Description
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
When a product releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the product to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.
Potential Impact
Confidentiality
Read Memory
Availability
DoS: Crash, Exit, or Restart
Integrity, Confidentiality, Availability
Execute Unauthorized Code or Commands
Demonstrative Examples
char* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);}char* ptr = (char*)malloc (SIZE);...if (abrt) {free(ptr);}...free(ptr);Mitigations & Prevention
Choose a language that provides automatic memory management.
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
- Automated Dynamic Analysis Moderate — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2023-26463 | Chain: IPSec VPN product uses the same variable for multiple purposes in the same function (CWE-1109), leading to incorrect access control (CWE-284) and expired pointer dereference (CWE-825) |
| CVE-2008-5013 | access of expired memory address leads to arbitrary code execution |
| CVE-2010-3257 | stale pointer issue leads to denial of service and possibly other consequences |
| CVE-2008-0062 | Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the sys |
| CVE-2007-1211 | read of value at an offset into a structure after the offset is no longer valid |
Related Weaknesses
Frequently Asked Questions
What is CWE-825?
CWE-825 (Expired Pointer Dereference) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
How can CWE-825 be exploited?
Attackers can exploit CWE-825 (Expired Pointer Dereference) to read memory. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-825?
Key mitigations include: Choose a language that provides automatic memory management.
What is the severity of CWE-825?
CWE-825 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.