1. Home
  2. CWE Database
  3. CWE-826
Base · Medium

CWE-826: Premature Release of Resource During Expected Lifetime

The product releases a resource that is still intended to be used by itself or another actor.

CWE-826 · Base Level ·1 CVEs

Description

The product releases a resource that is still intended to be used by itself or another actor.

This weakness focuses on errors in which the product should not release a resource, but performs the release anyway. This is different than a weakness in which the product releases a resource at the appropriate time, but it maintains a reference to the resource, which it later accesses. For this weakness, the resource should still be valid upon the subsequent access. When a product releases a resource that is still being used, it is possible that operations will still be taken on this resource, which may have been repurposed in the meantime, leading to issues similar to CWE-825. Consequences may include denial of service, information exposure, or code execution.

Potential Impact

Confidentiality

Read Application Data, Read Memory

Availability

DoS: Crash, Exit, or Restart

Integrity, Confidentiality, Availability

Execute Unauthorized Code or Commands, Modify Application Data, Modify Memory

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2009-3547Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)

CWE-666: Operation on Resource in Wrong Phase of Lifetime

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpe...

CWE-672: Operation on a Resource after Expiration or Release

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revok...

Frequently Asked Questions

What is CWE-826?

CWE-826 (Premature Release of Resource During Expected Lifetime) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product releases a resource that is still intended to be used by itself or another actor.

How can CWE-826 be exploited?

Attackers can exploit CWE-826 (Premature Release of Resource During Expected Lifetime) to read application data, read memory. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-826?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-826?

CWE-826 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.