CWE-416: Use After Free

Variant Stable Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Common Consequences

Scope: Integrity

Technical Impact: Modify Memory

Note: The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.

Scope: Availability

Technical Impact: DoS: Crash, Exit, or Restart

Note: If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.

Scope: Integrity, Confidentiality, Availability

Technical Impact: Execute Unauthorized Code or Commands

Note: If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Potential Mitigations

Phase: Architecture and Design

Strategy: Language Selection

Description: Choose a language that provides automatic memory management.

Phase: Implementation

Strategy: Attack Surface Reduction

Description: When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

Effectiveness: Defense in Depth
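
The "set the pointer to NULL after free" mitigation (CERT MEM01-C in the mappings below), written out as an added C example that is not part of the CWE entry; the record type and the record_release(), record_id() and demo_*() helpers are hypothetical. It also shows the caveat the mitigation states: a second alias to the same allocation is not cleared, which is why the technique is only defense in depth.

```c
#include <stdlib.h>

struct record { int id; };   /* hypothetical record type for the demo */

/* Free the record and null the caller's pointer in one step (CERT MEM01-C).
 * Taking a pointer-to-pointer is what lets the callee clear the caller's
 * copy; a plain free(r) would leave the caller holding a dangling address. */
void record_release(struct record **rp)
{
    if (rp == NULL || *rp == NULL)
        return;
    free(*rp);
    *rp = NULL;
}

/* Reads the id but refuses a NULL (already released) record, returning -1.
 * Because release nulls the pointer, a late use becomes a detectable error
 * instead of a read of freed memory. */
int record_id(const struct record *r)
{
    return (r == NULL) ? -1 : r->id;
}

/* Safe sequence: use, release, late use refused. Returns the value the late
 * use produces (expected -1), or a code below -1 on a setup failure. */
int demo_release_then_use(void)
{
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return -2;
    r->id = 42;
    int before = record_id(r);   /* 42 while the record is live */
    record_release(&r);          /* r is now NULL, not dangling */
    int after = record_id(r);    /* -1: refused, no use after free */
    return (before == 42) ? after : -3;
}

/* The caveat from the mitigation: a second alias to the same allocation is
 * not cleared by record_release(). Returns 1 when the alias is left stale.
 * The alias is only compared, never dereferenced, so no freed memory is read. */
int demo_alias_not_cleared(void)
{
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return -2;
    struct record *alias = r;    /* a second copy of the pointer */
    record_release(&r);          /* only r becomes NULL */
    return (r == NULL) && (alias != NULL);
}
```

Running this under AddressSanitizer (-fsanitize=address) is the practical way to turn the stale alias case into a reported error rather than silent corruption.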

Detection Methods

Method: Fuzzing

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

Effectiveness: High

Method: Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High

Observed Examples

Reference: CVE-2022-20141

Chain: an operating system kernel has insufficient resource locking (CWE-413) leading to a use after free (CWE-416).

Reference: CVE-2022-2621

Chain: two threads in a web browser use the same resource (CWE-366), but one of those threads can destroy the resource before the other has completed (CWE-416).

Reference: CVE-2021-0920

Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV.

Reference: CVE-2020-6819

Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV.

Reference: CVE-2010-4168

Use-after-free triggered by closing a connection while data is still being transmitted.

Reference: CVE-2010-2941

Improper allocation for invalid data leads to use-after-free.

Reference: CVE-2010-2547

Certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free.

Reference: CVE-2010-1772

Timers are not disabled when a related object is deleted.

Reference: CVE-2010-1437

Access to a "dead" object that is being cleaned up.

Reference: CVE-2010-1208

Object is deleted even with a non-zero reference count, and later accessed.

Reference: CVE-2010-0629

Use-after-free involving a request containing an invalid version number.

Reference: CVE-2010-0378

Unload of an object that is currently being accessed by other functionality.

Reference: CVE-2010-0302

Incorrectly tracking a reference count leads to use-after-free.

Reference: CVE-2010-0249

Use-after-free related to use of uninitialized memory.

Reference: CVE-2010-0050

HTML document with incorrectly-nested tags.

Reference: CVE-2009-3658

Use after free in ActiveX object by providing a malformed argument to a method.

Reference: CVE-2009-3616

Use-after-free by disconnecting during data transfer, or a message containing incorrect data types.

Reference: CVE-2009-3553

Disconnect during a large data transfer causes incorrect reference count, leading to use-after-free.

Reference: CVE-2009-2416

Use-after-free found by fuzzing.

Reference: CVE-2009-1837

Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416).

Reference: CVE-2009-0749

realloc generates a new buffer and pointer, but the previous pointer is still retained, leading to use after free.

Reference: CVE-2010-3328

Use-after-free in web browser, probably resultant from not initializing memory.

Reference: CVE-2008-5038

Use-after-free when one thread accessed memory that was freed by another thread.

Reference: CVE-2008-0077

Assignment of malformed values to certain properties triggers use after free.

Reference: CVE-2006-4434

Mail server does not properly handle a long header.

Reference: CVE-2010-2753

Chain: integer overflow leads to use-after-free.

Reference: CVE-2006-4997

Freed pointer dereference.

Reference: CVE-2003-0813

Chain: a multi-threaded race condition (CWE-367) allows attackers to cause two threads to process the same RPC request, which causes a use-after-free (CWE-416) in one thread.

Modes of Introduction

Phase | Description
Implementation | -

Applicable Platforms

Languages: C (Undetermined), C++ (Undetermined)

Taxonomy Mappings

Taxonomy Name | Entry ID | Entry Name | Mapping Fit
ISA/IEC 62443 | Part 4-1 | Req SI-1 | -
7 Pernicious Kingdoms | - | Use After Free | -
CLASP | - | Using freed memory | -
CERT C Secure Coding | MEM00-C | Allocate and free memory in the same module, at the same level of abstraction | -
CERT C Secure Coding | MEM01-C | Store a new value in pointers immediately after free() | -
CERT C Secure Coding | MEM30-C | Do not access freed memory | Exact
Software Fault Patterns | SFP15 | Faulty Resource Use | -

Key Information

CWE ID: CWE-416

Abstraction: Variant

Structure: Simple

Status: Stable

Likelihood of Exploit: High

Related Weaknesses