Variant · Low-Medium

CWE-416: Use After Free


CWE-416 · Variant Level · 29 CVEs · 2 Mitigations

Description

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Potential Impact

Integrity

Modify Memory

Availability

DoS: Crash, Exit, or Restart

Confidentiality

Read Memory

Integrity, Confidentiality, Availability

Execute Unauthorized Code or Commands

Demonstrative Examples

The following example demonstrates the weakness.
Bad
    #include <stdio.h>
    #include <stdlib.h>   /* malloc, free (missing in the original listing) */
    #include <string.h>   /* strncpy (missing in the original listing) */
    #include <unistd.h>

    #define BUFSIZER1 512
    #define BUFSIZER2 ((BUFSIZER1/2) - 8)

    int main(int argc, char **argv) {
        char *buf1R1;
        char *buf2R1;
        char *buf2R2;
        char *buf3R2;

        if (argc < 2) {
            return 1;   /* argv[1] is required below */
        }

        buf1R1 = (char *) malloc(BUFSIZER1);
        buf2R1 = (char *) malloc(BUFSIZER1);

        free(buf2R1);   /* buf2R1 is released here, but the pointer is kept */

        /* Two smaller blocks are now allocated; the allocator may carve
         * them out of the region buf2R1 still points into. */
        buf2R2 = (char *) malloc(BUFSIZER2);
        buf3R2 = (char *) malloc(BUFSIZER2);

        /* Use after free: attacker-controlled data is written through the
         * stale pointer into memory that now belongs to buf2R2/buf3R2. */
        strncpy(buf2R1, argv[1], BUFSIZER1-1);

        free(buf1R1);
        free(buf2R2);
        free(buf3R2);
        return 0;
    }
The following code illustrates a use after free error:
Bad
    char* ptr = (char*)malloc (SIZE);
    if (err) {
        abrt = 1;
        free(ptr);   /* ptr is released but still holds the old address */
    }
    ...
    if (abrt) {
        /* use after free: ptr is passed to logError after it was freed */
        logError("operation aborted before commit", ptr);
    }
When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Mitigations & Prevention

Architecture and Design

Choose a language that provides automatic memory management.

Implementation Defense in Depth

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
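The abort/commit fragment above, rewritten to apply this mitigation. This is an added example, not code from CWE or the original listing; free_and_null, log_error and process are hypothetical names, and log_error stands in for the page's logError.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical replacement for the page's logError(). Returns 1 if the buffer
 * was logged, 0 if it refused because the buffer had already been released. */
static int log_error(const char *msg, const char *buf) {
    if (buf == NULL) {
        fprintf(stderr, "%s (buffer already released)\n", msg);
        return 0;
    }
    fprintf(stderr, "%s: %s\n", msg, buf);
    return 1;
}

/* MEM01-C style helper: free through a pointer-to-pointer so the caller's
 * copy of the pointer is overwritten with NULL. Caveat noted on the page:
 * any other copies of the address (aliases in other structures) are NOT
 * cleared by this and still dangle. */
static void free_and_null(char **pp) {
    free(*pp);
    *pp = NULL;
}

/* Hardened version of the page's fragment. err selects the error path.
 * Returns log_error's result on the abort path, 2 on the commit path,
 * -1 if allocation failed. */
int process(int err) {
    char *ptr = malloc(64);
    if (ptr == NULL) return -1;
    strcpy(ptr, "pending operation");
    int abrt = 0;
    int rc;
    if (err) {
        abrt = 1;
        free_and_null(&ptr);   /* ptr is NULL from here on, not dangling */
    }
    if (abrt) {
        /* The original passed a freed ptr here; now the call sees NULL and
         * takes the safe branch instead of reading released memory. */
        rc = log_error("operation aborted before commit", ptr);
    } else {
        rc = 2;
        free_and_null(&ptr);
    }
    return rc;
}
```

Building the original fragment with `-fsanitize=address` (the ASan method listed under Detection Methods) reports the stale logError argument as a heap-use-after-free; the hardened version above produces no report.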

Detection Methods

  • Fuzzing (Effectiveness: High) — Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,
  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
  • Automated Dynamic Analysis (Effectiveness: Moderate) — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Real-World CVE Examples

CVE ID — Description
CVE-2023-38160 — TCP/IP code for an OS has a use-after-free that can leak heap memory contents
CVE-2022-20141 — Chain: an operating system kernel has insufficient resource locking (CWE-413) leading to a use after free (CWE-416).
CVE-2022-2621 — Chain: two threads in a web browser use the same resource (CWE-366), but one of those threads can destroy the resource before the other has completed (CWE-416).
CVE-2021-0920 — Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
CVE-2020-6819 — Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
CVE-2010-4168 — Use-after-free triggered by closing a connection while data is still being transmitted.
CVE-2010-2941 — Improper allocation for invalid data leads to use-after-free.
CVE-2010-2547 — certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free
CVE-2010-1772 — Timers are not disabled when a related object is deleted
CVE-2010-1437 — Access to a "dead" object that is being cleaned up
CVE-2010-1208 — object is deleted even with a non-zero reference count, and later accessed
CVE-2010-0629 — use-after-free involving request containing an invalid version number
CVE-2010-0378 — unload of an object that is currently being accessed by other functionality
CVE-2010-0302 — incorrectly tracking a reference count leads to use-after-free
CVE-2010-0249 — use-after-free related to use of uninitialized memory

Showing 15 of 29 observed examples.

Taxonomy Mappings

  • ISA/IEC 62443: Part 4-1 — Req SI-1
  • 7 Pernicious Kingdoms — Use After Free
  • CLASP — Using freed memory
  • CERT C Secure Coding: MEM00-C — Allocate and free memory in the same module, at the same level of abstraction
  • CERT C Secure Coding: MEM01-C — Store a new value in pointers immediately after free()
  • CERT C Secure Coding: MEM30-C — Do not access freed memory
  • Software Fault Patterns: SFP15 — Faulty Resource Use

Frequently Asked Questions

What is CWE-416?

CWE-416 (Use After Free) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

How can CWE-416 be exploited?

Attackers can exploit CWE-416 (Use After Free) to modify memory. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-416?

Key mitigations include choosing a language that provides automatic memory management and, as defense in depth, setting pointers to NULL immediately after they are freed.

What is the severity of CWE-416?

CWE-416 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 29 real-world CVEs.