Common Weakness Enumeration

CWE-772

Allowed

Missing Release of Resource after Effective Lifetime

Abstraction: Base · Status: Draft

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

567 vulnerabilities reference this CWE, most recent first.

GHSA-J5XV-V2P4-5Q4W

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-18T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.",
  "id": "GHSA-j5xv-v2p4-5q4w",
  "modified": "2022-05-13T01:42:48Z",
  "published": "2022-05-13T01:42:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12962"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1482331"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J6R6-35JF-JM62

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-11 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: cx88: Add missing unmap in snd_cx88_hw_params()

In error path, add cx88_alsa_dma_unmap() to release resource acquired by cx88_alsa_dma_map().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:46Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx88: Add missing unmap in snd_cx88_hw_params()\n\nIn error path, add cx88_alsa_dma_unmap() to release\nresource acquired by cx88_alsa_dma_map().",
  "id": "GHSA-j6r6-35jf-jm62",
  "modified": "2026-05-11T18:31:36Z",
  "published": "2026-05-06T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43257"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10ab64f8efc2f479293dce929fde326c285fc96f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ce8c2a8f050a23240553c8bae628ac623f9dbc1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24f3dabeb97bd0bec8c1c926c97e3eb6a8129225"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3baefeeb7b85e1e34eebef399ffa312be7179e30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dbc527d980f7ba8559de38f8c1e4158c71a78915"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc911fccc6e08ef46a66b2a42a764252b001ee3c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3fb15aadfc8643203bbdf97ace0396e4586fa64"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0d7f735eba963742009b0706e19dd0bed91537a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J78W-MVWV-RWCF

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-05-24 16:57
VLAI
Details

In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-30T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn-\u003efb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.",
  "id": "GHSA-j78w-mvwv-rwcf",
  "modified": "2022-05-24T16:57:09Z",
  "published": "2022-05-24T16:57:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16994"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/07f12b26e21ab359261bf75cfcb424fdc7daeb6d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=07f12b26e21ab359261bf75cfcb424fdc7daeb6d"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191031-0005"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-J8VH-QRJX-HPM6

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40
VLAI
Details

In SWFTools, a memory leak was found in wav2swf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-17T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In SWFTools, a memory leak was found in wav2swf.",
  "id": "GHSA-j8vh-qrjx-hpm6",
  "modified": "2022-05-13T01:40:58Z",
  "published": "2022-05-13T01:40:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matthiaskramm/swftools/issues/30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J9GG-MHRV-X578

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-23T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in \u0027usbredir_handle_destroy\u0027. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.",
  "id": "GHSA-j9gg-mhrv-x578",
  "modified": "2022-05-13T01:07:30Z",
  "published": "2022-05-13T01:07:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9907"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2392"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2408"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-9907"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1402265"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-49"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/12/08/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC8C-GG53-WCM7

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

** DISPUTED ** Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-13420"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-07T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program.",
  "id": "GHSA-jc8c-gg53-wcm7",
  "modified": "2022-05-13T01:49:47Z",
  "published": "2022-05-13T01:49:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13420"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gperftools/gperftools/issues/1013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF83-PJR3-8VR2

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:45
VLAI
Details

In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in the function ReadVIPSImage in coders/vips.c, which allows attackers to cause a denial of service (memory consumption in ResizeMagickMemory in MagickCore/memory.c) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-22T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in the function ReadVIPSImage in coders/vips.c, which allows attackers to cause a denial of service (memory consumption in ResizeMagickMemory in MagickCore/memory.c) via a crafted file.",
  "id": "GHSA-jf83-pjr3-8vr2",
  "modified": "2025-04-20T03:45:42Z",
  "published": "2022-05-13T01:43:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14684"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/770"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF9P-2FV9-2JP2

Vulnerability from github – Published: 2025-11-21 18:19 – Updated: 2025-11-27 07:53
VLAI
Summary
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS
Details

Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms.

Windows

The thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached.

macOS / iOS

The thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer.

Impact

Long-running applications (such as servers, daemons, or monitoring tools) that use this crate to periodically check thread counts will eventually crash due to resource exhaustion.

Resources

  • https://github.com/jzeuzs/thread-amount/pull/29
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "thread-amount"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-772"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-21T18:19:40Z",
    "nvd_published_at": "2025-11-21T23:15:45Z",
    "severity": "HIGH"
  },
  "details": "Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms.\n\n### Windows\nThe `thread_amount` function calls `CreateToolhelp32Snapshot` but fails to close the returned `HANDLE` using `CloseHandle`. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached.\n\n### macOS / iOS\nThe `thread_amount` function calls `task_threads` (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using `vm_deallocate`. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer.\n\n### Impact\nLong-running applications (such as servers, daemons, or monitoring tools) that use this crate to periodically check thread counts will eventually crash due to resource exhaustion.\n\n### Resources\n\n- https://github.com/jzeuzs/thread-amount/pull/29",
  "id": "GHSA-jf9p-2fv9-2jp2",
  "modified": "2025-11-27T07:53:32Z",
  "published": "2025-11-21T18:19:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jzeuzs/thread-amount/security/advisories/GHSA-jf9p-2fv9-2jp2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65947"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jzeuzs/thread-amount/pull/29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jzeuzs/thread-amount/commit/28860d4a38286609cb884c13b5b7941edc2390e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jzeuzs/thread-amount"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0125.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS"
}

GHSA-JFRW-3J8Q-2C86

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; V500R002C10; NIP6300 V500R001C50; NIP6600 V500R001C50; NIP6800 V500R001C50; Secospace USG6600 V500R001C50; USG9500 V500R001C50 have a memory leak vulnerability. The software does not release allocated memory properly when processing Protal questionnaire. A remote attacker could send a lot questionnaires to the device, successful exploit could cause the device to reboot since running out of memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; V500R002C10; NIP6300 V500R001C50; NIP6600 V500R001C50; NIP6800 V500R001C50; Secospace USG6600 V500R001C50; USG9500 V500R001C50 have a memory leak vulnerability. The software does not release allocated memory properly when processing Protal questionnaire. A remote attacker could send a lot questionnaires to the device, successful exploit could cause the device to reboot since running out of memory.",
  "id": "GHSA-jfrw-3j8q-2c86",
  "modified": "2022-05-13T01:53:28Z",
  "published": "2022-05-13T01:53:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7994"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180704-01-firewall-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JG5V-CPQP-FCX5

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImage in coders/pattern.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-05T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImage in coders/pattern.c.",
  "id": "GHSA-jg5v-cpqp-fcx5",
  "modified": "2022-05-13T01:52:44Z",
  "published": "2022-05-13T01:52:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/929"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
Implementation

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.

Mitigation MIT-47
Operation Architecture and Design

Strategy: Resource Limitation

  • Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
  • When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
  • Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS

An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.