1. Home
  2. CWE Database
  3. CWE-666
Class · High

CWE-666: Operation on Resource in Wrong Phase of Lifetime

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

CWE-666 · Class Level ·1 CVEs ·1 Mitigations

Description

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

A resource's lifecycle includes several phases: initialization, use, and release. For each phase, it is important to follow the specifications outlined for how to operate on the resource and to ensure that the resource is in the expected phase. Otherwise, if a resource is in one phase but the operation is not valid for that phase (i.e., an incorrect phase of the resource's lifetime), then this can produce resultant weaknesses. For example, using a resource before it has been fully initialized could cause corruption or incorrect data to be used.

Potential Impact

Other

Other

Demonstrative Examples

The following code shows a simple example of a double free vulnerability.
Bad
char* ptr = (char*)malloc (SIZE);
				   ...
				   if (abrt) {
				   
					 free(ptr);
				   
				   }
				   ...
				   free(ptr);
Double free vulnerabilities have two common (and sometimes overlapping) causes:
Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

Mitigations & Prevention

Architecture and Design

Follow the resource's lifecycle from creation to release.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2006-5051Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).

CWE-664: Improper Control of a Resource Through its Lifetime

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use,...

Taxonomy Mappings

  • CERT C Secure Coding: FIO46-C — Do not access a closed file
  • CERT C Secure Coding: MEM30-C — Do not access freed memory

Frequently Asked Questions

What is CWE-666?

CWE-666 (Operation on Resource in Wrong Phase of Lifetime) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

How can CWE-666 be exploited?

Attackers can exploit CWE-666 (Operation on Resource in Wrong Phase of Lifetime) to other. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-666?

Key mitigations include: Follow the resource's lifecycle from creation to release.

What is the severity of CWE-666?

CWE-666 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVEs.