CWE-672
Operation on a Resource after Expiration or Release
Class | Draft
Description
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Hierarchy (View 1000)
CVEs mapped to this weakness (7)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6031 | High | 0.49 | 7.5 | 0.00 | | Jun 12, 2025 | Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported. When a user powers on the Amazon Cloud Cam, the device attempts to connect to a remote service infrastructure that has been deprecated due to end-of-life status. The device defaults to a pairing status in which an arbitrary user can bypass SSL pinning to associate the device to an arbitrary network, allowing for network traffic interception and modification. We recommend customers discontinue usage of any remaining Amazon Cloud Cams. |
| CVE-2009-3547 | High | 0.49 | 7.0 | 0.03 | | Nov 4, 2009 | Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. |
| CVE-2024-4693 | Med | 0.36 | 5.5 | 0.00 | | May 14, 2024 | A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop(). This flaw allows a malicious guest to crash the QEMU process on the host. |
| CVE-2019-20022 | Med | 0.35 | 6.5 | 0.00 | | Dec 27, 2019 | An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3. |
| CVE-2025-2517 | Low | 0.15 | — | 0.00 | | Apr 21, 2025 | Reference to Expired Domain Vulnerability in OpenText™ ArcSight Enterprise Security Manager. |
| CVE-2026-1237 | Low | 0.14 | — | 0.00 | | Jan 28, 2026 | Vulnerable cross-model authorization in juju. If a charm's cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing. |
| CVE-2025-22149 | Low | 0.07 | — | 0.00 | | Jan 9, 2025 | JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). |