CWE-772
AllowedMissing Release of Resource after Effective Lifetime
Abstraction: Base · Status: Draft
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
567 vulnerabilities reference this CWE, most recent first.
GHSA-J5XV-V2P4-5Q4W
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2017-12962"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-18T21:29:00Z",
"severity": "HIGH"
},
"details": "There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.",
"id": "GHSA-j5xv-v2p4-5q4w",
"modified": "2022-05-13T01:42:48Z",
"published": "2022-05-13T01:42:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12962"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1482331"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J6R6-35JF-JM62
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-11 18:31In the Linux kernel, the following vulnerability has been resolved:
media: cx88: Add missing unmap in snd_cx88_hw_params()
In error path, add cx88_alsa_dma_unmap() to release resource acquired by cx88_alsa_dma_map().
{
"affected": [],
"aliases": [
"CVE-2026-43257"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:46Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx88: Add missing unmap in snd_cx88_hw_params()\n\nIn error path, add cx88_alsa_dma_unmap() to release\nresource acquired by cx88_alsa_dma_map().",
"id": "GHSA-j6r6-35jf-jm62",
"modified": "2026-05-11T18:31:36Z",
"published": "2026-05-06T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43257"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/10ab64f8efc2f479293dce929fde326c285fc96f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ce8c2a8f050a23240553c8bae628ac623f9dbc1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/24f3dabeb97bd0bec8c1c926c97e3eb6a8129225"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3baefeeb7b85e1e34eebef399ffa312be7179e30"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbc527d980f7ba8559de38f8c1e4158c71a78915"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc911fccc6e08ef46a66b2a42a764252b001ee3c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3fb15aadfc8643203bbdf97ace0396e4586fa64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0d7f735eba963742009b0706e19dd0bed91537a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J78W-MVWV-RWCF
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-05-24 16:57In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.
{
"affected": [],
"aliases": [
"CVE-2019-16994"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-30T13:15:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn-\u003efb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.",
"id": "GHSA-j78w-mvwv-rwcf",
"modified": "2022-05-24T16:57:09Z",
"published": "2022-05-24T16:57:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16994"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/07f12b26e21ab359261bf75cfcb424fdc7daeb6d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=07f12b26e21ab359261bf75cfcb424fdc7daeb6d"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20191031-0005"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J8VH-QRJX-HPM6
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40In SWFTools, a memory leak was found in wav2swf.
{
"affected": [],
"aliases": [
"CVE-2017-1000182"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-17T01:29:00Z",
"severity": "MODERATE"
},
"details": "In SWFTools, a memory leak was found in wav2swf.",
"id": "GHSA-j8vh-qrjx-hpm6",
"modified": "2022-05-13T01:40:58Z",
"published": "2022-05-13T01:40:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000182"
},
{
"type": "WEB",
"url": "https://github.com/matthiaskramm/swftools/issues/30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J9GG-MHRV-X578
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
{
"affected": [],
"aliases": [
"CVE-2016-9907"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-23T22:59:00Z",
"severity": "MODERATE"
},
"details": "Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in \u0027usbredir_handle_destroy\u0027. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.",
"id": "GHSA-j9gg-mhrv-x578",
"modified": "2022-05-13T01:07:30Z",
"published": "2022-05-13T01:07:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9907"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2392"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2408"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-9907"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1402265"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-49"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/08/3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JC8C-GG53-WCM7
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49** DISPUTED ** Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program.
{
"affected": [],
"aliases": [
"CVE-2018-13420"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-07T17:29:00Z",
"severity": "HIGH"
},
"details": "** DISPUTED ** Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program.",
"id": "GHSA-jc8c-gg53-wcm7",
"modified": "2022-05-13T01:49:47Z",
"published": "2022-05-13T01:49:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13420"
},
{
"type": "WEB",
"url": "https://github.com/gperftools/gperftools/issues/1013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JF83-PJR3-8VR2
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2025-04-20 03:45In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in the function ReadVIPSImage in coders/vips.c, which allows attackers to cause a denial of service (memory consumption in ResizeMagickMemory in MagickCore/memory.c) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2017-14684"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-22T01:29:00Z",
"severity": "HIGH"
},
"details": "In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in the function ReadVIPSImage in coders/vips.c, which allows attackers to cause a denial of service (memory consumption in ResizeMagickMemory in MagickCore/memory.c) via a crafted file.",
"id": "GHSA-jf83-pjr3-8vr2",
"modified": "2025-04-20T03:45:42Z",
"published": "2022-05-13T01:43:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14684"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/770"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JF9P-2FV9-2JP2
Vulnerability from github – Published: 2025-11-21 18:19 – Updated: 2025-11-27 07:53Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms.
Windows
The thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached.
macOS / iOS
The thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer.
Impact
Long-running applications (such as servers, daemons, or monitoring tools) that use this crate to periodically check thread counts will eventually crash due to resource exhaustion.
Resources
- https://github.com/jzeuzs/thread-amount/pull/29
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "thread-amount"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65947"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-772"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-21T18:19:40Z",
"nvd_published_at": "2025-11-21T23:15:45Z",
"severity": "HIGH"
},
"details": "Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms.\n\n### Windows\nThe `thread_amount` function calls `CreateToolhelp32Snapshot` but fails to close the returned `HANDLE` using `CloseHandle`. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached.\n\n### macOS / iOS\nThe `thread_amount` function calls `task_threads` (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using `vm_deallocate`. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer.\n\n### Impact\nLong-running applications (such as servers, daemons, or monitoring tools) that use this crate to periodically check thread counts will eventually crash due to resource exhaustion.\n\n### Resources\n\n- https://github.com/jzeuzs/thread-amount/pull/29",
"id": "GHSA-jf9p-2fv9-2jp2",
"modified": "2025-11-27T07:53:32Z",
"published": "2025-11-21T18:19:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jzeuzs/thread-amount/security/advisories/GHSA-jf9p-2fv9-2jp2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65947"
},
{
"type": "WEB",
"url": "https://github.com/jzeuzs/thread-amount/pull/29"
},
{
"type": "WEB",
"url": "https://github.com/jzeuzs/thread-amount/commit/28860d4a38286609cb884c13b5b7941edc2390e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jzeuzs/thread-amount"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0125.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS"
}
GHSA-JFRW-3J8Q-2C86
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; V500R002C10; NIP6300 V500R001C50; NIP6600 V500R001C50; NIP6800 V500R001C50; Secospace USG6600 V500R001C50; USG9500 V500R001C50 have a memory leak vulnerability. The software does not release allocated memory properly when processing Protal questionnaire. A remote attacker could send a lot questionnaires to the device, successful exploit could cause the device to reboot since running out of memory.
{
"affected": [],
"aliases": [
"CVE-2018-7994"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-31T14:29:00Z",
"severity": "HIGH"
},
"details": "Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; V500R002C10; NIP6300 V500R001C50; NIP6600 V500R001C50; NIP6800 V500R001C50; Secospace USG6600 V500R001C50; USG9500 V500R001C50 have a memory leak vulnerability. The software does not release allocated memory properly when processing Protal questionnaire. A remote attacker could send a lot questionnaires to the device, successful exploit could cause the device to reboot since running out of memory.",
"id": "GHSA-jfrw-3j8q-2c86",
"modified": "2022-05-13T01:53:28Z",
"published": "2022-05-13T01:53:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7994"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180704-01-firewall-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JG5V-CPQP-FCX5
Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImage in coders/pattern.c.
{
"affected": [],
"aliases": [
"CVE-2018-5246"
],
"database_specific": {
"cwe_ids": [
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-05T19:29:00Z",
"severity": "MODERATE"
},
"details": "In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImage in coders/pattern.c.",
"id": "GHSA-jg5v-cpqp-fcx5",
"modified": "2022-05-13T01:52:44Z",
"published": "2022-05-13T01:52:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5246"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/929"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102469"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.
Mitigation MIT-47
Strategy: Resource Limitation
- Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.