CWE-772
Missing Release of Resource after Effective Lifetime
Description
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-469
CVEs mapped to this weakness (345)
page 2 of 18| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-12245 | Hig | 0.56 | 8.6 | 0.02 | Oct 5, 2017 | A vulnerability in SSL traffic decryption for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause depletion of system memory, aka a Firepower Detection Engine SSL Decryption Memory Consumption Denial of Service vulnerability. If… | ||
| CVE-2017-1000408 | Hig | 0.54 | 7.8 | 0.01 | Feb 1, 2018 | A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366. | ||
| CVE-2026-35227 | Hig | 0.53 | — | 0.00 | May 12, 2026 | An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections. | ||
| CVE-2001-0830 | Hig | 0.52 | 7.5 | 0.06 | Dec 6, 2001 | 6tunnel 0.08 and earlier does not properly close sockets that were initiated by a client, which allows remote attackers to cause a denial of service (resource exhaustion) by repeatedly connecting to and disconnecting from the server. | ||
| CVE-2017-15845 | Hig | 0.51 | 7.8 | 0.00 | Jan 10, 2018 | In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an invalid input of firmware size (negative value) from user space can potentially lead to the memory leak or buffer overflow during the WLAN cal data store operation. | ||
| CVE-2017-0719 | Hig | 0.51 | 7.8 | 0.01 | Aug 9, 2017 | A remote code execution vulnerability in the Android media framework (mpeg2 decoder). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37273673. | ||
| CVE-2025-65947 | Hig | 0.50 | — | 0.00 | Nov 21, 2025 | thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails… | ||
| CVE-1999-1127 | Hig | 0.50 | 7.5 | 0.18 | Dec 31, 1999 | Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. | ||
| CVE-2026-39455 | Hig | 0.49 | 7.5 | 0.00 | May 13, 2026 | When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. Note: Software versions which have reached End of Technical… | ||
| CVE-2026-3104 | Hig | 0.49 | 7.5 | 0.01 | Mar 25, 2026 | A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and… | ||
| CVE-2025-24120 | Hig | 0.49 | 7.5 | 0.01 | Jan 27, 2025 | This issue was addressed by improved management of object lifetimes. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An attacker may be able to cause unexpected app termination. | ||
| CVE-2018-17332 | Hig | 0.49 | 7.5 | 0.01 | Sep 22, 2018 | An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls. | ||
| CVE-2018-1999043 | — | Hig | 0.49 | 7.5 | 0.02 | Aug 23, 2018 | A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials. | |
| CVE-2018-1000215 | Hig | 0.49 | 7.5 | 0.02 | Aug 20, 2018 | Dave Gamble cJSON version 1.7.6 and earlier contains a CWE-772 vulnerability in cJSON library that can result in Denial of Service (DoS). This attack appear to be exploitable via If the attacker can force the data to be printed and the system is in low memory it can force a leak… | ||
| CVE-2018-7994 | Hig | 0.49 | 7.5 | 0.01 | Jul 31, 2018 | Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; V500R002C10; NIP6300 V500R001C50; NIP6600 V500R001C50; NIP6800 V500R001C50; Secospace USG6600 V500R001C50; USG9500 V500R001C50 have a memory leak vulnerability. The software does not release allocated memory… | ||
| CVE-2018-5536 | Hig | 0.49 | 7.5 | 0.02 | Jul 25, 2018 | A remote attacker via undisclosed measures, may be able to exploit an F5 BIG-IP APM 13.0.0-13.1.0.7 or 12.1.0-12.1.3.5 virtual server configured with an APM per-request policy object and cause a memory leak in the APM module. | ||
| CVE-2018-14073 | Hig | 0.49 | 7.5 | 0.01 | Jul 15, 2018 | libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c. | ||
| CVE-2018-14072 | Hig | 0.49 | 7.5 | 0.01 | Jul 15, 2018 | libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, image_buffer_resize in fromsixel.c, and sixel_decode_raw in fromsixel.c. | ||
| CVE-2018-13843 | Hig | 0.49 | 7.5 | 0.01 | Jul 10, 2018 | An issue has been found in HTSlib 1.8. It is a memory leak in bgzf_getline in bgzf.c. NOTE: the software maintainer's position is that the "failure to free memory" can be fixed in applications that use the HTSlib library (such as test/test_bgzf.c in the original report) and is… | ||
| CVE-2018-13420 | Hig | 0.49 | 7.5 | 0.02 | Jul 7, 2018 | Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program |
- risk 0.56cvss 8.6epss 0.02
A vulnerability in SSL traffic decryption for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause depletion of system memory, aka a Firepower Detection Engine SSL Decryption Memory Consumption Denial of Service vulnerability. If…
- risk 0.54cvss 7.8epss 0.01
A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
- risk 0.53cvss —epss 0.00
An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections.
- risk 0.52cvss 7.5epss 0.06
6tunnel 0.08 and earlier does not properly close sockets that were initiated by a client, which allows remote attackers to cause a denial of service (resource exhaustion) by repeatedly connecting to and disconnecting from the server.
- risk 0.51cvss 7.8epss 0.00
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, an invalid input of firmware size (negative value) from user space can potentially lead to the memory leak or buffer overflow during the WLAN cal data store operation.
- risk 0.51cvss 7.8epss 0.01
A remote code execution vulnerability in the Android media framework (mpeg2 decoder). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37273673.
- risk 0.50cvss —epss 0.00
thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails…
- risk 0.50cvss 7.5epss 0.18
Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.
- risk 0.49cvss 7.5epss 0.00
When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. Note: Software versions which have reached End of Technical…
- risk 0.49cvss 7.5epss 0.01
A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and…
- risk 0.49cvss 7.5epss 0.01
This issue was addressed by improved management of object lifetimes. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An attacker may be able to cause unexpected app termination.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
- risk 0.49cvss 7.5epss 0.02
A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.
- risk 0.49cvss 7.5epss 0.02
Dave Gamble cJSON version 1.7.6 and earlier contains a CWE-772 vulnerability in cJSON library that can result in Denial of Service (DoS). This attack appear to be exploitable via If the attacker can force the data to be printed and the system is in low memory it can force a leak…
- risk 0.49cvss 7.5epss 0.01
Some Huawei products IPS Module V500R001C50; NGFW Module V500R001C50; V500R002C10; NIP6300 V500R001C50; NIP6600 V500R001C50; NIP6800 V500R001C50; Secospace USG6600 V500R001C50; USG9500 V500R001C50 have a memory leak vulnerability. The software does not release allocated memory…
- risk 0.49cvss 7.5epss 0.02
A remote attacker via undisclosed measures, may be able to exploit an F5 BIG-IP APM 13.0.0-13.1.0.7 or 12.1.0-12.1.3.5 virtual server configured with an APM per-request policy object and cause a memory leak in the APM module.
- risk 0.49cvss 7.5epss 0.01
libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c.
- risk 0.49cvss 7.5epss 0.01
libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, image_buffer_resize in fromsixel.c, and sixel_decode_raw in fromsixel.c.
- risk 0.49cvss 7.5epss 0.01
An issue has been found in HTSlib 1.8. It is a memory leak in bgzf_getline in bgzf.c. NOTE: the software maintainer's position is that the "failure to free memory" can be fixed in applications that use the HTSlib library (such as test/test_bgzf.c in the original report) and is…
- risk 0.49cvss 7.5epss 0.02
Google gperftools 2.7 has a memory leak in malloc_extension.cc, related to MallocExtension::Register and InitModule. NOTE: the software maintainer indicates that this is not a bug; it is only a false-positive report from the LeakSanitizer program