Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.1)  

CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Weakness ID: 401
Abstraction: Base
Structure: Simple
Status: Draft
Presentation Filter:
+ Description
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
+ Extended Description
This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions.
+ Alternate Terms
Memory Leak
+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
ChildOfBaseBase - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness.772Missing Release of Resource after Effective Lifetime
CanFollowClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.390Detection of Error Condition Without Action
+ Relevant to the view "Development Concepts" (CWE-699)
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.399Resource Management Errors
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Architecture and Design

Memory leaks have two common and sometimes overlapping causes:

  • Error conditions and other exceptional circumstances
  • Confusion over which part of the program is responsible for freeing the memory
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.


C (Undetermined Prevalence)

C++ (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.


Technical Impact: DoS: Crash, Exit, or Restart; DoS: Instability; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)

Most memory leaks result in general software reliability problems, but if an attacker can intentionally trigger a memory leak, the attacker might be able to launch a denial of service attack (by crashing or hanging the program) or take advantage of other unexpected program behavior resulting from a low memory condition.
+ Likelihood Of Exploit
+ Demonstrative Examples

Example 1

The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes:

(bad code)
Example Language:
char* getBlock(int fd) {
char* buf = (char*) malloc(BLOCK_SIZE);
if (!buf) {
return NULL;
if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) {

return NULL;
return buf;

Example 2

Here the problem is that every time a connection is made, more memory is allocated. So if one just opened up more and more connections, eventually the machine would run out of memory.

(bad code)
Example Language:
bar connection(){
foo = malloc(1024);
return foo;
endConnection(bar foo) {

int main() {

while(1) //thread 1
//On a connection
foo=connection(); //thread 2
//When the connection ends
+ Observed Examples
Memory leak because function does not free() an element of a data structure.
Memory leak when counter variable is not decremented.
chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets.
Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code.
Memory leak via unknown manipulations as part of protocol test suite.
Memory leak via a series of the same command.
+ Potential Mitigations

Phase: Implementation

Strategy: Libraries or Frameworks

Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.

For example, glibc in Linux provides protection against free of invalid pointers.

When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].

To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

Phase: Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Phases: Architecture and Design; Build and Compilation

The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code.
Note: This is not a complete solution as it is not 100% effective.
+ Functional Areas
  • Memory Management
+ Affected Resources
  • Memory
+ Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.3987PK - Code Quality
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.730OWASP Top Ten 2004 Category A9 - Denial of Service
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.861CERT Java Secure Coding Section 49 - Miscellaneous (MSC)
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.982SFP Secondary Cluster: Failure to Release Resource
+ Notes


This is often a resultant weakness due to improper handling of malformed data or early termination of sessions.


"memory leak" has sometimes been used to describe other kinds of issues, e.g. for information leaks in which the contents of memory are inadvertently leaked (CVE-2003-0400 is one such example of this terminology conflict).
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERMemory leak
7 Pernicious KingdomsMemory Leak
CLASPFailure to deallocate data
OWASP Top Ten 2004A9CWE More SpecificDenial of Service
CERT C Secure CodingMEM31-CExactFree dynamically allocated memory when no longer needed
CERT Java Secure CodingMSC04-JDo not leak memory
Software Fault PatternsSFP14Failure to release resource
+ References
[REF-390] J. Whittaker and H. Thompson. "How to Break Software Security". Addison Wesley. 2003.
[REF-391] iOS Developer Library. "Transitioning to ARC Release Notes". 2013-08-08. <>.
+ Content History
Submission DateSubmitterOrganization
Modification DateModifierOrganization
2008-07-01Eric DalciCigital
updated Time_of_Introduction
2008-08-01KDM Analytics
added/updated white box definitions
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITRE
updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, References, Relationship_Notes, Taxonomy_Mappings, Terminology_Notes
2008-10-14CWE Content TeamMITRE
updated Description
2009-03-10CWE Content TeamMITRE
updated Other_Notes
2009-05-27CWE Content TeamMITRE
updated Name
2009-07-17KDM Analytics
Improved the White_Box_Definition
2009-07-27CWE Content TeamMITRE
updated White_Box_Definitions
2009-10-29CWE Content TeamMITRE
updated Modes_of_Introduction, Other_Notes
2010-02-16CWE Content TeamMITRE
updated Relationships
2010-06-21CWE Content TeamMITRE
updated Other_Notes, Potential_Mitigations
2010-12-13CWE Content TeamMITRE
updated Demonstrative_Examples, Name
2011-03-29CWE Content TeamMITRE
updated Alternate_Terms
2011-06-01CWE Content TeamMITRE
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11CWE Content TeamMITRE
updated Relationships, Taxonomy_Mappings
2012-10-30CWE Content TeamMITRE
updated Potential_Mitigations
2013-02-21CWE Content TeamMITRE
updated Observed_Examples
2014-02-18CWE Content TeamMITRE
updated Potential_Mitigations, References
2014-07-30CWE Content TeamMITRE
updated Relationships, Taxonomy_Mappings
2017-11-08CWE Content TeamMITRE
updated References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Memory Leak
2009-05-27Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
2010-12-13Failure to Release Memory Before Removing Last Reference ('Memory Leak')

More information is available — Please select a different filter.
Page Last Updated: March 29, 2018