{"@ID": "415", "@Name": "Double Free", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-415-Diagram.png", "Description": "The product calls free() twice on the same memory address.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "825", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "1341", "@View_ID": "1000"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "672", "@View_ID": "1340", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "666", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "416", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "123", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Resultant"}}, "Applicable_Platforms": {"Language": [{"@Class": "Memory-Unsafe", "@Prevalence": "Often"}, {"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}]}, "Alternate_Terms": {"Alternate_Term": {"Term": "Double-free"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": ["Integrity", "Confidentiality", "Availability"], "Impact": ["Modify Memory", "Execute Unauthorized Code or Commands"], "Note": {"xhtml:p": ["When a program calls free() twice with the same argument, the program's memory management data structures may become corrupted, potentially leading to the reading or modification of unexpected memory addresses. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.", "Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code."]}}}, "Detection_Methods": {"Detection_Method": [{"@Detection_Method_ID": "DM-13", "Method": "Fuzzing", "Description": "Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.", "Effectiveness": "High"}, {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}, {"@Detection_Method_ID": "DM-15", "Method": "Automated Dynamic Analysis", "Description": "Use tools that are integrated during\n\t     compilation to insert runtime error-checking mechanisms\n\t     related to memory safety errors, such as AddressSanitizer\n\t     (ASan) for C/C++ [REF-1518].", "Effectiveness": "Moderate", "Effectiveness_Notes": "Crafted inputs are necessary to\n\t     reach the code containing the error, such as generated\n\t     by fuzzers.  Also, these tools may reduce performance,\n\t     and they only report the error condition - not the\n\t     original mistake that led to the\n\t     error."}]}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Choose a language that provides automatic memory management."}, {"Phase": "Implementation", "Description": "Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once."}, {"Phase": "Implementation", "Description": "Use a static analysis tool to find double free instances."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-149", "Intro_Text": "The following code shows a simple example of a double free vulnerability.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "free(ptr);"}, "#text": "char* ptr = (char*)malloc (SIZE);\n\t\t\t\t   ...\n\t\t\t\t   if (abrt) {\n\t\t\t\t   \n\t\t\t\t   }\n\t\t\t\t   ...\n\t\t\t\t   free(ptr);"}}, "Body_Text": ["Double free vulnerabilities have two common (and sometimes overlapping) causes:", {"xhtml:ul": {"xhtml:li": [{"xhtml:div": "Error conditions and other exceptional circumstances"}, {"xhtml:div": "Confusion over which part of the program is responsible for freeing the memory"}]}}, "Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once."]}, {"Intro_Text": "While contrived, this code should be exploitable on Linux distributions that do not ship with heap-chunk check summing turned on.", "Example_Code": {"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null, null, null, null, null], "#text": "char *buf1R1;char *buf2R1;char *buf1R2;buf1R1 = (char *) malloc(BUFSIZE2);buf2R1 = (char *) malloc(BUFSIZE2);free(buf1R1);free(buf2R1);buf1R2 = (char *) malloc(BUFSIZE1);strncpy(buf1R2, argv[1], BUFSIZE1-1);free(buf2R1);free(buf1R2);"}, "#text": "#include <stdio.h>#include <unistd.h>#define BUFSIZE1 512#define BUFSIZE2 ((BUFSIZE1/2) - 8)\n                     int main(int argc, char **argv) {}"}}}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2006-5051", "Description": "Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).", "Link": "https://www.cve.org/CVERecord?id=CVE-2006-5051"}, {"Reference": "CVE-2004-0642", "Description": "Double free resultant from certain error conditions.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0642"}, {"Reference": "CVE-2004-0772", "Description": "Double free resultant from certain error conditions.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-0772"}, {"Reference": "CVE-2005-1689", "Description": "Double free resultant from certain error conditions.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1689"}, {"Reference": "CVE-2003-0545", "Description": "Double free from invalid ASN.1 encoding.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-0545"}, {"Reference": "CVE-2003-1048", "Description": "Double free from malformed GIF.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-1048"}, {"Reference": "CVE-2005-0891", "Description": "Double free from malformed GIF.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-0891"}, {"Reference": "CVE-2002-0059", "Description": "Double free from malformed compressed data.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0059"}]}, "Functional_Areas": {"Functional_Area": "Memory Management"}, "Affected_Resources": {"Affected_Resource": "Memory"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "DFREE - Double-Free Vulnerability"}, {"@Taxonomy_Name": "7 Pernicious Kingdoms", "Entry_Name": "Double Free"}, {"@Taxonomy_Name": "CLASP", "Entry_Name": "Doubly freeing memory"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MEM00-C", "Entry_Name": "Allocate and free memory in the same module, at the same level of abstraction"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MEM01-C", "Entry_Name": "Store a new value in pointers immediately after free()"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MEM30-C", "Entry_Name": "Do not access freed memory", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "MEM31-C", "Entry_Name": "Free dynamically allocated memory exactly once"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP12", "Entry_Name": "Faulty Memory Release"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-44", "@Section": "\"Sin 8: C++ Catastrophes.\" Page 143"}, {"@External_Reference_ID": "REF-62", "@Section": "Chapter 7, \"Double Frees\", Page 379"}, {"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-1518"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": [{"@Type": "Relationship", "#text": "This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows."}, {"@Type": "Theoretical", "#text": "It could be argued that Double Free would be most appropriately located as a child of \"Use after Free\", but \"Use\" and \"Release\" are considered to be distinct operations within vulnerability theory, therefore this is more accurately \"Release of a Resource after Expiration or Release\", which doesn't exist yet."}]}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Organization": "KDM Analytics", "Modification_Date": "2008-08-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated white box definitions"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, White_Box_Definitions"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Maintenance_Notes, Theoretical_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Common_Consequences, Description, Diagram"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Functional_Areas"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Detection_Factors, References, Weakness_Ordinalities"}]}}
