CWE-772
AllowedMissing Release of Resource after Effective Lifetime
Abstraction: Base · Status: Draft
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
567 vulnerabilities reference this CWE, most recent first.
GHSA-CVX3-4GWF-V4QJ
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.
{
"affected": [],
"aliases": [
"CVE-2017-14930"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-30T01:29:00Z",
"severity": "HIGH"
},
"details": "Memory leak in decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file.",
"id": "GHSA-cvx3-4gwf-v4qj",
"modified": "2022-05-13T01:43:34Z",
"published": "2022-05-13T01:43:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14930"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CW63-CPQX-9VX9
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:48The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.
{
"affected": [],
"aliases": [
"CVE-2017-12190"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-22T18:29:00Z",
"severity": "MODERATE"
},
"details": "The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.",
"id": "GHSA-cw63-cpqx-9vx9",
"modified": "2025-04-20T03:48:54Z",
"published": "2022-05-13T01:42:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12190"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/95d78c28b5a85bacbc29b8dba7c04babb9b0d467"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3582-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3582-1"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K93472064?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K93472064?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1495089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-12190"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1190"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1170"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1854"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0676"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0654"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95d78c28b5a85bacbc29b8dba7c04babb9b0d467"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2017/q4/52"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101911"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F232-5CH9-885F
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2025-04-20 03:50In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function WriteOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted PNG image file.
{
"affected": [],
"aliases": [
"CVE-2017-17884"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-27T17:08:00Z",
"severity": "MODERATE"
},
"details": "In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function WriteOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted PNG image file.",
"id": "GHSA-f232-5ch9-885f",
"modified": "2025-04-20T03:50:34Z",
"published": "2022-05-13T01:44:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17884"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/902"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2GP-JVMQ-H6FM
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In several places in ihevcd_decode.c, a dead loop could occur due to incomplete frames which could lead to memory leaks. This could lead to a remote denial of service of a critical system process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-63522067.
{
"affected": [],
"aliases": [
"CVE-2017-13196"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-12T23:29:00Z",
"severity": "HIGH"
},
"details": "In several places in ihevcd_decode.c, a dead loop could occur due to incomplete frames which could lead to memory leaks. This could lead to a remote denial of service of a critical system process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-63522067.",
"id": "GHSA-f2gp-jvmq-h6fm",
"modified": "2022-05-13T01:43:06Z",
"published": "2022-05-13T01:43:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13196"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-01-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102414"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040106"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2MG-36Q9-GH2V
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2017-8348"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-30T17:59:00Z",
"severity": "MODERATE"
},
"details": "In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.",
"id": "GHSA-f2mg-36q9-gh2v",
"modified": "2022-05-13T01:47:30Z",
"published": "2022-05-13T01:47:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8348"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/445"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3863"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F46H-MH94-F4W2
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-10-25 19:00Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.
{
"affected": [],
"aliases": [
"CVE-2021-22553"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-17T12:15:00Z",
"severity": "HIGH"
},
"details": "Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.",
"id": "GHSA-f46h-mh94-f4w2",
"modified": "2022-10-25T19:00:30Z",
"published": "2022-05-24T17:42:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22553"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/gerrit/issues/detail?id=13858"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F4V5-V733-MGFM
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2017-18027"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-12T20:29:00Z",
"severity": "MODERATE"
},
"details": "In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allow remote attackers to cause a denial of service via a crafted file.",
"id": "GHSA-f4v5-v733-mgfm",
"modified": "2022-05-13T01:44:34Z",
"published": "2022-05-13T01:44:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18027"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/734"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102527"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F58X-5QWH-88R6
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause a queue wedge on a leaf switch, which could result in critical control plane traffic to the device being dropped. This could result in one or more leaf switches being removed from the fabric. This vulnerability is due to mishandling of ingress TCP traffic to a specific port. An attacker could exploit this vulnerability by sending a stream of TCP packets to a specific port on a Switched Virtual Interface (SVI) configured on the device. A successful exploit could allow the attacker to cause a specific packet queue to queue network buffers but never process them, leading to an eventual queue wedge. This could cause control plane traffic to be dropped, resulting in a denial of service (DoS) condition where the leaf switches are unavailable. Note: This vulnerability requires a manual intervention to power-cycle the device to recover.
{
"affected": [],
"aliases": [
"CVE-2021-1523"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, remote attacker to cause a queue wedge on a leaf switch, which could result in critical control plane traffic to the device being dropped. This could result in one or more leaf switches being removed from the fabric. This vulnerability is due to mishandling of ingress TCP traffic to a specific port. An attacker could exploit this vulnerability by sending a stream of TCP packets to a specific port on a Switched Virtual Interface (SVI) configured on the device. A successful exploit could allow the attacker to cause a specific packet queue to queue network buffers but never process them, leading to an eventual queue wedge. This could cause control plane traffic to be dropped, resulting in a denial of service (DoS) condition where the leaf switches are unavailable. Note: This vulnerability requires a manual intervention to power-cycle the device to recover.",
"id": "GHSA-f58x-5qwh-88r6",
"modified": "2022-05-24T19:12:11Z",
"published": "2022-05-24T19:12:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1523"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n9kaci-queue-wedge-cLDDEfKF"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F5CR-MP3H-4JJJ
Vulnerability from github – Published: 2023-08-08 18:30 – Updated: 2024-04-04 06:41Uncontrolled resource consumption in Zoom SDKs before 5.14.7 may allow an unauthenticated user to enable a denial of service via network access.
{
"affected": [],
"aliases": [
"CVE-2023-36533"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T18:15:14Z",
"severity": "HIGH"
},
"details": "Uncontrolled resource consumption in Zoom SDKs before 5.14.7 may allow an unauthenticated user to enable a denial of service via network access.",
"id": "GHSA-f5cr-mp3h-4jjj",
"modified": "2024-04-04T06:41:59Z",
"published": "2023-08-08T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36533"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5GC-665W-JV83
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot's auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.
{
"affected": [],
"aliases": [
"CVE-2017-15132"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-25T20:29:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in dovecot\u0027s auth client used by login processes. The leak has impact in high performance configuration where same login processes are reused and can cause the process to crash due to memory exhaustion.",
"id": "GHSA-f5gc-665w-jv83",
"modified": "2022-05-13T01:37:33Z",
"published": "2022-05-13T01:37:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15132"
},
{
"type": "WEB",
"url": "https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1532768"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3556-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3556-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4130"
},
{
"type": "WEB",
"url": "https://www.dovecot.org/list/dovecot-news/2018-February/000370.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.
Mitigation MIT-47
Strategy: Resource Limitation
- Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.