CWE-1325: Improperly Controlled Sequential Memory Allocation
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.
常见后果
影响范围: Availability
技术影响: DoS: Resource Consumption (Memory)
说明: Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.
潜在缓解措施
阶段: Implementation
描述: Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
阶段: Operation
描述: Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
观察示例
参考: CVE-2020-36049
JavaScript-based packet decoder uses concatenation of many small strings, causing out-of-memory (OOM) condition
参考: CVE-2019-20176
Product allocates a new buffer on the stack for each file in a directory, allowing stack exhaustion
参考: CVE-2013-1591
Chain: an integer overflow (CWE-190) in the image size calculation causes an infinite loop (CWE-835) which sequentially allocates buffers without limits (CWE-1325) until the stack is full.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |