CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.
Extended Description
When a file descriptor or handle is not released after use (typically by explicitly closing it), attackers can cause a denial of service by consuming all available file descriptors/handles, or otherwise preventing other system processes from obtaining their own file descriptors/handles.
Common Consequences
Scope: Availability
Technical Impact: DoS: Resource Consumption (Other)
Note: An attacker that can influence the allocation of resources that are not properly released could deplete the available resource pool and prevent all other processes from accessing the same type of resource.
Potential Mitigations
Phase: Operation, Architecture and Design
Strategy: Resource Limitation
Observed Examples
Reference: CVE-2007-0897
Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.
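The early-return pattern behind CVE-2007-0897, as an added C example that is not part of this CWE entry: the leaking scanner beside a hardened version with a single cleanup path, plus a small harness that counts the descriptors left open after repeatedly scanning a malformed file. The function names (scan_file_leaky, scan_file_fixed, leaked_fds), the file format and its 0x4D magic byte are assumptions constructed for the example.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#define MAGIC 0x4D  /* constructed format: a valid file starts with 0x4D */

/* Vulnerable form (CWE-775): the malformed-file branch returns before close(). */
int scan_file_leaky(const char *path) {
    unsigned char magic;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (read(fd, &magic, 1) != 1 || magic != MAGIC)
        return -1;                 /* early return: fd leaked */
    close(fd);
    return 0;
}

/* Hardened form: every exit after open() goes through one cleanup
 * label, so the descriptor is closed on the error path as well. */
int scan_file_fixed(const char *path) {
    unsigned char magic;
    int rc = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (read(fd, &magic, 1) != 1 || magic != MAGIC)
        goto cleanup;              /* malformed: fd still closed below */
    rc = 0;
cleanup:
    close(fd);
    return rc;
}

static int next_free_fd(void) {   /* lowest free fd number; +1 per leaked fd */
    int fd = open("/dev/null", O_RDONLY);
    close(fd);
    return fd;
}

/* Write a constructed malformed file, scan it `rounds` times with the
 * given scanner and return how many descriptors were left open. */
int leaked_fds(int (*scan)(const char *), int rounds) {
    char path[] = "/tmp/cwe775-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "BAD-HEADER", 10) != 10) return -1;
    close(fd);
    int before = next_free_fd();
    for (int i = 0; i < rounds; i++) scan(path);
    unlink(path);
    return next_free_fd() - before;
}
```

Five scans of the malformed file leave five descriptors open with the leaky scanner and none with the fixed one; against a long-running process the same growth shows up as a rising count in its open-file listing.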
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| CERT C Secure Coding | FIO42-C | Close files when they are no longer needed | CWE More Abstract |
| Software Fault Patterns | SFP14 | Failure to Release Resource | - |