1. Home
  2. CWE Database
  3. CWE-775
Variant · Low-Medium

CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime

The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

CWE-775 · Variant Level ·1 CVEs ·1 Mitigations

Description

The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles, or otherwise preventing other system processes from obtaining their own file descriptors/handles.

Potential Impact

Availability

DoS: Resource Consumption (Other)

Mitigations & Prevention

OperationArchitecture and Design

Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems. When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resour

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2007-0897Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

CWE-772: Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer ne...

CWE-404: Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

Taxonomy Mappings

  • CERT C Secure Coding: FIO42-C — Close files when they are no longer needed
  • Software Fault Patterns: SFP14 — Failure to Release Resource

Frequently Asked Questions

What is CWE-775?

CWE-775 (Missing Release of File Descriptor or Handle after Effective Lifetime) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

How can CWE-775 be exploited?

Attackers can exploit CWE-775 (Missing Release of File Descriptor or Handle after Effective Lifetime) to dos: resource consumption (other). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-775?

Key mitigations include: Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resourc

What is the severity of CWE-775?

CWE-775 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVEs.