Resource Management Errors

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be ...

If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving ...

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descript...

The product allows user input to control or influence paths or file names that are used in filesystem operations.

The product does not properly restrict reading from or writing to dynamically-identified variables.

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the am...

The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but...

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) l...

The product does not initialize a critical resource.

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

The product releases a resource that is still intended to be used by itself or another actor.

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

The product uses or accesses a file descriptor after it has been closed.

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes ...

The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

The product uses or accesses a resource that has not been initialized.

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...