1. Home
  2. CWE Database
  3. CWE-664
Pillar · Foundational

CWE-664: Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

CWE-664 · Pillar Level ·2 CVEs

Description

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."

Potential Impact

Other

Other

Demonstrative Examples

This code allocates a socket and forks each time it receives a new connection.
Bad
sock=socket(AF_INET, SOCK_STREAM, 0);while (1) {newsock=accept(sock, ...);printf("A connection has been accepted\n");pid = fork();}
The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely.

Detection Methods

  • Automated Static Analysis — Use Static analysis tools to check for unreleased resources.

Real-World CVE Examples

CVE IDDescription
CVE-2018-1000613Cryptography API uses unsafe reflection when deserializing a private key
CVE-2019-19911Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow

Taxonomy Mappings

  • CERT C Secure Coding: FIO39-C — Do not alternately input and output from a stream without an intervening flush or positioning call

Frequently Asked Questions

What is CWE-664?

CWE-664 (Improper Control of a Resource Through its Lifetime) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Pillar-level weakness. The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

How can CWE-664 be exploited?

Attackers can exploit CWE-664 (Improper Control of a Resource Through its Lifetime) to other. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-664?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-664?

CWE-664 is classified as a Pillar-level weakness (Foundational abstraction). It has been observed in 2 real-world CVEs.