ClassDraft
CWE-404Improper Resource Shutdown or Release
Category: logic
Description
The product does not release or incorrectly releases a resource before it is made available for re-use.
When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Common consequences· 2
- Availability / Other — DoS: Resource Consumption (Other), Varies by ContextMost unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, the attacker might be able to launch a denial of service attack by depleting the resource pool.
- Confidentiality — Read Application DataWhen a resource containing sensitive information is not correctly shutdown, it may expose the sensitive data in a subsequent allocation.
Potential mitigations· 4
- [Requirements]
- [Implementation]It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
- [Implementation]Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
- [Implementation]When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
Related CAPEC attack patterns· 7
References
Exploits (incoming)7
| Type | Target | Confidence | Tier |
|---|---|---|---|
| AttackPattern | Excessive Allocationcapec-130 | 100% | live |
| AttackPattern | Resource Leak Exposurecapec-131 | 100% | live |
| AttackPattern | ICMP Fragmentationcapec-496 | 100% | live |
| AttackPattern | TCP Fragmentationcapec-494 | 100% | live |
| AttackPattern | UDP Fragmentationcapec-495 | 100% | live |
| AttackPattern | BlueSmackingcapec-666 | 100% | live |
| AttackPattern | Floodingcapec-125 | 100% | live |
Compliance frameworks addressing this (incoming)1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| ComplianceControl | nist_csf-rc | 100% | live |
(incoming)9
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-5867cve-2025-5867 | 0% | live |
| Vulnerability | CVE-2026-1173cve-2026-1173 | 0% | live |
| Vulnerability | CVE-2026-2957cve-2026-2957 | 0% | live |
| KEVEntry | Microsoft Win32k Privilege Escalation Vulnerabilitykev-cve-2018-8120 | 0% | live |
| KEVEntry | Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerabilitykev-cve-2018-8405 | 0% | live |
| KEVEntry | Microsoft DirectX Graphics Kernel Privilege Escalation Vulnerabilitykev-cve-2018-8406 | 0% | live |
| KEVEntry | Microsoft Win32k Privilege Escalation Vulnerabilitykev-cve-2018-8453 | 0% | live |
| KEVEntry | Microsoft Windows Kernel Privilege Escalation Vulnerabilitykev-cve-2018-8611 | 0% | live |
| KEVEntry | Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerabilitykev-cve-2018-8639 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.