "#text": "char* buf = (char*) malloc(BLOCK_SIZE);if (!buf) {}if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) {}return buf;"}}, "#text": "char* getBlock(int fd) {}"}}}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2005-3119", "Description": "Memory leak because function does not free() an element of a data structure.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-3119"}, {"Reference": "CVE-2004-0427", "Description": "Memory leak when counter variable is not decremented.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0427"}, {"Reference": "CVE-2002-0574", "Description": "chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0574"}, {"Reference": "CVE-2005-3181", "Description": "Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-3181"}, {"Reference": "CVE-2004-0222", "Description": "Memory leak via unknown manipulations as part of protocol test suite.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0222"}, {"Reference": "CVE-2001-0136", "Description": "Memory leak via a series of the same command.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0136"}]}, "Functional_Areas": {"Functional_Area": "Memory Management"}, "Affected_Resources": {"Affected_Resource": "Memory"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Memory leak"}, {"@Taxonomy_Name": "7 Pernicious Kingdoms", "Entry_Name": "Memory Leak"}, {"@Taxonomy_Name": "CLASP", "Entry_Name": "Failure to deallocate data"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A9", "Entry_Name": "Denial of Service", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MEM31-C", "Entry_Name": "Free dynamically allocated memory when no longer needed", "Mapping_Fit": "Exact"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "MSC04-J", "Entry_Name": "Do not leak memory"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP14", "Entry_Name": "Failure to Release Resource"}, {"@Taxonomy_Name": "OMG ASCPEM", "Entry_ID": "ASCPEM-PRF-14"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-390"}, {"@External_Reference_ID": "REF-391"}, {"@External_Reference_ID": "REF-959", "@Section": "ASCPEM-PRF-14"}, {"@External_Reference_ID": "REF-1518"}, {"@External_Reference_ID": "REF-480"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "This is often a resultant weakness due to improper handling of malformed data or early termination of sessions."}, {"@Type": "Terminology", "#text": "\"memory leak\" has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict)."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Organization": "KDM Analytics", "Modification_Date": "2008-08-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated white box definitions"}, {"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, References, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Name"}, {"Modification_Name": "KDM Analytics", "Modification_Date": "2009-07-17", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "Improved the White_Box_Definition"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated White_Box_Definitions"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Modes_of_Introduction, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Other_Notes, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Demonstrative_Examples, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Alternate_Terms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-02-21", "Modification_Version": "2.4", "Modification_ReleaseDate": "2013-02-21", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-02-18", "Modification_Version": "2.6", "Modification_ReleaseDate": "2014-02-19", "Modification_Comment": "updated Potential_Mitigations, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Common_Consequences, Demonstrative_Examples, Name, References, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Common_Consequences, Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, References, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Description, Diagram, Modes_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-04-30", "Modification_Version": "4.20", "Modification_ReleaseDate": "2026-04-30", "Modification_Comment": "updated Alternate_Terms, Detection_Factors, Potential_Mitigations, References"}], "Previous_Entry_Name": [{"@Date": "2008-04-11", "#text": "Memory Leak"}, {"@Date": "2009-05-27", "#text": "Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')"}, {"@Date": "2010-12-13", "#text": "Failure to Release Memory Before Removing Last Reference ('Memory Leak')"}, {"@Date": "2019-01-03", "#text": "Improper Release of Memory Before Removing Last Reference ('Memory Leak')"}, {"@Date": "2019-06-20", "#text": "Improper Release of Memory Before Removing Last Reference"}]}}
