logo

Explicit Call to Finalize()

Draft Base
Structure: Simple
Description

This vulnerability occurs when code directly calls an object's finalize() method from outside its designated finalizer context.

Extended Description

Although the Java language specification technically permits calling an object's finalize() method explicitly, this practice is strongly discouraged and often leads to unexpected behavior. The primary issue is that it forces the finalization routine to execute prematurely, outside the control of the garbage collector, which can corrupt the object's state and break standard cleanup logic. Explicitly invoking finalize() typically causes the method to run multiple times: once during the manual call and again later when the garbage collector naturally disposes of the object. This double execution can trigger resource leaks, double-free errors, or other instability because cleanup code is not designed to be idempotent. Developers should rely on the garbage collector to manage finalization automatically and use try-with-resources or explicit close() methods for deterministic cleanup instead.
Common Consequences 1
Scope: IntegrityOther

Impact: Unexpected StateQuality Degradation
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: ImplementationTesting
Do not make explicit calls to finalize(). Use static analysis tools to spot such instances.
Demonstrative Examples 1
The following code fragment calls finalize() explicitly:

Code Example:

Bad
Java


// time to clean up*
widget.finalize();
     
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Java : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
          
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Insufficient Adherence to Expected Conventions (CWE-1076) 
 
 
 
 
Taxonomy Mapping 
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns