CWE-772
Missing Release of Resource after Effective Lifetime
BaseDraftLikelihood: High
Description
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-469
CVEs mapped to this weakness (223)
page 2 of 12| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35227 | Hig | 0.53 | — | 0.00 | May 12, 2026 | An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections. | |
| CVE-2001-0830 | Hig | 0.52 | 7.5 | 0.09 | Dec 6, 2001 | 6tunnel 0.08 and earlier does not properly close sockets that were initiated by a client, which allows remote attackers to cause a denial of service (resource exhaustion) by repeatedly connecting to and disconnecting from the server. | |
| CVE-2017-0719 | Hig | 0.51 | 7.8 | 0.00 | Aug 9, 2017 | A remote code execution vulnerability in the Android media framework (mpeg2 decoder). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37273673. | |
| CVE-1999-1127 | Hig | 0.51 | 7.5 | 0.30 | Dec 31, 1999 | Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability. | |
| CVE-2025-65947 | Hig | 0.50 | — | 0.00 | Nov 21, 2025 | thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached. In Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer. This issue has been patched in version 0.2.2. | |
| CVE-2015-7701 | Hig | 0.50 | 7.5 | 0.14 | Aug 7, 2017 | Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption). | |
| CVE-2017-5507 | Hig | 0.50 | 7.5 | 0.11 | Mar 24, 2017 | Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a denial of service (memory consumption) via vectors involving a pixel cache. | |
| CVE-2026-39455 | Hig | 0.49 | 7.5 | 0.00 | May 13, 2026 | When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |
| CVE-2025-24120 | Hig | 0.49 | 7.5 | 0.00 | Jan 27, 2025 | This issue was addressed by improved management of object lifetimes. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An attacker may be able to cause unexpected app termination. | |
| CVE-2018-14073 | Hig | 0.49 | 7.5 | 0.00 | Jul 15, 2018 | libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c. | |
| CVE-2018-14072 | Hig | 0.49 | 7.5 | 0.00 | Jul 15, 2018 | libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, image_buffer_resize in fromsixel.c, and sixel_decode_raw in fromsixel.c. | |
| CVE-2017-6135 | Hig | 0.49 | 7.5 | 0.01 | Dec 21, 2017 | In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, a slow memory leak as a result of undisclosed IPv4 or IPv6 packets sent to BIG-IP management port or self IP addresses may lead to out of memory (OOM) conditions. | |
| CVE-2017-2700 | Hig | 0.49 | 7.5 | 0.00 | Nov 22, 2017 | AC6005 with software V200R006C10, AC6605 with software V200R006C10 have a DoS Vulnerability. An attacker can send malformed packets to the device, which causes the device memory leaks, leading to DoS attacks. | |
| CVE-2017-16892 | Hig | 0.49 | 7.5 | 0.00 | Nov 19, 2017 | In Bftpd before 4.7, there is a memory leak in the file rename function. | |
| CVE-2017-15268 | Hig | 0.49 | 7.5 | 0.02 | Oct 12, 2017 | Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. | |
| CVE-2017-15189 | Hig | 0.49 | 7.5 | 0.00 | Oct 10, 2017 | In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements. | |
| CVE-2017-15033 | Hig | 0.49 | 7.5 | 0.00 | Oct 5, 2017 | ImageMagick version 7.0.7-2 contains a memory leak in ReadYUVImage in coders/yuv.c. | |
| CVE-2017-0818 | Hig | 0.49 | 7.5 | 0.00 | Oct 4, 2017 | A vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63581671. | |
| CVE-2017-0813 | Hig | 0.49 | 7.5 | 0.00 | Oct 4, 2017 | A denial of service vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 7.0, 7.1.1, 7.1.2. Android ID: A-36531046. | |
| CVE-2017-13748 | Hig | 0.49 | 7.5 | 0.03 | Aug 29, 2017 | There are lots of memory leaks in JasPer 2.0.12, triggered in the function jas_strdup() in base/jas_string.c, that will lead to a remote denial of service attack. |