Category: CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM)
Obsolete
Summary
Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | This vulnerability occurs when software accesses a memory buffer but reads from or writes to a location outside its allocated boundary. This can corrupt adjacent data, crash the program, or allow attackers to execute arbitrary code. |
| CWE-128 | Wrap-around Error | A wrap-around error happens when a variable exceeds the maximum value its data type can hold, causing it to unexpectedly reset to a very small, negative, or undefined number instead of increasing further. |
| CWE-131 | Incorrect Calculation of Buffer Size | This vulnerability occurs when a program miscalculates the amount of memory needed for a buffer, potentially leading to a buffer overflow that can crash the software or allow attackers to execute malicious code. |
| CWE-190 | Integer Overflow or Wraparound | Integer overflow or wraparound occurs when a calculation produces a numeric result that exceeds the maximum value a variable can hold. Instead of increasing as expected, the value wraps around to a very small or negative number, breaking the program's logic. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context. |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Using realloc() to resize buffers containing secrets like passwords or keys can leave that sensitive data exposed in memory, as the original data is not securely erased. |
| CWE-252 | Unchecked Return Value | This vulnerability occurs when a program fails to verify the result of a function or method call, allowing it to continue execution without detecting errors or unexpected conditions. |
| CWE-415 | Double Free | A double free vulnerability occurs when a program mistakenly calls the 'free()' function twice on the same block of memory. |
| CWE-416 | Use After Free | Use After Free happens when a program continues to use a pointer to a memory location after that memory has been freed. This can lead to unpredictable behavior, crashes, or security vulnerabilities because the freed memory may have been reallocated for a different purpose. |
| CWE-476 | NULL Pointer Dereference | This vulnerability occurs when a program attempts to access or manipulate memory using a pointer that is set to NULL, causing a crash or unexpected behavior. |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | This vulnerability occurs when an application creates a core dump file (a snapshot of memory at the time of a crash) and places it in a location accessible to unauthorized users or systems. |
| CWE-590 | Free of Memory not on the Heap | This vulnerability occurs when a program calls free() on a memory pointer that wasn't originally allocated using standard heap functions like malloc(), calloc(), or realloc(). |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | This vulnerability occurs when an application stores sensitive information, like passwords or encryption keys, in system memory that isn't properly secured from being written to disk. If the memory isn't locked, the operating system's virtual memory manager can swap it to a page or swap file, leaving the data exposed on the storage drive where attackers could potentially recover it. |
| CWE-628 | Function Call with Incorrectly Specified Arguments | This weakness occurs when a function is called with arguments that are incorrectly specified, causing the function to behave in an unintended and consistently wrong manner. |
| CWE-665 | Improper Initialization | This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it in an unpredictable and potentially dangerous state. |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | This vulnerability occurs when a function is called with an argument that holds an incorrect or unexpected value, leading to unintended program behavior or security flaws. |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | This weakness occurs when software fails to properly anticipate and handle rare or unexpected runtime situations that fall outside normal operation. |
| CWE-734 | Weaknesses Addressed by the CERT C Secure Coding Standard (2008) | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.