This occurs when a base class defines a virtual destructor, but a derived class inherits from it without declaring its own virtual destructor.
When you delete an object through a pointer to its base class, the destructor call must propagate correctly down the inheritance chain. If the child class manages its own resources (like memory, file handles, or network connections) but lacks a virtual destructor, only the parent's destructor will be invoked. This leaves the child's cleanup logic unexecuted, causing resource leaks and leaving the program in an unstable state. While this is fundamentally a reliability issue that can lead to memory leaks (CWE-401), it can become a security vulnerability if an attacker can trigger or exploit the resulting instability. For example, sustained memory leaks can lead to denial of service, and corrupted program state might be leveraged for further attacks. The fix is straightforward: always declare a virtual destructor in any class that is intended to be inherited from, ensuring proper cleanup for all derived types.
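The fix described above, as an added example that is not part of the original page: the derived class declares its own destructor with override, and a compile-time check rejects any base class without a virtual destructor. All class and function names are hypothetical, and the counters stand in for real resources.

```cpp
#include <memory>
#include <type_traits>
#include <utility>

// Hypothetical names throughout; the counters stand in for real resources.
static int open_handles = 0;   // resources currently held by derived objects
static int base_cleanups = 0;  // number of times the base destructor ran

class Connection {             // intended to be inherited from
public:
    virtual ~Connection() { ++base_cleanups; }
    virtual int id() const { return 0; }
};

class TlsConnection : public Connection {
public:
    TlsConnection() { ++open_handles; }             // acquire
    // `override` is a compile error if the base destructor is not virtual.
    ~TlsConnection() override { --open_handles; }   // release
    int id() const override { return 1; }
};

// Weak form for comparison: polymorphic base, non-virtual destructor.
// It is never deleted through a base pointer here, only inspected.
class LegacyBase {
public:
    ~LegacyBase() {}
    virtual int id() const { return 2; }
};

// Compile-time guard: only hand out an owning Base pointer when deleting
// through Base* is guaranteed to reach the derived destructor.
template <class Base, class Derived, class... Args>
std::unique_ptr<Base> make_owned(Args&&... args) {
    static_assert(std::is_base_of<Base, Derived>::value, "Derived must inherit Base");
    static_assert(std::has_virtual_destructor<Base>::value,
                  "Base needs a virtual destructor to be deleted polymorphically");
    return std::unique_ptr<Base>(new Derived(std::forward<Args>(args)...));
}

// Creates and destroys n derived objects through base pointers and returns
// how many derived-owned handles are still open afterwards.
int leaked_after(int n) {
    for (int i = 0; i < n; ++i) {
        std::unique_ptr<Connection> c = make_owned<Connection, TlsConnection>();
        (void)c->id();
    }   // ~TlsConnection runs first, then ~Connection
    return open_handles;
}
int main() { return leaked_after(3); }
```

Calling make_owned<LegacyBase, ...> fails to compile, so the weak form is caught at build time rather than showing up later as a leak.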
Impact: Reduce Reliability