Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
CWE-401 Variant Draft
Missing Release of Memory after Effective Lifetime
This vulnerability occurs when a program allocates memory but fails to properly release it after it's no longer needed, causing a gradual accumulation of unused memory that can't be reclaimed by the…
Definition
What is CWE-401?
This vulnerability occurs when a program allocates memory but fails to properly release it after it's no longer needed, causing a gradual accumulation of unused memory that can't be reclaimed by the system.
Memory leaks happen when developers allocate memory (e.g., using `malloc()`, `new`, or similar functions) but neglect to free or delete it once the relevant operation is complete. This often stems from complex control flows, error conditions, or long-running processes where tracking every allocation becomes difficult. Over time, especially in servers or persistent applications, these unreleased blocks accumulate, steadily draining available system memory.
This resource exhaustion can lead to severe performance degradation, application instability, or complete crashes when the system runs out of memory. To prevent this, developers must ensure that every allocation has a corresponding, guaranteed release, using techniques like automatic resource management (e.g., smart pointers in C++, try-with-resources in Java), rigorous code reviews, and specialized leak detection tools during testing.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-401
-
Memory leak because function does not free() an element of a data structure.
-
Memory leak when counter variable is not decremented.
-
chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
-
Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
-
Memory leak via unknown manipulations as part of protocol test suite.
-
Memory leak via a series of the same command.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
Identifiziere einen Codepfad, der nicht vertrauenswürdige Eingaben ohne Validierung verarbeitet.
- 2
Erzeuge eine Payload, die das unsichere Verhalten auslöst — Injection, Traversal, Overflow oder Logik-Missbrauch.
- 3
Liefere die Payload über einen normalen Request aus und beobachte die Reaktion der Anwendung.
- 4
Iteriere, bis die Antwort Daten preisgibt, Angreifer-Code ausführt oder Berechtigungen eskaliert.
Verwundbares Codebeispiel
Vulnerable C
The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes:
char* getBlock(int fd) {
char* buf = (char*) malloc(BLOCK_SIZE);
if (!buf) {
return NULL;
}
if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) {
return NULL;
}
return buf;
} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-401
- Implementation Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. For example, glibc in Linux provides protection against free of invalid pointers. When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
- Architecture and Design Use an abstraction library to abstract away risky APIs. Not a complete solution.
- Architecture and Design / Build and Compilation The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.
Erkennungssignale
How to detect CWE-401
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Plexicus erkennt CWE-401 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-401?
Wie gravierend ist CWE-401?
Welche Sprachen oder Plattformen sind von CWE-401 betroffen?
Wie kann ich CWE-401 verhindern?
Wie erkennt und behebt Plexicus CWE-401?
Wo erfahre ich mehr über CWE-401?
Frequently asked questions
Was ist CWE-401?
This vulnerability occurs when a program allocates memory but fails to properly release it after it's no longer needed, causing a gradual accumulation of unused memory that can't be reclaimed by the system.
Wie gravierend ist CWE-401?
MITRE stuft die Exploit-Wahrscheinlichkeit als mittel ein — eine Ausnutzung ist realistisch, erfordert aber meist bestimmte Bedingungen.
Welche Sprachen oder Plattformen sind von CWE-401 betroffen?
MITRE lists the following affected platforms: C, C++.
Wie kann ich CWE-401 verhindern?
Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone. For example, glibc in Linux provides protection against free of invalid pointers. When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391]. To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and…
Wie erkennt und behebt Plexicus CWE-401?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-401 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-401?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/401.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-401
CWE-772 Parent
Missing Release of Resource after Effective Lifetime
This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after…
CWE-1091 Sibling
Use of Object without Invoking Destructor Method
This weakness occurs when a program accesses an object but fails to properly call its destructor or finalizer method. This leaves the…
CWE-775 Sibling
Missing Release of File Descriptor or Handle after Effective Lifetime
This vulnerability occurs when a program fails to properly close file descriptors or handles after they are no longer needed, leaving…
Ressourcen
Further reading
- MITRE — offizielle CWE-401 https://cwe.mitre.org/data/definitions/401.html
- The CLASP Application Security Process https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
- Transitioning to ARC Release Notes https://developer.apple.com/library/archive/releasenotes/ObjectiveC/RN-TransitioningToARC/Introduction/Introduction.html
- Automated Source Code Performance Efficiency Measure (ASCPEM) https://www.omg.org/spec/ASCPEM/
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.