1. Home
  2. CWE Database
  3. CWE-771
Base · Medium

CWE-771: Missing Reference to Active Allocated Resource

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

CWE-771 · Base Level ·1 Mitigations

Description

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be reclaimed.

Potential Impact

Availability

DoS: Resource Consumption (Other)

Mitigations & Prevention

OperationArchitecture and Design

Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resour

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-400: Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Taxonomy Mappings

  • CERT C Secure Coding: FIO42-C — Close files when they are no longer needed
  • CERT C Secure Coding: MEM31-C — Free dynamically allocated memory when no longer needed
  • Software Fault Patterns: SFP14 — Failure to Release Resource
  • ISA/IEC 62443: Part 3-3 — Req SR 7.2
  • ISA/IEC 62443: Part 4-1 — Req SVV-1
  • ISA/IEC 62443: Part 4-2 — Req CR 7.2

Frequently Asked Questions

What is CWE-771?

CWE-771 (Missing Reference to Active Allocated Resource) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

How can CWE-771 be exploited?

Attackers can exploit CWE-771 (Missing Reference to Active Allocated Resource) to dos: resource consumption (other). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-771?

Key mitigations include: Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resourc

What is the severity of CWE-771?

CWE-771 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.