BaseIncomplete

CWE-1325Improperly Controlled Sequential Memory Allocation

Category: memory

Description

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

Common consequences· 1

  • Availability — DoS: Resource Consumption (Memory)
    Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.

Potential mitigations· 2

  • [Implementation]Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
  • [Operation]Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Related CAPEC attack patterns· 1

CAPEC-130

References

  1. https://cwe.mitre.org/data/definitions/1325.html

Exploits (incoming)1

TypeTargetConfidenceTier
AttackPatternExcessive Allocationcapec-130100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Memory Allocation with Excessive Size Value
CWE
Missing Release of Memory after Effective Lifetime
CWE
Uncontrolled Recursion
CWE
Improper Resource Shutdown or Release
CWE
Improper Synchronization
CWE
Improper Locking
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.