The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
View on MITREOften, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.
The code could be left in a bad state.
If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely.
No detection method information available for this CWE.
The following example demonstrates the weakness.
In this case, a thread might be left locked accidentally.
CWE-460: Improper Cleanup on Thrown Exception is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. Often, when functions or loops become complicated, some level of resource cleanup is needed throughout execution. Exceptions can disturb the flow of the code and prevent the necessary cleanup from happening.
If exploited, CWE-460 (Improper Cleanup on Thrown Exception) it can compromise Other, leading to outcomes such as Varies by Context.
Recommended mitigations for CWE-460 include: If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely.
CWE-460 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-460 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.