CWE-1325: Improperly Controlled Sequential Memory Allocation

BaseIncomplete

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

View on MITRE
Back to CWE Lookup

Extended Description

While the product might limit the amount of memory that is allocated in a single operation for a single object (such as a malloc of an array), if an attacker can cause multiple objects to be allocated in separate operations, then this might cause higher total memory consumption than the developer intended, leading to a denial of service.

Technical Details

Structure
Simple

Applicable To

Languages
CC++Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-1325: Improperly Controlled Sequential Memory Allocation?+

CWE-1325: Improperly Controlled Sequential Memory Allocation is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects. While the product might limit the amount of memory that is allocated in a single operation for a single object (such as a malloc of an array), if an attacker can cause multiple objects to be allocated in separate operations, then this might cause higher total memory consumption than the developer intended, leading to a denial of service.

What are the security consequences of Improperly Controlled Sequential Memory Allocation?+

If exploited, CWE-1325 (Improperly Controlled Sequential Memory Allocation) it can compromise Availability, leading to outcomes such as DoS: Resource Consumption (Memory).

How do you prevent or mitigate Improperly Controlled Sequential Memory Allocation?+

Recommended mitigations for CWE-1325 include: Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Which programming languages are affected by Improperly Controlled Sequential Memory Allocation?+

CWE-1325 commonly affects C, C++ and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improperly Controlled Sequential Memory Allocation?+

MITRE documents real CVEs mapped to CWE-1325, including CVE-2020-36049, CVE-2019-20176 and CVE-2013-1591. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1325 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More