Weaknesses in this category are related to improper management of system resources.
| ID | Name | Description |
|---|---|---|
| CWE-1188 | Initialization of a Resource with an Insecure Default | This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it later. |
| CWE-1341 | Multiple Releases of Same Resource or Handle | This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close violates the API's contract and leads to unpredictable and often dangerous behavior. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | This vulnerability occurs when a parent process launches a child process without first closing sensitive file descriptors. The child process inherits these open handles, potentially gaining unauthorized access to files, sockets, or other resources it shouldn't be able to interact with. |
| CWE-410 | Insufficient Resource Pool | This vulnerability occurs when a system's resource pool is too small to handle maximum usage. Attackers can exploit this by making a high volume of requests, consuming all available resources and blocking legitimate users. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | This vulnerability occurs when an application uses unvalidated external input, like a URL parameter or form field, to dynamically decide which class to load or which method to execute via reflection. An attacker can manipulate this input to force the application to load unexpected, potentially malicious code. |
| CWE-502 | Deserialization of Untrusted Data | This vulnerability occurs when an application accepts and processes serialized data from an untrusted source without proper validation, allowing an attacker to manipulate the data to execute malicious code or cause unexpected behavior. |
| CWE-619 | Dangling Database Cursor ('Cursor Injection') | A dangling database cursor occurs when a database cursor is not properly closed, potentially allowing other users to access it while it retains its original, often elevated, privileges. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | This vulnerability occurs when an application creates file or resource names using unvalidated user input, failing to properly limit what characters or paths can be used. |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | This vulnerability occurs when a system uses multiple resources that can share the same identifier, even though the application logic requires each identifier to be unique. |
| CWE-73 | External Control of File Name or Path | This vulnerability occurs when an application uses unvalidated user input to construct file or directory paths for filesystem operations. |
| CWE-763 | Release of Invalid Pointer or Reference | This vulnerability occurs when a program tries to return a memory resource to the system but uses the wrong release function or calls the right one improperly, for example passing free() a pointer that did not come from malloc() or that points into the middle of an allocation rather than at its start. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of it as a buffet with no rules on how much one person can take, eventually leaving nothing for others and causing the system to fail. |
| CWE-771 | Missing Reference to Active Allocated Resource | This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system from properly releasing it back for future use. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | This happens when software incorrectly frees or closes a resource—like memory, a file handle, or a network connection—while that resource is still supposed to be in active use by the program or another component. |
| CWE-908 | Use of Uninitialized Resource | This vulnerability occurs when software attempts to use a resource—like memory, a file handle, or an object—before it has been properly set up or assigned a valid starting state. |
| CWE-909 | Missing Initialization of Resource | This vulnerability occurs when software does not initialize a critical resource at all, so later code operates on whatever stale or default contents it happens to hold. CWE-908 covers the use of such a resource; CWE-909 covers the missing initialization itself. |
| CWE-910 | Use of Expired File Descriptor | This vulnerability occurs when a program attempts to use a file descriptor after it has been closed, treating it as if it were still valid. |
| CWE-911 | Improper Update of Reference Count | This vulnerability occurs when a program uses a reference counter to track resource usage but fails to update the count correctly, either by missing an update or applying an incorrect value. |
| CWE-914 | Improper Control of Dynamically-Identified Variables | This vulnerability occurs when an application fails to properly secure access to variables whose names are determined at runtime, allowing attackers to read or modify data they shouldn't have access to. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | This vulnerability occurs when an application accepts user input that specifies which object attributes or fields to create or update, but fails to restrict which specific attributes can be changed. Attackers can exploit this to modify sensitive internal properties they shouldn't have access to. |
| CWE-920 | Improper Restriction of Power Consumption | This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to actively manage and limit its own energy usage. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
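Three rows in the table (CWE-910, CWE-1341 and CWE-403) share one root cause: a file descriptor is just a small integer that the kernel recycles as soon as it is free, and it is inherited by children unless someone says otherwise. The program below is an added illustration, not code from the CWE entries or from MITRE. It assumes a POSIX system, where open(2) returns the lowest free descriptor number, and it uses Python's `subprocess` to show that descriptors above stderr are closed for a child unless they are explicitly listed in `pass_fds`; the file and pipe contents are constructed for the demo.

```python
"""File-descriptor lifecycle pitfalls (CWE-910, CWE-1341, CWE-403).

Added illustration, not code from CWE or MITRE.  Assumes a POSIX system,
where open(2) returns the lowest free descriptor number and a child process
starts with the descriptors its parent let it inherit.
"""
import os
import subprocess
import sys
import tempfile


def stale_fd_writes_to_wrong_file() -> tuple[int, int, bytes]:
    """CWE-910: a descriptor number kept after close() is recycled by the
    next open(), so a write through the stale number lands in another file.
    Returns (stale fd, new fd, bytes found in the *other* file)."""
    with tempfile.TemporaryDirectory() as tmp:
        audit_fd = os.open(os.path.join(tmp, "audit.log"), os.O_WRONLY | os.O_CREAT, 0o600)
        os.close(audit_fd)                        # the number is free again ...
        other_fd = os.open(os.path.join(tmp, "other.dat"), os.O_RDWR | os.O_CREAT, 0o600)
        # ... and open(2) hands the same number to an unrelated file.
        os.write(audit_fd, b"admin logged in")    # bug: stale descriptor, wrong file
        os.lseek(other_fd, 0, os.SEEK_SET)
        leaked = os.read(other_fd, 64)
        os.close(other_fd)
        return audit_fd, other_fd, leaked


def double_close_kills_neighbour() -> bool:
    """CWE-1341: the second close() of a recycled number does not fail with
    EBADF; it silently closes a descriptor that now belongs to someone else.
    Returns True if the innocent descriptor survived."""
    r, w = os.pipe()
    os.close(w)                                   # legitimate release
    victim = os.open(os.devnull, os.O_RDONLY)     # recycles w's number
    if victim != w:                               # lowest-free-fd rule not in force; stop cleanly
        os.close(victim)
        os.close(r)
        raise RuntimeError("descriptor numbers were not recycled as expected")
    os.close(w)                                   # bug: double close -> closes `victim`
    try:
        os.fstat(victim)
        survived = True
        os.close(victim)
    except OSError:
        survived = False
    os.close(r)
    return survived


def child_sees_descriptor(fd: int, share: bool) -> bool:
    """CWE-403: spawn a child and ask whether `fd` still refers to the same
    file there.  subprocess closes everything above stderr unless the number
    is listed in pass_fds, which is the explicit allowlist you want."""
    st = os.fstat(fd)
    probe = (
        "import os, sys\n"
        "try:\n"
        f"    s = os.fstat({fd})\n"
        "except OSError:\n"
        "    sys.exit(1)\n"
        f"sys.exit(0 if (s.st_dev, s.st_ino) == ({st.st_dev}, {st.st_ino}) else 1)\n"
    )
    proc = subprocess.run([sys.executable, "-c", probe],
                          pass_fds=(fd,) if share else (), check=False)
    return proc.returncode == 0


def inheritance_demo() -> tuple[bool, bool]:
    """Returns (child sees the file without pass_fds, child sees it with pass_fds)."""
    with tempfile.NamedTemporaryFile() as secret:   # stands in for a sensitive handle
        fd = secret.fileno()                        # non-inheritable by default (PEP 446)
        return child_sees_descriptor(fd, share=False), child_sees_descriptor(fd, share=True)
```

The practical defences follow directly: set a variable to -1 (or drop the object) the moment its descriptor is closed, never close through a copy of the number, and hand a child only the descriptors it needs via an explicit allowlist such as `pass_fds` or `O_CLOEXEC`.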
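CWE-470, CWE-502 and CWE-915 are the same mistake at three layers: a string from the client decides which code runs or which field is written. The following Python program is an added illustration, not code from the CWE entries or from MITRE. The report handlers, the `Profile` class and the `Evil` pickle payload are constructed for the demo; the payload's only effect is to append to a list, which is enough to prove that unpickling executed attacker-chosen code.

```python
"""Untrusted input choosing code or fields (CWE-470, CWE-502, CWE-915).

Added illustration, not code from CWE or MITRE.  The report handlers, the
Profile class and the Evil pickle payload are constructed for the demo.
"""
import io
import pickle


# --- CWE-470: unsafe reflection ---------------------------------------------
def report_csv() -> str:
    return "csv report"


def report_pdf() -> str:
    return "pdf report"


def dump_internal_state() -> str:              # never meant to be user-reachable
    return "internal state"


def run_report_unsafe(name: str) -> str:
    # Every module-level callable is reachable by name, including the one above.
    return globals()[name]()


REPORTS = {"csv": report_csv, "pdf": report_pdf}   # explicit allowlist


def run_report_safe(name: str) -> str:
    try:
        handler = REPORTS[name]
    except KeyError:
        raise ValueError(f"unknown report {name!r}") from None
    return handler()


# --- CWE-502: deserialization of untrusted data -----------------------------
CALLS: list[str] = []                          # records that loading ran code


def side_effect(tag: str) -> None:
    CALLS.append(tag)


class Evil:
    """pickle honours __reduce__, so loading this calls side_effect("rce")."""
    def __reduce__(self):
        return (side_effect, ("rce",))


class RestrictedUnpickler(pickle.Unpickler):
    """Only (module, name) pairs in SAFE may be imported by a blob; plain
    dicts, lists and strings are encoded without any global reference."""
    SAFE = frozenset()                         # extend deliberately, never wildcard

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def deserialization_demo() -> tuple[list[str], bool, dict]:
    """Returns (side effects from pickle.loads, whether the restricted loader
    rejected the same blob, restricted load of a benign blob)."""
    CALLS.clear()
    blob = pickle.dumps(Evil())
    pickle.loads(blob)                         # CWE-502: attacker-chosen callable runs
    try:
        RestrictedUnpickler(io.BytesIO(blob)).load()
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    benign = RestrictedUnpickler(io.BytesIO(pickle.dumps({"user": "alice"}))).load()
    return list(CALLS), rejected, benign


# --- CWE-915: mass assignment -----------------------------------------------
class Profile:
    def __init__(self) -> None:
        self.name = ""
        self.email = ""
        self.is_admin = False


def update_profile_unsafe(p: Profile, fields: dict) -> None:
    for key, value in fields.items():          # writes whatever the client sent
        setattr(p, key, value)


WRITABLE = frozenset({"name", "email"})


def update_profile_safe(p: Profile, fields: dict) -> None:
    unexpected = set(fields) - WRITABLE
    if unexpected:
        raise ValueError(f"fields not writable: {sorted(unexpected)}")
    for key in WRITABLE & set(fields):
        setattr(p, key, fields[key])


def raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True
```

The fix is the same shape each time: a fixed table of what the client may select, and a hard failure for anything else. For serialized data the stronger move is to not accept a code-carrying format from untrusted parties at all (JSON with a schema instead of pickle); the restricted unpickler is what you reach for when the format cannot be changed.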
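CWE-770, CWE-410 and CWE-772 describe the three ways a pool goes wrong: no cap on demand, a cap too small for real load, and resources that are taken but never returned. The program below is an added illustration, not code from the CWE entries or from MITRE. It shows a token-bucket limiter that refuses excess requests instead of queuing them, a fixed-size pool whose callers fail fast when it is exhausted, and a lease that is returned even when the caller raises. The connection objects are placeholders and the clock is injectable so the limiter can be exercised without sleeping.

```python
"""Caps and release for pooled resources (CWE-770, CWE-410, CWE-772).

Added illustration, not code from CWE or MITRE.  Connections are plain
placeholder objects; `clock` is injectable so tests need not sleep.
"""
import queue
import threading
import time
from contextlib import ExitStack, contextmanager


class TokenBucket:
    """Admit at most `burst` requests at once and `rate` per second after that."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic) -> None:
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.updated = clock()
        self.lock = threading.Lock()

    def try_acquire(self) -> bool:
        with self.lock:
            now = self.clock()
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
            self.updated = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return True
            return False                        # CWE-770: refuse, do not queue unboundedly


class PoolExhausted(RuntimeError):
    pass


class BoundedPool:
    """A fixed number of connections (the CWE-410 sizing decision); callers
    that cannot get one within `timeout` are refused instead of piling up."""

    def __init__(self, size: int, factory, timeout: float = 0.05) -> None:
        self._free: queue.Queue = queue.Queue(maxsize=size)
        for _ in range(size):
            self._free.put(factory())
        self.size, self.timeout = size, timeout

    @contextmanager
    def lease(self):
        try:
            conn = self._free.get(timeout=self.timeout)
        except queue.Empty:
            raise PoolExhausted("no connection free; rejecting request") from None
        try:
            yield conn
        finally:
            self._free.put(conn)                # CWE-772: returned even on exceptions

    def free(self) -> int:
        return self._free.qsize()


def flood_demo(size: int = 2, clients: int = 5) -> tuple[int, int, int]:
    """Hold every connection, then let `clients` more ask for one.  Returns
    (admitted, refused, connections back in the pool at the end)."""
    pool = BoundedPool(size, factory=lambda: object())
    admitted = refused = 0
    with ExitStack() as holders:
        for _ in range(size):
            holders.enter_context(pool.lease())     # saturate the pool
        for _ in range(clients):
            try:
                with pool.lease():
                    admitted += 1
            except PoolExhausted:
                refused += 1
    # A failing caller must not leak its connection.
    try:
        with pool.lease():
            raise KeyError("simulated query failure")
    except KeyError:
        pass
    return admitted, refused, pool.free()
```

Sizing the pool (CWE-410) is a capacity question the code cannot answer for you; what the code can guarantee is that exceeding the cap produces a bounded, fast refusal rather than unbounded queueing, and that every lease is returned on every exit path.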
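CWE-73 and CWE-641 go together: restrict what a resource name may contain, then prove the resulting path is still inside the directory you intended, because a name that passes the character check can still escape through a symlink an attacker planted earlier. The program below is an added illustration, not code from the CWE entries or from MITRE. The upload directory, the planted symlink and the candidate names are constructed for the demo.

```python
"""Confining user-supplied file names to one directory (CWE-73, CWE-641).

Added illustration, not code from CWE or MITRE.  The upload directory, the
planted symlink and the candidate names are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# CWE-641: tight allowlist; no separators, no NUL, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def resolve_upload(base: Path, user_name: str) -> Path:
    """Map an untrusted name to a path guaranteed to sit directly in `base`,
    or raise ValueError."""
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError(f"bad file name {user_name!r}")
    root = base.resolve()
    target = (root / user_name).resolve()       # follows symlinks planted inside base
    if target.parent != root:                   # CWE-73: must still be inside base
        raise ValueError(f"{user_name!r} escapes {root}")
    return target


def is_allowed(base: Path, user_name: str) -> bool:
    try:
        resolve_upload(base, user_name)
        return True
    except ValueError:
        return False


def save_upload(base: Path, user_name: str, data: bytes) -> Path:
    target = resolve_upload(base, user_name)
    # O_EXCL: never overwrite; O_NOFOLLOW: never write through a symlink that
    # appeared between the check above and this open.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def name_check_demo() -> dict[str, bool]:
    """Exercise the checks against a temp directory containing a symlink that
    points outside it.  Returns {candidate name: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        os.symlink(tmp, base / "escape")        # attacker-planted link to the parent
        candidates = ["report.pdf", "../../etc/passwd", "a/b.txt", ".ssh",
                      "report.pdf\x00.jpg", "escape", "", "x" * 65]
        return {name: is_allowed(base, name) for name in candidates}


def save_demo() -> tuple[bytes, bool]:
    """Returns (bytes read back after a save, whether a second save of the
    same name was refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        path = save_upload(base, "report.pdf", b"%PDF-1.7 constructed")
        try:
            save_upload(base, "report.pdf", b"overwrite attempt")
            refused = False
        except FileExistsError:
            refused = True
        return path.read_bytes(), refused
```

Note that the name check alone would have accepted `escape`; only the containment check on the resolved path catches it. The remaining gap is the window between `resolve()` and `os.open`, which `O_NOFOLLOW` closes for the final path component.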