CWE-825: Expired Pointer Dereference
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
扩展描述
When a product releases memory, but it maintains a pointer to that memory, then the memory might be re-allocated at a later time. If the original pointer is accessed to read or write data, then this could cause the product to read or modify data that is in use by a different function or process. Depending on how the newly-allocated memory is used, this could lead to a denial of service, information exposure, or code execution.
常见后果
影响范围: Confidentiality
技术影响: Read Memory
说明: If the expired pointer is used in a read operation, an attacker might be able to control data read in by the application.
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart
说明: If the expired pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" (such as NULL) or larger than expected by a read or write operation, then a crash may occur.
影响范围: Integrity Confidentiality Availability
技术影响: Execute Unauthorized Code or Commands
说明: If the expired pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
潜在缓解措施
阶段: Architecture and Design
描述: Choose a language that provides automatic memory management.
阶段: Implementation
描述: When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
观察示例
参考: CVE-2008-5013
access of expired memory address leads to arbitrary code execution
参考: CVE-2010-3257
stale pointer issue leads to denial of service and possibly other consequences
参考: CVE-2008-0062
Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
参考: CVE-2007-1211
read of value at an offset into a structure after the offset is no longer valid