CWE-825 Base Incompleto

Expired Pointer Dereference

This vulnerability occurs when a program tries to use a pointer that still points to a memory location that has already been freed or released.

Definición

What is CWE-825?

This vulnerability occurs when a program tries to use a pointer that still points to a memory location that has already been freed or released.
This issue, often called a 'use-after-free' scenario, happens when your code frees a block of memory but accidentally keeps a reference (pointer) to it. Later, when that same pointer is used to read or write data, the memory may have been reallocated for a completely different purpose within your application or system. This means you're now interacting with data you didn't intend to, leading to unpredictable behavior. The consequences depend entirely on what now occupies that memory region. You might crash the program (denial of service), read sensitive information that belongs elsewhere (information exposure), or, in the worst case, have attacker-controlled data executed as code. This makes expired pointer dereference a critical weakness that can serve as a gateway to severe security breaches.
Impacto en el mundo real

Real-world CVEs caused by CWE-825

  • CVE-2008-5013

    access of expired memory address leads to arbitrary code execution

  • CVE-2010-3257

    stale pointer issue leads to denial of service and possibly other consequences

  • CVE-2008-0062

    Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.

  • CVE-2007-1211

    read of value at an offset into a structure after the offset is no longer valid

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    The following code shows a simple example of a use after free error:

  2. 2

    When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

  3. 3

    The following code shows a simple example of a double free error:

  4. 4

    Double free vulnerabilities have two common (and sometimes overlapping) causes:

  5. 5

    - Error conditions and other exceptional circumstances - Confusion over which part of the program is responsible for freeing the memory

Ejemplo de código vulnerable

Vulnerable C

The following code shows a simple example of a use after free error:

Vulnerable C 
char* ptr = (char*)malloc (SIZE);
  if (err) {
  	abrt = 1;
  	free(ptr);
  }
  ...
  if (abrt) {
  	logError("operation aborted before commit", ptr);
  }
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-825

  • Architecture and Design Choose a language that provides automatic memory management.
  • Implementation When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
Señales de detección

How to detect CWE-825

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-825 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-825?

This vulnerability occurs when a program tries to use a pointer that still points to a memory location that has already been freed or released.

¿Qué gravedad tiene CWE-825?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-825?

MITRE lists the following affected platforms: C, C++.

¿Cómo puedo prevenir CWE-825?

Choose a language that provides automatic memory management. When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

¿Cómo detecta y corrige Plexicus CWE-825?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-825 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-825?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/825.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-825

CWE-119 Padre

Improper Restriction of Operations within the Bounds of a Memory Buffer

This vulnerability occurs when software accesses a memory buffer but reads from or writes to a location outside its allocated boundary.…

CWE-120 Hermano

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will…

CWE-123 Hermano

Write-what-where Condition

A write-what-where condition occurs when an attacker can control both the data written and the exact memory location where it's written,…

CWE-125 Hermano

Out-of-bounds Read

An out-of-bounds read occurs when software accesses memory outside the boundaries of a buffer, array, or similar data structure, reading…

CWE-130 Hermano

Improper Handling of Length Parameter Inconsistency

This vulnerability occurs when a program reads a structured data packet or message but fails to properly validate that the declared length…

CWE-466 Hermano

Return of Pointer Value Outside of Expected Range

This vulnerability occurs when a function returns a memory pointer that points outside the expected buffer range, potentially exposing…

CWE-786 Hermano

Access of Memory Location Before Start of Buffer

This vulnerability occurs when software attempts to read from or write to a memory location positioned before the official start of a…

CWE-787 Hermano

Out-of-bounds Write

This vulnerability occurs when software incorrectly writes data outside the boundaries of its allocated memory buffer, either beyond the…

CWE-788 Hermano

Access of Memory Location After End of Buffer

This vulnerability occurs when software attempts to read from or write to a memory buffer using an index or pointer that points past the…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo