Category: Comprehensive Categorization: Resource Lifecycle Management
Incomplete
Summary
Weaknesses in this category are related to resource lifecycle management.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1042 | Static Member Data Element outside of a Singleton Class Element | This weakness occurs when a class that isn't designed as a singleton (a class meant to have only one instance) contains a non-final static member variable. This creates a shared, mutable state across all instances of that class, which can lead to unexpected behavior and data corruption. |
| CWE-1046 | Creation of Immutable Text Using String Concatenation | This weakness occurs when code builds a string within a loop using simple concatenation (like +=), which unintentionally creates new string objects every time instead of efficiently appending to a buffer. |
| CWE-1049 | Excessive Data Query Operations in a Large Data Table | This weakness occurs when an application runs a database query that uses numerous joins and sub-queries on a very large table, leading to severe performance degradation. |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop | This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database connections, memory, or session locks. Each iteration of the loop drains these finite platform assets without proper release. |
| CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | This vulnerability occurs when software uses fixed, hard-coded values—like IP addresses, domain names, or URLs—to identify network resources during its startup or configuration phase. |
| CWE-1052 | Excessive Use of Hard-Coded Literals in Initialization | This weakness occurs when software initializes variables or data structures using hard-coded values (like strings, file paths, or network addresses) instead of configurable constants or parameters. While simple numbers or true constants are acceptable, embedding non-trivial literals directly in code creates maintenance and security risks. |
| CWE-1063 | Creation of Class Instance within a Static Code Block | This weakness occurs when a class instance is created inside a static initializer block, causing premature and potentially expensive object creation. |
| CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | This weakness occurs when a database query is structured in a way that forces the system to scan entire tables row-by-row, instead of using an available index for efficient lookups. |
| CWE-1072 | Data Resource Access without Use of Connection Pooling | This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool. This inefficient pattern forces the system to repeatedly endure the full overhead of establishing and tearing down connections. |
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | This weakness occurs when a client-side function or method makes an excessive number of individual data requests through a non-SQL data manager, instead of using more efficient bulk operations or database-native capabilities. |
| CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations | This weakness occurs when a single function or method performs an excessive number of file or database operations, such as repeated reads, writes, or queries. It over-relies on a single data manager or file resource, creating a tightly coupled and fragile code structure. |
| CWE-1089 | Large Data Table with Excessive Number of Indices | This weakness occurs when an application uses a database table with a very large number of rows and creates too many indexes on it, degrading overall system performance. |
| CWE-1091 | Use of Object without Invoking Destructor Method | This weakness occurs when a program accesses an object but fails to properly call its destructor or finalizer method. This leaves the cleanup of the object's resources to the system's automatic garbage collection, which may not happen immediately or predictably. |
| CWE-1094 | Excessive Index Range Scan for a Data Resource | This weakness occurs when a database query performs an index range scan that can access an unnecessarily large number of rows from a substantial data table, leading to severe performance degradation. |
| CWE-1176 | Inefficient CPU Computation | This weakness occurs when software uses inefficient algorithms or suboptimal CPU operations, performing unnecessary or overly complex calculations that waste processing power and slow down performance. |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | This vulnerability occurs when software fails to properly check the boundaries of an indexed resource, like an array, buffer, or file, before accessing it. This allows reading from or writing to memory locations outside the intended range. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it later. |
| CWE-1221 | Incorrect Register Defaults or Module Parameters | This vulnerability occurs when hardware description language (HDL) code sets insecure default values for hardware registers or configurable module parameters. These hardcoded values leave the hardware in an unsafe state after a reset, creating a permanent security weakness that software cannot patch. |
| CWE-1229 | Creation of Emergent Resource | This vulnerability occurs when a system's normal operations unintentionally create new, exploitable resources that attackers can use to bypass security controls. |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | This weakness occurs when a program relies on automatic boxing and unboxing of primitive types within performance-sensitive code sections, causing unnecessary computational overhead and potential resource strain. |
| CWE-1239 | Improper Zeroization of Hardware Register | This vulnerability occurs when a hardware component fails to properly erase sensitive data from its internal registers before a new user or process gains access to the hardware block. |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | This vulnerability occurs when a system fails to properly manage write operations on memory hardware that has a limited lifespan, such as Flash or EEPROM. Without correct wear leveling, specific memory cells wear out faster than intended, leading to premature device failure. |
| CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State | This vulnerability occurs when a system with multiple independent components (like distributed services or separate hardware units) each maintain their own copy of shared data—such as user state, cache, or configuration—but the system fails to keep all these local copies synchronized and consistent with each other. |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | This vulnerability occurs when hardware fails to erase sensitive data like cryptographic keys and intermediate values before entering debug mode, leaving them exposed. |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | This vulnerability occurs when a system lacks a reliable method for administrators to permanently erase sensitive information before taking hardware or software out of service. The data scrubbing feature might be missing, ineffective, or flawed, leaving confidential data behind. |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Security-critical hardware registers start with random, unpredictable values when a device powers on or resets, creating an immediate vulnerability window before software can initialize them. |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | This vulnerability occurs when a device changes its power mode or enters a debug state but fails to wipe sensitive data that should become inaccessible after the transition. |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to supply valid data, potentially compromising security. |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | The product's data removal process fails to completely erase all data from hardware components, potentially leaving sensitive information behind. |
| CWE-1325 | Improperly Controlled Sequential Memory Allocation | This vulnerability occurs when a system allocates memory separately for each item in a collection but fails to enforce a global limit on the total memory used by all items combined. |
| CWE-1330 | Remanent Data Readable after Memory Erase | Sensitive data stored in memory hardware can still be accessed or reconstructed even after a standard clear or erase command has been executed. |
| CWE-1333 | Inefficient Regular Expression Complexity | This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service. |
| CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | This vulnerability occurs when a CPU fails to completely erase temporary data traces left behind by speculative execution or error recovery processes. These lingering microarchitectural hints can be analyzed through side-channels to leak sensitive information. |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | This vulnerability occurs when a Windows application opens a file or directory without properly validating that the path is not a symbolic link (junction or mount point) pointing to a location outside the application's intended security boundary. |
| CWE-1389 | Incorrect Parsing of Numbers with Different Radices | This vulnerability occurs when software processes numeric input expecting standard decimal numbers (base 10), but fails to handle inputs formatted in other bases like octal or hexadecimal. This mismatch leads to the system interpreting the same digits as a completely different numeric value. |
| CWE-1419 | Incorrect Initialization of Resource | This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or insecure state when used later. |
| CWE-1420 | Exposure of Sensitive Information during Transient Execution | Transient execution vulnerabilities occur when a processor speculatively runs operations that don't officially commit, potentially leaking sensitive data through covert side channels like cache timing. |
| CWE-1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution | This vulnerability occurs when a processor's speculative execution (transient operations) can temporarily access restricted data from another security domain. This sensitive information can leave traces in shared hardware structures like CPU caches, where an attacker could potentially retrieve it using a covert channel attack. |
| CWE-1422 | Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution | This vulnerability occurs when a CPU incorrectly forwards outdated or incorrect data during speculative execution. This allows sensitive information to leak through covert side-channel attacks, even when software-level protections are in place. |
| CWE-1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution | This vulnerability occurs when separate software components, like different processes or virtual machines, share the processor's internal prediction mechanisms. An attacker can manipulate these shared predictors to trigger speculative execution in a victim component, potentially leaking sensitive data across a security boundary via covert side channels. |
| CWE-178 | Improper Handling of Case Sensitivity | This vulnerability occurs when software fails to consistently handle uppercase and lowercase letters when checking or accessing resources, leading to unpredictable behavior and security gaps. |
| CWE-192 | Integer Coercion Error | An integer coercion error occurs when a program incorrectly converts, extends, or truncates a number between different data types, leading to unexpected values. |
| CWE-194 | Unexpected Sign Extension | This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be incorrectly extended. If the original value is negative, this sign extension can fill the new, higher-order bits with '1's, leading to unexpectedly large positive values and causing logic errors, buffer overflows, or security bypasses. |
| CWE-195 | Signed to Unsigned Conversion Error | This vulnerability occurs when a signed integer (which can hold negative values) is converted to an unsigned integer (which holds only non-negative values). If the original signed value is negative, the conversion produces a large, unexpected positive number instead of an error, breaking the program's logic. |
| CWE-196 | Unsigned to Signed Conversion Error | This vulnerability occurs when a program takes an unsigned integer and converts it directly to a signed integer. If the original unsigned value is too large to fit within the signed type's positive range, the conversion results in an unexpected negative number, corrupting the data. |
| CWE-197 | Numeric Truncation Error | A numeric truncation error happens when a program converts a number to a smaller data type, cutting off its higher-order bits and corrupting the original value. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | This vulnerability occurs when an application stores or transmits a resource containing sensitive data without properly cleaning it first, potentially exposing that information to unauthorized parties. |
| CWE-221 | Information Loss or Omission | This weakness occurs when an application fails to log critical security events or records them inaccurately, which can misguide security decisions and hinder incident investigation. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context. |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | This vulnerability occurs when a program creates a chroot jail but fails to change its current working directory afterward. Because the process's working directory remains outside the jail, attackers can use relative paths to access files and directories that should be restricted. |
| CWE-372 | Incomplete Internal State Distinction | This vulnerability occurs when an application fails to accurately track its own operational state. The system incorrectly assumes it's in one mode or condition when it's actually in another, leading to security-critical actions being performed with the wrong assumptions. |
| CWE-386 | Symbolic Name not Mapping to Correct Object | This vulnerability occurs when a program uses a fixed symbolic name (like a constant or identifier) to refer to an object, but that name can later point to a different, unintended object during execution. |
| CWE-400 | Uncontrolled Resource Consumption | This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service. |
| CWE-404 | Improper Resource Shutdown or Release | This vulnerability occurs when a program fails to properly close or release a system resource—like a file handle, database connection, or memory block—after it's no longer needed, preventing its reuse. |
| CWE-405 | Asymmetric Resource Consumption (Amplification) | This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage. |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | This vulnerability occurs when a system fails to properly limit the amount of network traffic it can generate in response to a request, allowing an attacker to abuse it to send a disproportionately large volume of data. |
| CWE-407 | Inefficient Algorithmic Complexity | This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by providing specially crafted input that forces the algorithm into its slowest possible execution path, leading to severe performance degradation or denial of service. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | This vulnerability occurs when software fails to safely process highly compressed data, where a small input file can trigger the creation of an extremely large amount of data during decompression, overwhelming system resources. |
| CWE-410 | Insufficient Resource Pool | This vulnerability occurs when a system's resource pool is too small to handle maximum usage. Attackers can exploit this by making a high volume of requests, consuming all available resources and blocking legitimate users. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | This vulnerability occurs when an application accepts file uploads without properly restricting the file types, allowing attackers to upload and execute malicious files on the server. |
| CWE-453 | Insecure Default Variable Initialization | This vulnerability occurs when software sets an internal variable to an insecure or unnecessarily weak default value during initialization, rather than using the most secure option available. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | This vulnerability occurs when an application sets up its critical internal variables or storage systems using data from untrusted, external sources that an attacker could control. |
| CWE-456 | Missing Initialization of a Variable | This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory. |
| CWE-457 | Use of Uninitialized Variable | This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and potential security risks. |
| CWE-459 | Incomplete Cleanup | This vulnerability occurs when an application fails to properly remove temporary files, data structures, or system resources after they are no longer needed. |
| CWE-460 | Improper Cleanup on Thrown Exception | This vulnerability occurs when a program fails to properly restore its state or release resources after an exception is thrown, leaving the application in an inconsistent or unexpected condition. |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | This vulnerability occurs when an application fails to protect data it assumes cannot be changed, allowing an attacker to alter it. |
| CWE-487 | Reliance on Package-level Scope | This weakness occurs when a Java application mistakenly treats package-level access as a security boundary, assuming it can prevent unauthorized access to code. |
| CWE-495 | Private Data Structure Returned From A Public Method | This vulnerability occurs when a public method directly returns a reference to a private, internal data structure. Because the reference is live, external callers can bypass intended controls and modify the data unexpectedly, corrupting the application's state. |
| CWE-496 | Public Data Assigned to Private Array-Typed Field | This vulnerability occurs when a developer stores sensitive data in a private array, but then assigns a publicly accessible reference to that same array. This effectively makes all the private array's contents available to unauthorized code, bypassing intended access controls. |
| CWE-501 | Trust Boundary Violation | This vulnerability occurs when an application incorrectly stores or processes trusted and untrusted data together within the same structure, such as an object, array, or message. |
| CWE-568 | finalize() Method Without super.finalize() | This vulnerability occurs when a Java class overrides the finalize() method but fails to call super.finalize() within it. |
| CWE-580 | clone() Method Without super.clone() | This vulnerability occurs when a class's clone() method creates a new object directly instead of calling super.clone(). |
| CWE-588 | Attempt to Access Child of a Non-structure Pointer | This vulnerability occurs when code incorrectly treats a pointer to a basic data type (like an integer) as if it points to a structured object (like a 'struct' in C). The program then tries to access a member field that doesn't exist at that memory location, which can cause crashes or corrupt adjacent data. |
| CWE-607 | Public Static Final Field References Mutable Object | This vulnerability occurs when a class exposes a public or protected static final field that points to a changeable object. Because the field's reference is constant but the object itself is not, malicious code or even accidental code in other packages can modify the object's contents, violating the intended immutability. |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | This vulnerability occurs when an application uses user-supplied input to reference a resource located outside its intended security boundary, allowing attackers to redirect operations to unintended locations. |
| CWE-618 | Exposed Unsafe ActiveX Method | This vulnerability occurs when an ActiveX control, designed for web browsers, exposes methods that bypass the browser's built-in security restrictions. These unsafe methods can perform actions outside the browser's intended security boundaries, such as those defined by zones or domains. |
| CWE-662 | Improper Synchronization | This vulnerability occurs when a multi-threaded or multi-process application allows shared resources to be accessed by multiple threads or processes simultaneously, without proper safeguards to enforce exclusive access. |
| CWE-664 | Improper Control of a Resource Through its Lifetime | This vulnerability occurs when software fails to properly manage a resource throughout its entire lifecycle—from creation and active use to its final release or destruction. |
| CWE-665 | Improper Initialization | This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it in an unpredictable and potentially dangerous state. |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime | This vulnerability occurs when software interacts with a resource—like memory, a file, or a network connection—at an incorrect stage of its existence, leading to crashes, data corruption, or unpredictable behavior. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | This vulnerability occurs when an application incorrectly moves or shares a resource (like data, permissions, or functionality) between different trust boundaries or security contexts. This improper transfer can give unintended actors control over that resource, leading to security breaches. |
| CWE-673 | External Influence of Sphere Definition | The application allows external parties to modify its security boundaries or trusted zones, which should be defined and controlled internally. |
| CWE-681 | Incorrect Conversion between Numeric Types | This vulnerability occurs when a program converts a value from one numeric type to another (like a 64-bit integer to a 32-bit integer) and the conversion loses or misinterprets data. If these corrupted values are later used in security-critical operations—like calculating buffer sizes, checking permissions, or performing financial transactions—they can lead to crashes, incorrect behavior, or security bypasses. |
| CWE-704 | Incorrect Type Conversion or Cast | This vulnerability occurs when software incorrectly changes data from one type to another, leading to unexpected behavior or security flaws. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | This vulnerability occurs when software uses a name, path, or reference to access a resource, but that identifier points to something outside the area the application is supposed to control, leading to unauthorized access or manipulation. |
| CWE-749 | Exposed Dangerous Method or Function | This vulnerability occurs when a software component exposes an API or interface containing a high-risk function that lacks proper access controls, allowing unauthorized actors to trigger it. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of it as a buffet with no rules on how much one person can take, eventually leaving nothing for others and causing the system to fail. |
| CWE-771 | Missing Reference to Active Allocated Resource | This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system from properly releasing it back for future use. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-773 | Missing Reference to Active File Descriptor or Handle | This vulnerability occurs when a program fails to keep track of open files or resources, preventing the system from properly closing and reclaiming them. |
| CWE-774 | Allocation of File Descriptors or Handles Without Limits or Throttling | This vulnerability occurs when an application creates file descriptors or handles for a user or process without enforcing any limits on the total number that can be opened. |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | This vulnerability occurs when a program fails to properly close file descriptors or handles after they are no longer needed, leaving these system resources allocated. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without proper limits, enabling malicious data structures. |
| CWE-779 | Logging of Excessive Data | This vulnerability occurs when an application records more information than necessary in its logs, making log files difficult to analyze and potentially slowing down incident response or security investigations. |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | This vulnerability occurs when a system exposes an IOCTL (Input/Output Control) interface that performs sensitive operations, but fails to implement proper checks to verify which users or processes are allowed to call it. |
| CWE-827 | Improper Control of Document Type Definition | This vulnerability occurs when an application fails to properly restrict which Document Type Definitions (DTDs) can be referenced during XML parsing. Attackers can exploit this by injecting references to malicious DTDs, potentially leading to unauthorized file access, server-side request forgery (SSRF), or denial-of-service through resource exhaustion. |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | This weakness occurs when an application integrates executable code, like a library or plugin, from a source it does not fully control or trust. |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | This vulnerability occurs when a web application directly imports and executes functionality, like a widget or script, from an external, untrusted domain. Because the imported code runs within your application's own security context (origin), it gains the same level of access to user data and the DOM as your own code, potentially giving the third party full control. |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Type confusion occurs when a program creates a resource—like a pointer, object, or variable—with one data type, but later incorrectly accesses it as a different, incompatible type. |
| CWE-908 | Use of Uninitialized Resource | This vulnerability occurs when software attempts to use a resource—like memory, a file handle, or an object—before it has been properly set up or assigned a valid starting state. |
| CWE-909 | Missing Initialization of Resource | The software fails to properly set up a critical resource before using it. |
| CWE-911 | Improper Update of Reference Count | This vulnerability occurs when a program uses a reference counter to track resource usage but fails to update the count correctly, either by missing an update or applying an incorrect value. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | This vulnerability occurs when an application fails to properly secure access to code resources that can be created or altered at runtime, such as variables, functions, or objects. |
| CWE-920 | Improper Restriction of Power Consumption | This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to actively manage and limit its own energy usage. |
| CWE-922 | Insecure Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data—like credentials, personal information, or encryption keys—without enforcing proper access controls, allowing unauthorized users to read or modify it. |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion functions like require() or include(). |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.