Common Weakness Enumeration

CWE-772

Allowed

Missing Release of Resource after Effective Lifetime

Abstraction: Base · Status: Draft

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

567 vulnerabilities reference this CWE, most recent first.

GHSA-RRRW-3VQX-F9M3

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

A memory buffer error vulnerability exists in a component interface of Huawei Smartphone. Local attackers can exploit this vulnerability to cause memory leakage and doS attacks by carefully constructing attack scenarios.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-01T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A memory buffer error vulnerability exists in a component interface of Huawei Smartphone. Local attackers can exploit this vulnerability to cause memory leakage and doS attacks by carefully constructing attack scenarios.",
  "id": "GHSA-rrrw-3vqx-f9m3",
  "modified": "2022-05-24T17:46:02Z",
  "published": "2022-05-24T17:46:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9146"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/cn/support/bulletin/2021/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RVX5-CGPM-65XR

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteINLINEImage in coders/inline.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-07T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteINLINEImage in coders/inline.c.",
  "id": "GHSA-rvx5-cgpm-65xr",
  "modified": "2022-05-13T01:14:46Z",
  "published": "2022-05-13T01:14:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/d5559407ce29f4371e5df9c1cbde65455fe5854c"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100226"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWM7-X88C-3G2P

Vulnerability from github – Published: 2026-05-06 23:10 – Updated: 2026-05-14 18:02
VLAI
Summary
Netty epoll transport denial of service via RST on half-closed TCP connection
Details

Summary

Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread.

Affected versions

All versions of 4.2.x netty-transport-native-epoll up to and including 4.2.12.Final

Fixed in

4.2.13.Final (fix merged into the 4.2 branch via #16689; release not yet cut as of 2026-04-25).

Severity

Medium — Denial of Service (resource exhaustion / CPU spin)

CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - 7.5

CWE: CWE-772: Missing Release of Resource after Effective Lifetime

Description

When a TCP connection using Netty's epoll transport has ALLOW_HALF_CLOSURE enabled (or is in a half-closed state via the HTTP codec), and the remote peer:

  1. Sends a FIN (half-close), causing the server to mark the input as shutdown, then
  2. Sends a RST (e.g. by closing with SO_LINGER=0)

the server-side channel is never closed. This happens because:

  • epollOutReady() is a no-op when there is no pending flush.
  • epollInReady() short-circuits via shouldBreakEpollInReady() because input is already marked as shutdown.
  • The EPOLLERR/EPOLLHUP error condition is therefore never processed, and channelInactive is never fired.

Depending on the Netty version and configuration, this results in:

  • Stale channels: The connection is never closed or deregistered. An unauthenticated remote attacker can repeat the sequence to accumulate stale connections, exhausting file descriptors, memory, or connection-count limits.
  • CPU busy-loop: In code paths where clearEpollIn0() is not called during the ChannelInputShutdownReadComplete event, epoll_wait returns immediately on every iteration for the affected fd, causing 100% CPU utilization on the event loop thread and starving all other connections multiplexed on it.

Mitigation

  • Upgrade to 4.2.13.Final when released (or build from the 4.2 branch at commit 0ec3d97).
  • If upgrading is not immediately possible, configure idle timeouts on connections to limit the lifetime of stale channels.

References

  • Issue: https://github.com/netty/netty/issues/16683
  • Fix: https://github.com/netty/netty/pull/16689
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-transport-native-epoll"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0.Final"
            },
            {
              "fixed": "4.2.13.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:10:41Z",
    "nvd_published_at": "2026-05-13T19:17:23Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nNetty\u0027s epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread.\n\n## Affected versions\n\nAll versions of 4.2.x `netty-transport-native-epoll` up to and including 4.2.12.Final\n\n## Fixed in\n\n4.2.13.Final (fix merged into the `4.2` branch via [#16689](https://github.com/netty/netty/pull/16689); release not yet cut as of 2026-04-25).\n\n## Severity\n\n**Medium** \u2014 Denial of Service (resource exhaustion / CPU spin)\n\n**CVSS:** 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - **7.5**\n\n**CWE:** CWE-772: Missing Release of Resource after Effective Lifetime\n\n## Description\n\nWhen a TCP connection using Netty\u0027s epoll transport has `ALLOW_HALF_CLOSURE` enabled (or is in a half-closed state via the HTTP codec), and the remote peer:\n\n1. Sends a FIN (half-close), causing the server to mark the input as shutdown, then\n2. Sends a RST (e.g. by closing with `SO_LINGER=0`)\n\nthe server-side channel is never closed. This happens because:\n\n- `epollOutReady()` is a no-op when there is no pending flush.\n- `epollInReady()` short-circuits via `shouldBreakEpollInReady()` because input is already marked as shutdown.\n- The `EPOLLERR`/`EPOLLHUP` error condition is therefore never processed, and `channelInactive` is never fired.\n\nDepending on the Netty version and configuration, this results in:\n\n- **Stale channels**: The connection is never closed or deregistered. An unauthenticated remote attacker can repeat the sequence to accumulate stale connections, exhausting file descriptors, memory, or connection-count limits.\n- **CPU busy-loop**: In code paths where `clearEpollIn0()` is not called during the `ChannelInputShutdownReadComplete` event, `epoll_wait` returns immediately on every iteration for the affected fd, causing 100% CPU utilization on the event loop thread and starving all other connections multiplexed on it.\n\n## Mitigation\n\n- Upgrade to 4.2.13.Final when released (or build from the `4.2` branch at commit [`0ec3d97`](https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d)).\n- If upgrading is not immediately possible, configure idle timeouts on connections to limit the lifetime of stale channels.\n\n## References\n\n- Issue: https://github.com/netty/netty/issues/16683\n- Fix: https://github.com/netty/netty/pull/16689",
  "id": "GHSA-rwm7-x88c-3g2p",
  "modified": "2026-05-14T18:02:39Z",
  "published": "2026-05-06T23:10:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/pull/16689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netty/netty"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netty epoll transport denial of service via RST on half-closed TCP connection"
}

GHSA-RXR2-QR3H-M2RP

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

The ReadMATImage function in coders/mat.c in ImageMagick through 6.9.9-3 and 7.x through 7.0.6-3 has memory leaks involving the quantum_info and clone_info data structures.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-29T05:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The ReadMATImage function in coders/mat.c in ImageMagick through 6.9.9-3 and 7.x through 7.0.6-3 has memory leaks involving the quantum_info and clone_info data structures.",
  "id": "GHSA-rxr2-qr3h-m2rp",
  "modified": "2022-05-13T01:42:29Z",
  "published": "2022-05-13T01:42:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11724"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/624"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201711-07"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104597"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2G8-4FGQ-7RHX

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2025-06-09 18:32
VLAI
Details

An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-21T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.",
  "id": "GHSA-v2g8-4fgq-7rhx",
  "modified": "2025-06-09T18:32:00Z",
  "published": "2022-05-24T17:07:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZPCOMW5X6IZZXASCDD2CNW2DLF3YADC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZPCOMW5X6IZZXASCDD2CNW2DLF3YADC"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200210-0002"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4269-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00014.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2Q9-M664-5F32

Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18
VLAI
Details

CloudEngine 12800 products with versions of V200R019C00, V200R019C10SPC800, V200R019C00SPC600, V200R019C10; and CloudEngine 6800 products with versions of V200R019C00SPC800 have a denial of service vulnerability. Due to improper memory management, memory leakage may occur in some special cases. Attackers can perform a series of operations to exploit this vulnerability. Successful exploit may cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-29T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CloudEngine 12800 products with versions of V200R019C00, V200R019C10SPC800, V200R019C00SPC600, V200R019C10; and CloudEngine 6800 products with versions of V200R019C00SPC800 have a denial of service vulnerability. Due to improper memory management, memory leakage may occur in some special cases. Attackers can perform a series of operations to exploit this vulnerability. Successful exploit may cause a denial of service.",
  "id": "GHSA-v2q9-m664-5f32",
  "modified": "2022-05-24T17:18:51Z",
  "published": "2022-05-24T17:18:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1870"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200527-01-dos-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V34Q-J8XH-HJGX

Vulnerability from github – Published: 2024-07-09 00:31 – Updated: 2024-11-02 00:36
VLAI
Details

OpenVPN 2.6.10 and earlier in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-08T22:15:02Z",
    "severity": "MODERATE"
  },
  "details": "OpenVPN 2.6.10 and earlier in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session",
  "id": "GHSA-v34q-j8xh-hjgx",
  "modified": "2024-11-02T00:36:20Z",
  "published": "2024-07-09T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28882"
    },
    {
      "type": "WEB",
      "url": "https://community.openvpn.net/openvpn/wiki/CVE-2024-28882"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3GF-G9FC-578X

Vulnerability from github – Published: 2024-10-23 18:33 – Updated: 2024-10-23 18:33
VLAI
Details

A vulnerability in the login authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to deny further VPN user authentications for several minutes, resulting in a temporary denial of service (DoS) condition.

This vulnerability is due to ineffective handling of memory resources during the authentication process. An attacker could exploit this vulnerability by sending crafted packets, which could cause resource exhaustion of the authentication process. A successful exploit could allow the attacker to deny authentication for Remote Access SSL VPN users for several minutes, resulting in a temporary DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-23T18:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the login authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to deny further VPN user authentications for several minutes, resulting in a temporary denial of service (DoS) condition.\n\n This vulnerability is due to ineffective handling of memory resources during the authentication process. An attacker could exploit this vulnerability by sending crafted packets, which could cause resource exhaustion of the authentication process. A successful exploit could allow the attacker to deny authentication for Remote Access SSL VPN users for several minutes, resulting in a temporary DoS condition.",
  "id": "GHSA-v3gf-g9fc-578x",
  "modified": "2024-10-23T18:33:09Z",
  "published": "2024-10-23T18:33:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20493"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-vpn-4gYEWMKg"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V3RJ-H6W7-8V5M

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03
VLAI
Details

CloudEngine 12800 has a DoS vulnerability. An attacker of a neighboring device sends a large number of specific packets. As a result, a memory leak occurs after the device uses the specific packet. As a result, the attacker can exploit this vulnerability to cause DoS attacks on the target device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-13T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "CloudEngine 12800 has a DoS vulnerability. An attacker of a neighboring device sends a large number of specific packets. As a result, a memory leak occurs after the device uses the specific packet. As a result, the attacker can exploit this vulnerability to cause DoS attacks on the target device.",
  "id": "GHSA-v3rj-h6w7-8v5m",
  "modified": "2022-05-24T17:03:39Z",
  "published": "2022-05-24T17:03:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5248"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20191204-03-dos-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V3X9-WRQ5-868J

Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-03-13 21:39
VLAI
Summary
Apache Answer: The link for resetting user password is not Single-Use
Details

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apache/incubator-answer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-12T18:33:35Z",
    "nvd_published_at": "2024-08-12T13:38:31Z",
    "severity": "MODERATE"
  },
  "details": "Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.3.5.\n\nThe password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked.\nUsers are recommended to upgrade to version 1.3.6, which fixes the issue.",
  "id": "GHSA-v3x9-wrq5-868j",
  "modified": "2025-03-13T21:39:46Z",
  "published": "2024-08-12T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4"
    },
    {
      "type": "PACKAGE",
      "url": "github.com/apache/incubator-answer"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/08/09/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Answer: The link for resetting user password is not Single-Use"
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
Implementation

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.

Mitigation MIT-47
Operation Architecture and Design

Strategy: Resource Limitation

  • Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
  • When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
  • Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS

An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.