CERT C++ Secure Coding Section 08 - Memory Management (MEM)
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be...
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the so...
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process th...
The program does not release or incorrectly releases a resource before it is made available for re-use.
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the ...
The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used t...
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on di...
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in th...
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to in...
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer der...
The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
Deprecated or Obsolete
CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being ac...