CWE-460: Improper Cleanup on Thrown Exception
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
Extended Description
Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.
Technical Details
- Structure: Simple
- Applicable To: C, C++, Java, C#
Security Consequences
- Scope: Other
- Impact: Varies by Context; the code could be left in a bad state.
Mitigation Strategies
- Description: If you break out of a loop or function by throwing an exception, make sure that cleanup still happens or that the program exits. Throw exceptions sparingly.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following example demonstrates the weakness.
In this case, a lock acquired by a thread might accidentally be left held when the exception is thrown.
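The code listing itself is not reproduced on this page, so the following is an added C++ example (not MITRE's demonstrative code) of the same failure: a mutex taken by hand inside a loop is leaked when a parsing exception skips the unlock, shown next to the RAII form that releases it during unwinding. The record batch, the TrackedMutex wrapper and the function names are constructed for this example.

```cpp
#include <mutex>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed input: a batch of records, one of which is malformed and makes
// std::stol throw part-way through the loop.
static const std::vector<std::string> kRecords = {"10", "20", "oops", "40"};

// std::mutex wrapper that records whether it is held, so a leaked lock can be
// reported without calling try_lock from the owning thread (undefined
// behaviour). It is BasicLockable, so std::lock_guard works with it.
struct TrackedMutex {
    std::mutex m;
    bool held = false;
    void lock()   { m.lock(); held = true; }
    void unlock() { held = false; m.unlock(); }
};

TrackedMutex g_total_mutex;   // protects g_total (hypothetical shared state)
long g_total = 0;

// Vulnerable version (CWE-460): lock/unlock are paired by hand. When std::stol
// throws on "oops", unlock() is skipped and the mutex stays held afterwards.
void sum_records_unsafe() {
    for (const auto& rec : kRecords) {
        g_total_mutex.lock();
        g_total += std::stol(rec);   // throws std::invalid_argument on "oops"
        g_total_mutex.unlock();      // skipped for the bad record
    }
}

// Fixed version: std::lock_guard releases the mutex in its destructor, which
// runs during stack unwinding, so the exception cannot leak the lock.
void sum_records_safe() {
    for (const auto& rec : kRecords) {
        std::lock_guard<TrackedMutex> guard(g_total_mutex);
        g_total += std::stol(rec);   // still throws; the guard still unlocks
    }
}

// Runs one version, swallows the exception the bad record causes, and reports
// whether the lock leaked; a leaked lock is released (this thread owns it).
bool lock_leaks_after_exception(void (*fn)()) {
    g_total = 0;
    try { fn(); } catch (const std::invalid_argument&) { /* bad record */ }
    const bool leaked = g_total_mutex.held;
    if (leaked) g_total_mutex.unlock();
    return leaked;
}
```

Both versions add the first two records (total 30) before the third record throws; only the hand-paired version leaves the mutex held.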
CWE Relationships
Frequently Asked Questions
What is CWE-460: Improper Cleanup on Thrown Exception?
CWE-460: Improper Cleanup on Thrown Exception is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.
What are the security consequences of Improper Cleanup on Thrown Exception?
If exploited, CWE-460 (Improper Cleanup on Thrown Exception) can compromise the scope "Other", with an impact that varies by context.
How do you prevent or mitigate Improper Cleanup on Thrown Exception?
Recommended mitigations for CWE-460 include: if you break out of a loop or function by throwing an exception, make sure that cleanup still happens or that the program exits. Throw exceptions sparingly.
Which programming languages are affected by Improper Cleanup on Thrown Exception?
CWE-460 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-460 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.