CWE-1341: Multiple Releases of Same Resource or Handle

BaseIncomplete

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

View on MITRE
Back to CWE Lookup

Extended Description

Code typically requires "opening" handles or references to resources such as memory, files, devices, socket connections, services, etc. When the code is finished with using the resource, it is typically expected to "close" or "release" the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors - or in some cases, within the same process. API functions or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languages. Unfortunately, the implementation or design of such APIs might expect the developer to be responsible for ensuring that such APIs are only called once per release of the resource. If the developer attempts to release the same resource/handle more than once, then the API's expectations are not met, resulting in undefined and/or insecure behavior. This could lead to consequences such as memory corruption, data corruption, execution path corruption, or other consequences. Note that while the implementation for most (if not all) resource reservation allocations involve a unique identifier/pointer/symbolic reference, then if this identifier is reused, checking the identifier for resource closure may result in a false state of openness and closing of the wrong resource. For this reason, reuse of identifiers is discouraged.

Technical Details

Structure
Simple

Applicable To

Languages
JavaRustCC++Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1341: Multiple Releases of Same Resource or Handle?+

CWE-1341: Multiple Releases of Same Resource or Handle is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product attempts to close or release a resource or handle more than once, without any successful open between the close operations. Code typically requires "opening" handles or references to resources such as memory, files, devices, socket connections, services, etc. When the code is finished with using the resource, it is typically expected to "close" or "release" the resource, which indicates to the environment (such as the OS) that the resource can be re-assigned or reused by unrelated processes or actors - or in some cases, within the same process. API functions or other abstractions are often used to perform this release, such as free() or delete() within C/C++, or file-handle close() operations that are used in many languages. Unfortunately, the implementation or design of such APIs might expect the developer to be responsible for ensuring that such APIs are only called once per release of the resource. If the developer attempts to release the same resource/handle more than once, then the API's expectations are not met, resulting in undefined and/or insecure behavior. This could lead to consequences such as memory corruption, data corruption, execution path corruption, or other consequences. Note that while the implementation for most (if not all) resource reservation allocations involve a unique identifier/pointer/symbolic reference, then if this identifier is reused, checking the identifier for resource closure may result in a false state of openness and closing of the wrong resource. For this reason, reuse of identifiers is discouraged.

What are the security consequences of Multiple Releases of Same Resource or Handle?+

If exploited, CWE-1341 (Multiple Releases of Same Resource or Handle) it can compromise Availability and Integrity, leading to outcomes such as DoS: Crash, Exit, or Restart.

How do you prevent or mitigate Multiple Releases of Same Resource or Handle?+

Recommended mitigations for CWE-1341 include: Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals. It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.

How is Multiple Releases of Same Resource or Handle detected?+

CWE-1341 can be detected using Automated Static Analysis and Automated Dynamic Analysis. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Multiple Releases of Same Resource or Handle?+

CWE-1341 commonly affects Java, Rust, C, C++ and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Multiple Releases of Same Resource or Handle?+

MITRE documents real CVEs mapped to CWE-1341, including CVE-2019-13351, CVE-2006-5051 and CVE-2004-0772. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1341 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More