VYPR

CWE-404

Improper Resource Shutdown or Release

Class · Draft · Likelihood: Medium

Description

The product does not release or incorrectly releases a resource before it is made available for re-use.

When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-131 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-666

CVEs mapped to this weakness (306)

  • CVE-2018-8164 · High · May 9, 2018
    risk 0.51 · cvss 7.8 · epss 0.01

    An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server…

  • CVE-2018-6592 · High · Feb 19, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    Unisys Stealth 3.3 Windows endpoints before 3.3.016.1 allow local users to gain access to Stealth-enabled devices by leveraging improper cleanup of memory used for negotiation key storage.

  • CVE-2017-11016 · High · Dec 5, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, when memory allocation fails while creating a calibration block in create_cal_block stale pointers are left uncleared.

  • CVE-2017-0769 · High · Sep 8, 2017
    risk 0.51 · cvss 7.8 · epss 0.00

    An elevation of privilege vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-37662122.

  • CVE-2026-10069 · High · May 29, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability…

  • CVE-2026-7263 · High · May 10, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter…

  • CVE-2026-1876 · High · Mar 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP…

  • CVE-2026-1875 · High · Mar 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP…

  • CVE-2025-55102 · High · Jan 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet…

  • CVE-2025-8671 · High · Aug 13, 2025
    risk 0.49 · cvss 7.5 · epss 0.05

    A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then…

  • CVE-2025-8761 · High · Aug 13, 2025
    risk 0.49 · cvss 7.5 · epss 0.06

    A vulnerability has been found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This vulnerability affects unknown code of the component Backend IPC Server. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and…

  • CVE-2025-31237 · High · May 12, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. Mounting a maliciously crafted AFP network share may lead to system termination.

  • CVE-2025-29313 · High · Mar 24, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Use of incorrectly resolved name or reference in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to cause a Denial of Service (DoS).

  • CVE-2025-24811 · High · Feb 11, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability has been identified in SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC…

  • CVE-2024-4791 · High · May 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability classified as critical was found in Contemporary Control System BASrouter BACnet BASRT-B 2.7.2. This vulnerability affects unknown code of the component Application Protocol Data Unit. The manipulation leads to denial of service. The attack can be initiated…

  • CVE-2017-1000411 · High · Jan 31, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with…

  • CVE-2012-2805 · High · Aug 28, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to cause a denial of service.

  • CVE-2016-10363 · High · Jun 16, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled…

  • CVE-2016-8212 · High · Feb 3, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to 6.2.2. There is an Improper OCSP Validation Vulnerability. OCSP responses have two time values: thisUpdate and nextUpdate. These specify a validity period; however, both values are optional. Crypto-J treats the…

  • CVE-2010-4038 · High · Oct 21, 2010
    risk 0.49 · cvss 7.5 · epss 0.02

    The Web Sockets implementation in Google Chrome before 7.0.517.41 does not properly handle a shutdown action, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors.