Category: SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
Stable
Summary
Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-131 | Incorrect Calculation of Buffer Size | This vulnerability occurs when a program miscalculates the amount of memory needed for a buffer, potentially leading to a buffer overflow that can crash the software or allow attackers to execute malicious code. |
| CWE-190 | Integer Overflow or Wraparound | Integer overflow or wraparound occurs when a calculation produces a numeric result that exceeds the maximum value a variable can hold. Instead of increasing as expected, the value wraps around to a very small or negative number, breaking the program's logic. |
| CWE-401 | Missing Release of Memory after Effective Lifetime | This vulnerability occurs when a program allocates memory but fails to properly release it after it's no longer needed, causing a gradual accumulation of unused memory that can't be reclaimed by the system. |
| CWE-404 | Improper Resource Shutdown or Release | This vulnerability occurs when a program fails to properly close or release a system resource—like a file handle, database connection, or memory block—after it's no longer needed, preventing its reuse. |
| CWE-415 | Double Free | A double free vulnerability occurs when a program mistakenly calls the 'free()' function twice on the same block of memory. |
| CWE-416 | Use After Free | Use After Free happens when a program continues to use a pointer to a memory location after that memory has been freed. This can lead to unpredictable behavior, crashes, or security vulnerabilities because the freed memory may have been reallocated for a different purpose. |
| CWE-459 | Incomplete Cleanup | This vulnerability occurs when an application fails to properly remove temporary files, data structures, or system resources after they are no longer needed. |
| CWE-467 | Use of sizeof() on a Pointer Type | This vulnerability occurs when a developer uses the sizeof() operator on a pointer variable instead of the data it points to, leading to incorrect size calculations and potential buffer overflows or underflows. |
| CWE-590 | Free of Memory not on the Heap | This vulnerability occurs when a program calls free() on a memory pointer that wasn't originally allocated using standard heap functions like malloc(), calloc(), or realloc(). |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime | This vulnerability occurs when software interacts with a resource—like memory, a file, or a network connection—at an incorrect stage of its existence, leading to crashes, data corruption, or unpredictable behavior. |
| CWE-672 | Operation on a Resource after Expiration or Release | This vulnerability occurs when a program continues to use a resource—like memory, a file handle, or a network connection—after it has been freed, closed, or is no longer valid. |
| CWE-680 | Integer Overflow to Buffer Overflow | This vulnerability occurs when a program calculates the size of memory to allocate, but an integer overflow in that calculation results in a much smaller buffer being created than intended. This undersized buffer can then be overflowed by subsequent operations, corrupting adjacent memory. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | This weakness occurs when software depends on specific behaviors of an API, data structure, or system component that are not formally guaranteed by its specification. The code assumes these behaviors will always work a certain way, but they might change or fail under different conditions. |
| CWE-771 | Missing Reference to Active Allocated Resource | This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system from properly releasing it back for future use. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-789 | Memory Allocation with Excessive Size Value | This vulnerability occurs when a program allocates memory based on a user-supplied or untrusted size value without proper validation. If an attacker provides an excessively large number, the application can attempt to allocate massive amounts of system memory, leading to a denial-of-service or system instability. |
| CWE-1154 | Weaknesses Addressed by the SEI CERT C Coding Standard | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.