CWE-789: Memory Allocation with Excessive Size Value

VariantDraft

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
CC++Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-789: Memory Allocation with Excessive Size Value?+

CWE-789: Memory Allocation with Excessive Size Value is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

What are the security consequences of Memory Allocation with Excessive Size Value?+

If exploited, CWE-789 (Memory Allocation with Excessive Size Value) it can compromise Availability, leading to outcomes such as DoS: Resource Consumption (Memory).

How do you prevent or mitigate Memory Allocation with Excessive Size Value?+

Recommended mitigations for CWE-789 include: Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary. Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Which programming languages are affected by Memory Allocation with Excessive Size Value?+

CWE-789 commonly affects C, C++ and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Memory Allocation with Excessive Size Value?+

MITRE documents real CVEs mapped to CWE-789, including CVE-2019-19911, CVE-2010-3701, CVE-2008-1708, CVE-2008-0977 and CVE-2006-3791. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-789 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More