Byte Open Security (ByteOS Network)
CWE-416: Use After Free
Weakness ID: 416
Version: v4.17
Weakness Name: Use After Free
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Stable
Likelihood of Exploit: High
▼Description

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

▼Extended Description

▼Alternate Terms
Dangling pointer: a pointer that no longer points to valid memory, often after it has been freed
UAF: commonly used acronym for Use After Free
Use-After-Free
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature | Mapping | Type | ID | Name
CanPrecede | Allowed-with-Review | Base | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CanPrecede | Allowed | Base | 123 | Write-what-where Condition
ChildOf | Allowed | Base | 825 | Expired Pointer Dereference
ParentOf | Allowed | Base | 1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
ParentOf | Allowed-with-Review | Class | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
ParentOf | Allowed | Base | 364 | Signal Handler Race Condition
ParentOf | Allowed | Variant | 415 | Double Free
ParentOf | Allowed-with-Review | Class | 754 | Improper Check for Unusual or Exceptional Conditions
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 398 | 7PK - Code Quality
MemberOf | Prohibited | Category | 742 | CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM)
MemberOf | Prohibited | Category | 808 | 2010 Top 25 - Weaknesses On the Cusp
MemberOf | Prohibited | Category | 876 | CERT C++ Secure Coding Section 08 - Memory Management (MEM)
MemberOf | Prohibited | Category | 983 | SFP Secondary Cluster: Faulty Resource Use
MemberOf | Prohibited | Category | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
MemberOf | Prohibited | View | 1200 | Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf | Prohibited | View | 1337 | Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf | Prohibited | View | 1350 | Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf | Prohibited | View | 1387 | Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf | Prohibited | Category | 1399 | Comprehensive Categorization: Memory Safety
MemberOf | Prohibited | View | 1425 | Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf | Prohibited | View | 1430 | Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSSView | BOSS-274 | High likelihood of exploit
MemberOf | Prohibited | BOSSView | BOSS-286 | Attack Surface Reduction Strategy
MemberOf | Prohibited | BOSSView | BOSS-288 | Language Selection Strategy
MemberOf | Prohibited | BOSSView | BOSS-311 | Execute Unauthorized Code or Commands (impact)
MemberOf | Prohibited | BOSSView | BOSS-324 | DoS: Crash, Exit, or Restart (impact)
MemberOf | Prohibited | BOSSView | BOSS-331 | Modify Memory (impact)
▼Relevant To View
Relevant to the view "Weaknesses Addressed by the SEI CERT C Coding Standard - (1154)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)

Relevant to the view "Seven Pernicious Kingdoms - (700)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 398 | 7PK - Code Quality

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 983 | SFP Secondary Cluster: Faulty Resource Use
▼Background Detail

▼Common Consequences
Scope: Integrity
Likelihood: N/A
Impact: Modify Memory
Note: The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.

Scope: Availability
Likelihood: N/A
Impact: DoS: Crash, Exit, or Restart
Note: If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.

Scope: Integrity, Confidentiality, Availability
Likelihood: N/A
Impact: Execute Unauthorized Code or Commands
Note: If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.
▼Potential Mitigations
Phase: Architecture and Design
Strategy: Language Selection
Description: Choose a language that provides automatic memory management.

Phase: Implementation
Strategy: Attack Surface Reduction
Effectiveness: Defense in Depth
Description: When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
Note: If a bug causes an attempted access of this pointer, then a NULL dereference could still lead to a crash or other unexpected behavior, but it will reduce or eliminate the risk of code execution.
▼Modes Of Introduction
Phase: Implementation

▼Applicable Platforms
Languages
Class: C (Undetermined Prevalence)
Class: C++ (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

The following example demonstrates the weakness. buf2R1 is freed and then written through after the allocator may have handed the same memory to buf2R2 or buf3R2.

Language: C (Bad code)

```c
#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* strncpy */
#include <unistd.h>

#define BUFSIZER1 512
#define BUFSIZER2 ((BUFSIZER1/2) - 8)

int main(int argc, char **argv)
{
    char *buf1R1;
    char *buf2R1;
    char *buf2R2;
    char *buf3R2;

    if (argc < 2)
        return 1;

    buf1R1 = (char *) malloc(BUFSIZER1);
    buf2R1 = (char *) malloc(BUFSIZER1);

    free(buf2R1);   /* buf2R1 is now a dangling pointer */

    /* These allocations may be carved out of the block just freed */
    buf2R2 = (char *) malloc(BUFSIZER2);
    buf3R2 = (char *) malloc(BUFSIZER2);

    /* Use after free: writes through the stale buf2R1 pointer into
     * memory that now belongs to buf2R2 and buf3R2 */
    strncpy(buf2R1, argv[1], BUFSIZER1-1);

    free(buf1R1);
    free(buf2R2);
    free(buf3R2);
    return 0;
}
```

Example 2

The following code illustrates a use after free error:

Language: C (Bad code)

```c
char *ptr = (char *)malloc(SIZE);
if (err) {
    abrt = 1;
    free(ptr);   /* ptr is released on the error path ... */
}
...
if (abrt) {
    /* ... but is still passed to logError: use after free */
    logError("operation aborted before commit", ptr);
}
```

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.
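Added example, not part of the CWE entry: the "set pointers to NULL after free" mitigation applied to the Example 2 error path, plus the caveat that clearing one variable leaves other copies of the pointer dangling. SIZE, log_event, run_operation and alias_still_dangles are assumed names for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 64   /* hypothetical buffer size for the example */

/* Release a block and clear the variable that held it, so a later
 * erroneous use hits NULL instead of memory the allocator has recycled.
 * Evaluates p twice, so only pass a plain variable. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

/* Hypothetical logger. Returns 1 if a context string was logged, 0 if
 * the call arrived without one. Refusing NULL is what makes the abort
 * path safe once SAFE_FREE has cleared the pointer. */
static int log_event(const char *msg, const char *ctx)
{
    if (ctx == NULL) {
        printf("%s (context buffer already released)\n", msg);
        return 0;
    }
    printf("%s: %s\n", msg, ctx);
    return 1;
}

/* Hardened form of Example 2. err simulates the failing step.
 * Returns 1 when the operation committed, 0 when it aborted, -1 on
 * allocation failure. *logged_ctx records what log_event received. */
int run_operation(int err, int *logged_ctx)
{
    int abrt = 0;
    char *ptr = malloc(SIZE);
    if (ptr == NULL)
        return -1;
    snprintf(ptr, SIZE, "request %d", 42);   /* constructed sample content */

    if (err) {
        abrt = 1;
        SAFE_FREE(ptr);   /* ptr == NULL from here on, not dangling */
    }

    if (abrt) {
        /* Example 2 passed the freed ptr here; now it is NULL and rejected. */
        *logged_ctx = log_event("operation aborted before commit", ptr);
        return 0;
    }
    *logged_ctx = log_event("operation committed", ptr);
    SAFE_FREE(ptr);
    return 1;
}

/* The caveat from the mitigation text: clearing one variable does not
 * clear other copies of the pointer. Returns 1 if the alias still holds
 * the old address (it is only compared here, never dereferenced). */
int alias_still_dangles(void)
{
    char *owner = malloc(SIZE);
    char *alias = owner;         /* second reference to the same block */
    if (owner == NULL)
        return -1;
    SAFE_FREE(owner);            /* owner is NULL; alias is untouched */
    return alias != NULL;
}
```

Running the aborted path under AddressSanitizer with the original free(ptr) in place of SAFE_FREE reports a heap-use-after-free at the log call; with SAFE_FREE the call is rejected as a NULL context instead.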

▼Observed Examples
Reference - Description
CVE-2022-20141 - Chain: an operating system kernel has insufficient resource locking (CWE-413) leading to a use after free (CWE-416).
CVE-2022-2621 - Chain: two threads in a web browser use the same resource (CWE-366), but one of those threads can destroy the resource before the other has completed (CWE-416).
CVE-2021-0920 - Chain: mobile platform race condition (CWE-362) leading to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
CVE-2020-6819 - Chain: race condition (CWE-362) leads to use-after-free (CWE-416), as exploited in the wild per CISA KEV.
CVE-2010-4168 - Use-after-free triggered by closing a connection while data is still being transmitted.
CVE-2010-2941 - Improper allocation for invalid data leads to use-after-free.
CVE-2010-2547 - Certificate with a large number of Subject Alternate Names not properly handled in realloc, leading to use-after-free.
CVE-2010-1772 - Timers are not disabled when a related object is deleted.
CVE-2010-1437 - Access to a "dead" object that is being cleaned up.
CVE-2010-1208 - Object is deleted even with a non-zero reference count, and later accessed.
CVE-2010-0629 - Use-after-free involving a request containing an invalid version number.
CVE-2010-0378 - Unload of an object that is currently being accessed by other functionality.
CVE-2010-0302 - Incorrectly tracking a reference count leads to use-after-free.
CVE-2010-0249 - Use-after-free related to use of uninitialized memory.
CVE-2010-0050 - HTML document with incorrectly-nested tags.
CVE-2009-3658 - Use after free in ActiveX object by providing a malformed argument to a method.
CVE-2009-3616 - Use-after-free by disconnecting during data transfer, or a message containing incorrect data types.
CVE-2009-3553 - Disconnect during a large data transfer causes incorrect reference count, leading to use-after-free.
CVE-2009-2416 - Use-after-free found by fuzzing.
CVE-2009-1837 - Chain: race condition (CWE-362) from improper handling of a page transition in web client while an applet is loading (CWE-368) leads to use after free (CWE-416).
CVE-2009-0749 - realloc generates new buffer and pointer, but previous pointer is still retained, leading to use after free.
CVE-2010-3328 - Use-after-free in web browser, probably resultant from not initializing memory.
CVE-2008-5038 - Use-after-free when one thread accessed memory that was freed by another thread.
CVE-2008-0077 - Assignment of malformed values to certain properties triggers use after free.
CVE-2006-4434 - Mail server does not properly handle a long header.
CVE-2010-2753 - Chain: integer overflow leads to use-after-free.
CVE-2006-4997 - Freed pointer dereference.
CVE-2003-0813 - Chain: a multi-threaded race condition (CWE-367) allows attackers to cause two threads to process the same RPC request, which causes a use-after-free (CWE-416) in one thread.
▼Affected Resources
  • Memory
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Resultant
Description: If the product accesses a previously-freed pointer, then it means that a separate weakness or error already occurred previously, such as a race condition, an unexpected or poorly handled error condition, confusion over which part of the program is responsible for freeing the memory, performing the free too soon, etc.
▼Detection Methods
Fuzzing
Detection Method ID: DM-13
Description: Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiveness: High

Automated Static Analysis
Detection Method ID: DM-14
Description: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale: This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
▼Notes
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
ISA/IEC 62443 | Part 4-1 | N/A | Req SI-1
7 Pernicious Kingdoms | N/A | N/A | Use After Free
CLASP | N/A | N/A | Using freed memory
CERT C Secure Coding | MEM00-C | N/A | Allocate and free memory in the same module, at the same level of abstraction
CERT C Secure Coding | MEM01-C | N/A | Store a new value in pointers immediately after free()
CERT C Secure Coding | MEM30-C | Exact | Do not access freed memory
Software Fault Patterns | SFP15 | N/A | Faulty Resource Use
▼Related Attack Patterns
ID | Name
▼References
Reference ID: REF-6
Title: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Author: Katrina Tsipenyuk, Brian Chess, Gary McGraw
Publication: NIST Workshop on Software Security Assurance Tools Techniques and Metrics
Publisher: NIST
URL: https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Date: 2005-11-07

Reference ID: REF-18
Title: The CLASP Application Security Process
Author: Secure Software, Inc.
URL: https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
URL Date: 2024-11-17
Year: 2005

Reference ID: REF-44
Title: 24 Deadly Sins of Software Security
Author: Michael Howard, David LeBlanc, John Viega
Section: "Sin 8: C++ Catastrophes." Page 143
Publication: McGraw-Hill
Year: 2010