CWE-765: Multiple Unlocks of a Critical Resource

BaseIncomplete

The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.

View on MITRE
Back to CWE Lookup

Extended Description

When the product is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra calls to unlock will increase the count for the number of available resources, likely resulting in a crash or unpredictable behavior when the system nears capacity.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-765: Multiple Unlocks of a Critical Resource?+

CWE-765: Multiple Unlocks of a Critical Resource is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product unlocks a critical resource more times than intended, leading to an unexpected state in the system. When the product is operating in a concurrent environment and repeatedly unlocks a critical resource, the consequences will vary based on the type of lock, the lock's implementation, and the resource being protected. In some situations such as with semaphores, the resources are pooled and extra calls to unlock will increase the count for the number of available resources, likely resulting in a crash or unpredictable behavior when the system nears capacity.

What are the security consequences of Multiple Unlocks of a Critical Resource?+

If exploited, CWE-765 (Multiple Unlocks of a Critical Resource) it can compromise Availability and Integrity, leading to outcomes such as DoS: Crash, Exit, or Restart, Modify Memory and Unexpected State.

How do you prevent or mitigate Multiple Unlocks of a Critical Resource?+

Recommended mitigations for CWE-765 include: When locking and unlocking a resource, try to be sure that all control paths through the code in which the resource is locked one or more times correspond to exactly as many unlocks. If the product acquires a lock and then determines it is not able to perform its intended behavior, be sure to release the lock(s) before waiting for conditions to improve. Reacquire the lock(s) before trying again.

What are real-world examples of Multiple Unlocks of a Critical Resource?+

MITRE documents real CVEs mapped to CWE-765, including CVE-2009-0935. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-765 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More