Operation on Resource in Wrong Phase of Lifetime

Status: Draft
Abstraction: Class
Structure: Simple
Description

This vulnerability occurs when software interacts with a resource—like memory, a file, or a network connection—at an incorrect stage of its existence, leading to crashes, data corruption, or unpredictable behavior.

Extended Description

Every resource in a program has a distinct lifecycle: it's created (initialized), used for its intended purpose, and finally cleaned up (released). Each of these phases has specific rules. A common mistake is trying to use a resource before it's fully ready—like reading from an uninitialized memory buffer—or after it's been disposed of, such as closing an already-closed file handle. These operations violate the expected sequence and directly cause instability. To prevent this, developers must explicitly manage state. Ensure initialization is complete before use, validate the resource is in an 'active' state for operations, and avoid repeated or premature release. Using design patterns like RAII (Resource Acquisition Is Initialization) or implementing clear state flags can enforce the correct order and make invalid phase transitions obvious bugs during development.

Common Consequences (1)
Scope: Other

Impact: Other

Potential Mitigations (1)
Phase: Architecture and Design
Follow the resource's lifecycle from creation to release.
Demonstrative Examples (1)

ID: DX-149

The following code shows a simple example of a double free vulnerability.

Code Example:

(bad code)
Example Language: C
Double free vulnerabilities have two common (and sometimes overlapping) causes:
- Error conditions and other exceptional circumstances
- Confusion over which part of the program is responsible for freeing the memory

Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
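The explicit state flag recommended in the extended description, applied to the double free scenario above, as an added example that is not part of the CWE entry: every operation on the buffer first checks its lifecycle phase, so a second release on the common cleanup path after an error-path release is refused rather than reaching free() twice. The type, function and enum names are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Lifecycle phases of a managed buffer (names are assumed for this example). */
typedef enum { RES_UNINIT = 0, RES_ACTIVE, RES_RELEASED } res_state;

typedef struct {
    res_state state;   /* explicit phase flag that every operation consults */
    char *buf;
    size_t len;
} managed_buf;

enum { RES_OK = 0, RES_ERR_PHASE = -1, RES_ERR_ALLOC = -2 };

/* Creation: only allowed from the uninitialised phase (refuses double init). */
int res_init(managed_buf *r, size_t len) {
    if (r->state != RES_UNINIT) return RES_ERR_PHASE;
    if (len == 0 || (r->buf = calloc(len, 1)) == NULL) return RES_ERR_ALLOC;
    r->len = len;
    r->state = RES_ACTIVE;
    return RES_OK;
}

/* Use: refused both before initialisation and after release. */
int res_write(managed_buf *r, const char *src) {
    if (r->state != RES_ACTIVE) return RES_ERR_PHASE;
    strncpy(r->buf, src, r->len - 1);
    r->buf[r->len - 1] = '\0';
    return RES_OK;
}

/* Release: a second call sees RES_RELEASED and errors instead of freeing twice. */
int res_release(managed_buf *r) {
    if (r->state != RES_ACTIVE) return RES_ERR_PHASE;
    free(r->buf);
    r->buf = NULL;
    r->state = RES_RELEASED;
    return RES_OK;
}

/* The scenario from the text: an error path releases the buffer, then the
 * common cleanup path tries to release it again. Returns 1 if the second
 * release was refused, 0 if no double release was attempted, -1 on failure. */
int cleanup_twice(int error_path) {
    managed_buf r = { RES_UNINIT, NULL, 0 };
    if (res_init(&r, 16) != RES_OK || res_write(&r, "payload") != RES_OK) return -1;
    if (error_path && res_release(&r) != RES_OK) return -1;
    return res_release(&r) == RES_ERR_PHASE ? 1 : 0;
}
```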
Observed Examples (1)
CVE-2006-5051: Chain: Signal handler contains too much functionality (Signal Handler with Functionality that is not Asynchronous-Safe), introducing a race condition (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) that leads to a double free (Double Free).
Modes of Introduction
Implementation
Taxonomy Mapping
  • CERT C Secure Coding