CWE-1341 Base Incomplete

Multiple Releases of Same Resource or Handle

This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close…

Definition

What is CWE-1341?

This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close violates the API's contract and leads to unpredictable and often dangerous behavior.
Modern software constantly acquires and releases resources such as memory blocks, file handles, and socket connections. APIs like `free()`, `delete()`, or `close()` are designed to manage this lifecycle, but they typically assume the developer will call them exactly once per resource. When the same release function is called a second time on an already-freed resource, the underlying system management structures can become corrupted. This corruption can directly cause crashes, memory leaks, or even create security gaps that attackers might exploit to execute arbitrary code. To prevent this, developers must carefully manage the state of each resource handle, ensuring release calls are paired one-to-one with successful acquisitions. A common best practice is to set pointers or handles to NULL (or another null-like state) immediately after release, as many safe implementations will check for this and ignore subsequent calls. Reusing the same variable identifier for a different resource before properly closing the first is a major risk, as it can lead to closing the wrong, active resource, compounding the problem.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-1341

  • CVE-2019-13351

    file descriptor double close can cause the wrong file to be associated with a file descriptor.

  • CVE-2006-5051

    Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).

  • CVE-2004-0772

    Double free resultant from certain error conditions.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    This example attempts to close a file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (CWE-415) occurs, causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews.

  2. 2

    There are multiple possible fixes. This fix only has one call to fclose(), which is typically the preferred handling of this problem - but this simplistic method is not always possible.

  3. 3

    This fix uses a flag to call fclose() only once. Note that this flag is explicit. The variable "f" could also have been used as it will be either NULL if the file is not able to be opened or a valid pointer if the file was successfully opened. If "f" is replacing "f_flg" then "f" would need to be set to NULL after the first fclose() call so the second fclose call would never be executed.

  4. 4

    The following code shows a simple example of a double free vulnerability.

  5. 5

    Double free vulnerabilities have two common (and sometimes overlapping) causes:

Verwundbares Codebeispiel

Vulnerable C

This example attempts to close a file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (CWE-415) occurs, causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews.

Verwundbar C 
char b[2000];
 FILE *f = fopen("dbl_cls.c", "r");
 if (f)
 {

```
  b[0] = 0;
   fread(b, 1, sizeof(b) - 1, f);
   printf("%s\n'", b);
   int r1 = fclose(f);
   printf("\n-----------------\n1 close done '%d'\n", r1);
   int r2 = fclose(f); // Double close
   printf("2 close done '%d'\n", r2);
 }
Sicheres Codebeispiel

Secure C

There are multiple possible fixes. This fix only has one call to fclose(), which is typically the preferred handling of this problem - but this simplistic method is not always possible.

Sicher C 
char b[2000];
 FILE *f = fopen("dbl_cls.c", "r");
 if (f)
 {

```
  b[0] = 0;
   fread(b, 1, sizeof(b) - 1, f);
   printf("%s\n'", b);
   int r = fclose(f);
   printf("\n-----------------\n1 close done '%d'\n", r);
 }
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-1341

  • Implementation Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.
  • Implementation It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.
  • Implementation When closing a resource, set the resource's associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.
Erkennungssignale

How to detect CWE-1341

Automated Static Analysis

For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.

Automated Dynamic Analysis

Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.

Plexicus Auto-Fix

Plexicus erkennt CWE-1341 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-1341?

This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close violates the API's contract and leads to unpredictable and often dangerous behavior.

Wie gravierend ist CWE-1341?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-1341 betroffen?

MITRE lists the following affected platforms: Java, Rust, C, C++, Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.

Wie kann ich CWE-1341 verhindern?

Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals. It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However,…

Wie erkennt und behebt Plexicus CWE-1341?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1341 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-1341?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1341.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-1341

CWE-675 Parent

Multiple Operations on Resource in Single-Operation Context

This vulnerability occurs when a software component performs the same action on a resource multiple times, even though the action is…

CWE-174 Sibling

Double Decoding of the Same Data

This vulnerability occurs when an application decodes the same piece of data twice in sequence. This double processing can bypass or…

CWE-605 Sibling

Multiple Binds to the Same Port

This vulnerability occurs when a system's socket configuration allows multiple applications to bind to the same network port…

CWE-764 Sibling

Multiple Locks of a Critical Resource

This vulnerability occurs when a critical resource, such as a file, data structure, or connection, is locked more times than the software…

CWE-765 Sibling

Multiple Unlocks of a Critical Resource

This vulnerability occurs when a critical resource, like a lock or semaphore, is unlocked more times than it was locked, putting the…

CWE-672 Kann vorausgehen

Operation on a Resource after Expiration or Release

This vulnerability occurs when a program continues to use a resource—like memory, a file handle, or a network connection—after it has been…

CWE-415 Child

Double Free

A double free vulnerability occurs when a program mistakenly calls the 'free()' function twice on the same block of memory.

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen