Choose a language that provides automatic memory management.
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Use a static analysis tool to find double free instances.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
CWE-415: CWE-415: Double Free is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-415 (CWE-415: Double Free) it can compromise Modify Memory and Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Integrity, Confidentiality, Availability When a program calls free() twice with the same argument, the program's memory management data structures may become corrupted, potentially leading to the reading or modification of unexpected memory addresses. This corruption can cause the program to crash or and in some circumstances.
Recommended mitigations for CWE-415 include: Choose a language that provides automatic memory management. Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once. Use a static analysis tool to find double free instances.
CWE-415 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-415 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.