Improper Control of a Resource Through its Lifetime

Draft Pillar
Structure: Simple
Description

This vulnerability occurs when software fails to properly manage a resource throughout its entire lifecycle—from creation and active use to its final release or destruction.

Extended Description

Resources, whether memory, files, database connections, or objects, come with inherent rules for safe handling. When code ignores these rules—like using a resource before it's fully initialized or after it's been marked for cleanup—it creates unstable conditions that attackers can exploit. Even without formal documentation, fundamental programming principles apply. You should never use an object before its constructor finishes, and you must avoid referencing resources scheduled for destruction. Consistent, disciplined management at each lifecycle stage is essential for preventing crashes, data corruption, and security breaches.
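The lifecycle rules named above (do not use an object before its constructor finishes, do not touch a resource after it has been scheduled for destruction, do not forget to release it) can be made explicit in code. The following C program is an added example, not part of the CWE entry: it wraps a heap buffer in a small state machine (`RES_UNINIT`, `RES_READY`, `RES_RELEASED`, all constructed names) so that use-before-init, use-after-release and an unreleased resource at scope exit are each reported as a distinct error instead of becoming undefined behaviour. It is a runtime guard that complements the static analysis the entry recommends for unreleased resources.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lifecycle states: declared but not constructed, ready for use,
 * and released (scheduled for destruction). Constructed example names. */
typedef enum { RES_UNINIT = 0, RES_READY, RES_RELEASED } res_state;

/* Each value names one lifecycle violation the guard can report. */
typedef enum {
    RES_OK = 0,
    RES_ERR_ALLOC_FAILED,      /* constructor could not complete */
    RES_ERR_ALREADY_INIT,      /* constructed twice */
    RES_ERR_USE_BEFORE_INIT,   /* used before the constructor finished */
    RES_ERR_USE_AFTER_RELEASE, /* referenced after scheduled for destruction */
    RES_ERR_DOUBLE_RELEASE,    /* released twice */
    RES_ERR_LEAKED             /* still READY when its scope ended */
} res_err;

/* A heap buffer carrying its own lifecycle state. */
typedef struct { res_state state; char *buf; size_t cap; } guarded_res;

/* Declaration: the object exists, but its constructor has not run. */
void res_declare(guarded_res *r) { r->state = RES_UNINIT; r->buf = NULL; r->cap = 0; }

/* Constructor: READY is set last, so a half-built object is never usable. */
res_err res_init(guarded_res *r, size_t cap) {
    if (r->state != RES_UNINIT) return RES_ERR_ALREADY_INIT;
    r->buf = calloc(cap, 1);
    if (r->buf == NULL) return RES_ERR_ALLOC_FAILED;
    r->cap = cap;
    r->state = RES_READY;
    return RES_OK;
}

/* Use: refused unless the resource is READY. */
res_err res_write(guarded_res *r, const char *text) {
    if (r->state == RES_UNINIT) return RES_ERR_USE_BEFORE_INIT;
    if (r->state == RES_RELEASED) return RES_ERR_USE_AFTER_RELEASE;
    snprintf(r->buf, r->cap, "%s", text); /* truncates rather than overflows */
    return RES_OK;
}

/* Destructor: frees exactly once and marks the object so later use is caught. */
res_err res_release(guarded_res *r) {
    if (r->state == RES_UNINIT) return RES_ERR_USE_BEFORE_INIT;
    if (r->state == RES_RELEASED) return RES_ERR_DOUBLE_RELEASE;
    free(r->buf);
    r->buf = NULL;
    r->cap = 0;
    r->state = RES_RELEASED;
    return RES_OK;
}

/* Scope-exit audit: a resource still READY here was never released. */
res_err res_scope_end(const guarded_res *r) {
    return (r->state == RES_READY) ? RES_ERR_LEAKED : RES_OK;
}

/* Scenarios: each returns the first violation the guard reports. */
res_err scenario_correct(void) {
    guarded_res r;
    res_declare(&r);
    res_err e = res_init(&r, 16);
    if (e != RES_OK) return e;
    if ((e = res_write(&r, "hello")) != RES_OK) return e;
    if ((e = res_release(&r)) != RES_OK) return e;
    return res_scope_end(&r);
}

res_err scenario_use_before_init(void) {
    guarded_res r;
    res_declare(&r);
    return res_write(&r, "too early"); /* constructor never ran */
}

res_err scenario_use_after_release(void) {
    guarded_res r;
    res_declare(&r);
    if (res_init(&r, 16) != RES_OK) return RES_ERR_ALLOC_FAILED;
    res_release(&r);
    return res_write(&r, "too late"); /* already scheduled for destruction */
}

res_err scenario_leak(void) {
    guarded_res r;
    res_declare(&r);
    if (res_init(&r, 16) != RES_OK) return RES_ERR_ALLOC_FAILED;
    res_err e = res_scope_end(&r); /* never released: flagged as a leak */
    res_release(&r);               /* clean up so the demo itself does not leak */
    return e;
}

int main(void) {
    printf("correct=%d before_init=%d after_release=%d leak=%d\n",
           scenario_correct(), scenario_use_before_init(),
           scenario_use_after_release(), scenario_leak());
    return 0;
}
```

The guard is deliberately strict about ordering: the state is advanced only after the underlying allocation succeeds, and `res_release` clears the pointer before marking the object released, so a caller that ignores the returned error still cannot reach freed memory through the wrapper.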

Common Consequences

Scope: Other

Impact: Other

Potential Mitigations

Phase: Testing

Use static analysis tools to check for unreleased resources.

Observed Examples

CVE-2018-1000613: Cryptography API uses unsafe reflection when deserializing a private key.

CVE-2019-19911: Chain: Python library does not limit the resources used to process images that specify a very large number of bands (Improper Validation of Specified Quantity in Input), leading to excessive memory consumption (Memory Allocation with Excessive Size Value) or an integer overflow (Integer Overflow or Wraparound).
Applicable Platforms

Languages: Not Language-Specific (Undetermined)

Technologies: Not Technology-Specific (Undetermined)

Modes of Introduction

Implementation
Taxonomy Mapping
  • CERT C Secure Coding
Notes
Maintenance: More work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (Improper Resource Shutdown or Release, Improper Initialization), while other children are independent of lifecycle, such as Uncontrolled Resource Consumption. Others do not specify as many bases or variants, such as Incorrect Type Conversion or Cast, which primarily covers numbers at this stage.