Missing Reference to Active Allocated Resource
Weakness ID: 771 (Weakness Base)
Status: Incomplete
+ Description

Description Summary

The software does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

Extended Description

This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be reclaimed.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences

If resources are allocated without limits, an attacker could prevent all other processes from accessing the same type of resource.

+ Likelihood of Exploit

Medium to High

+ Potential Mitigations

Phase: Implementation

For system resources, consider using the getrlimit() function, declared in <sys/resource.h>, to determine how many files the process is currently allowed to open.

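(Good Code)
Example Language: C
#include <sys/resource.h>

int return_value;
struct rlimit rlp;
/* Returns 0 on success; rlp.rlim_cur is then the soft limit and
   rlp.rlim_max the hard limit on open file descriptors. */
return_value = getrlimit(RLIMIT_NOFILE, &rlp);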

Phase: Operation

Use resource-limiting settings provided by the operating system or environment. For example, setrlimit() can be used to set limits for certain types of resources. However, this is not available on all operating systems.

Ensure that your application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
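The weakness and the mitigations above, shown together in an added example that is not part of the CWE entry: a loop that overwrites its only reference to each descriptor beside one that keeps the reference until close(), both run under a lowered RLIMIT_NOFILE. The function names, the use of /dev/null and the cap of 64 are assumptions made for illustration; a POSIX system is assumed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Operation-phase mitigation: lower the soft RLIMIT_NOFILE to at most cap. */
int cap_open_files(rlim_t cap) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = (cap < rl.rlim_max) ? cap : rl.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Count descriptors open below the soft limit (scan bounded to 4096). */
int count_open_fds(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    int n = 0, top = (rl.rlim_cur < 4096) ? (int)rl.rlim_cur : 4096;
    for (int fd = 0; fd < top; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* WEAK (CWE-771): each open() overwrites the only reference to the previous fd. */
int serve_leaky(int requests) {
    int fd = -1, i;
    for (i = 0; i < requests; i++) {
        fd = open("/dev/null", O_RDONLY);   /* earlier descriptor is now unreachable */
        if (fd < 0) break;                  /* EMFILE once the limit is hit */
    }
    return i;                               /* requests served */
}

/* FIXED: the reference is held until the descriptor is released. */
int serve_tracked(int requests) {
    int i;
    for (i = 0; i < requests; i++) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0) break;                  /* stop and report instead of continuing */
        close(fd);
    }
    return i;
}

int main(void) {
    if (cap_open_files(64) != 0) return 1;
    int tracked = serve_tracked(200), leaky = serve_leaky(200);
    return printf("tracked %d/200, leaky %d/200\n", tracked, leaky) < 0;
}
```

Once the leaky loop has run, every later open() in the same process fails as well, which is why the failure path has to be checked at each allocation.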

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Base | 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 773 | Missing Reference to Active File Descriptor or Handle | Research Concepts (primary) 1000
+ Theoretical Notes

Vulnerability theory is largely about how behaviors and resources interact. "Resource exhaustion" can be regarded as either a consequence or an attack, depending on the perspective. This entry is an attempt to reflect one of the underlying weaknesses that enable these attacks (or consequences) to take place.

+ Maintenance Notes

"Resource exhaustion" (CWE-400) is currently treated as a weakness, although it is more like a category of weaknesses that all have the same type of consequence. While this entry treats CWE-400 as a parent in view 1000, the relationship is probably more appropriately described as a chain.

+ Content History
Submission Date | Submitter | Organization | Source
2009-05-13 | Internal CWE Team
Modification Date | Modifier | Organization | Source
2009-07-27 | CWE Content Team | MITRE | Internal
updated Relationships