CWE-415: CWE-415: Double Free

VariantStable

Description

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-415: CWE-415: Double Free?+

CWE-415: CWE-415: Double Free is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

What are the security consequences of CWE-415: Double Free?+

If exploited, CWE-415 (CWE-415: Double Free) it can compromise Modify Memory and Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Integrity, Confidentiality, Availability When a program calls free() twice with the same argument, the program's memory management data structures may become corrupted, potentially leading to the reading or modification of unexpected memory addresses. This corruption can cause the program to crash or and in some circumstances.

How do you prevent or mitigate CWE-415: Double Free?+

Recommended mitigations for CWE-415 include: Choose a language that provides automatic memory management. Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once. Use a static analysis tool to find double free instances.

Which programming languages are affected by CWE-415: Double Free?+

CWE-415 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-415 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More