CWE-401: Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Technical Details
Structure: Simple
Applicable To: C, C++
CWE Top 25 Historical Ranking: #23 in 2024 (772 CVEs that year)
Security Consequences
Scope: Availability, Other
Impact: DoS: Crash, Exit, or Restart; DoS: Instability; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); Reduce Performance
Most memory leaks result in general product reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.
Mitigation Strategies
- Use an abstraction library to abstract away risky APIs. Not a complete solution.
- The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes:
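The listing itself is not reproduced on this page. As an added illustration (my own code, not MITRE's demonstrative example), the hypothetical read_block_leaky() below shows the pattern the sentence describes, with an early return on a short read that abandons the buffer, and read_block_fixed() releases the block on every exit path; leaked_blocks_after() feeds each version a constructed pipe carrying fewer bytes than requested so the leak can be counted without valgrind.

```c
#include <stdlib.h>
#include <unistd.h>

/* Count of heap blocks currently handed out by the helpers below, so the
 * leak is observable in-process (a stand-in for what valgrind would report). */
static int live_blocks = 0;

static char *alloc_buf(size_t n) { char *p = malloc(n); if (p) live_blocks++; return p; }
static void free_buf(char *p) { if (p) { free(p); live_blocks--; } }

/* CWE-401 pattern: if read() returns fewer bytes than requested, the early
 * return skips free() and the block is lost for the lifetime of the process. */
char *read_block_leaky(int fd, size_t want) {
    char *buf = alloc_buf(want);
    if (!buf) return NULL;
    ssize_t got = read(fd, buf, want);
    if (got < 0 || (size_t)got != want) {
        return NULL;              /* buf is never freed on this path */
    }
    return buf;
}

/* Fixed version: every exit path either hands the block to the caller
 * (who owns it from then on) or frees it before returning. */
char *read_block_fixed(int fd, size_t want) {
    char *buf = alloc_buf(want);
    if (!buf) return NULL;
    ssize_t got = read(fd, buf, want);
    if (got < 0 || (size_t)got != want) {
        free_buf(buf);            /* release before the error return */
        return NULL;
    }
    return buf;
}

/* Harness with constructed input: a pipe holding 5 bytes while the reader
 * asks for 16, so read() returns short. Returns how many blocks the call
 * left live, i.e. 1 for the leaky version and 0 for the fixed one. */
int leaked_blocks_after(char *(*fn)(int, size_t)) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    const char msg[] = "short";   /* constructed sample payload, 5 bytes */
    (void)write(fds[1], msg, sizeof msg - 1);
    close(fds[1]);                /* EOF: read() cannot block waiting for more */
    int before = live_blocks;
    char *p = fn(fds[0], 16);
    close(fds[0]);
    free_buf(p);                  /* NULL on the short-read path */
    return live_blocks - before;
}
```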
Observed CVE Examples (6)
- Memory leak because function does not free() an element of a data structure.
- chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
- Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-401: Missing Release of Memory after Effective Lifetime?
CWE-401: Missing Release of Memory after Effective Lifetime is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Is CWE-401 in the CWE Top 25 Most Dangerous Software Weaknesses?
Yes. CWE-401 ranked #23 in the CWE Top 25 for 2024, associated with 772 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.
What are the security consequences of Missing Release of Memory after Effective Lifetime?
If exploited, CWE-401 (Missing Release of Memory after Effective Lifetime) can compromise Availability and Other, leading to outcomes such as DoS: Crash, Exit, or Restart; DoS: Instability; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); and Reduce Performance.
How do you prevent or mitigate Missing Release of Memory after Effective Lifetime?
Recommended mitigations for CWE-401 include: use an abstraction library to abstract away risky APIs (not a complete solution), and use the Boehm-Demers-Weiser Garbage Collector or valgrind to detect leaks in code.
Which programming languages are affected by Missing Release of Memory after Effective Lifetime?
CWE-401 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Missing Release of Memory after Effective Lifetime?
MITRE documents real CVEs mapped to CWE-401, including CVE-2005-3119, CVE-2004-0427, CVE-2002-0574, CVE-2005-3181 and CVE-2004-0222. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-401 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.