Improper Control of a Resource Through its Lifetime
Draft Pillar
Structure: Simple
Description
The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."
Common Consequences 1
Scope: Other
Impact: Other
Potential Mitigations 1
Phase: Testing
Use Static analysis tools to check for unreleased resources.
Observed Examples 2
CVE-2018-1000613Cryptography API uses unsafe reflection when deserializing a private key
CVE-2019-19911Chain: Python library does not limit the resources used to process images that specify a very large number of bands (Improper Validation of Specified Quantity in Input), leading to excessive memory consumption (Memory Allocation with Excessive Size Value) or an integer overflow (Integer Overflow or Wraparound).
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
- CERT C Secure Coding
Notes
MaintenanceMore work is needed on this entry and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (Improper Resource Shutdown or Release, Improper Initialization), while other children are independent of lifecycle, such as Uncontrolled Resource Consumption. Others do not specify as many bases or variants, such as Incorrect Type Conversion or Cast, which primarily covers numbers at this stage.