CWE-415 Double Free

Posted by admin on 2022-01-05 20:59:37


Structure: Simple

Abstraction: Variant

Status: Draft

Likelihood of Exploit: High


The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.


When a program calls free() twice with the same argument, the program's memory management data structures become corrupted. This corruption can cause the program to crash or, in some circumstances, cause two later calls to malloc() to return the same pointer. If malloc() returns the same value twice and the program later gives the attacker control over the data that is written into this doubly-allocated memory, the program becomes vulnerable to a buffer overflow attack.


  • ChildOf CWE-825 (View 1000, Primary)

  • ChildOf CWE-672 (View 1003, Primary)

  • ChildOf CWE-666 (View 1000)

  • ChildOf CWE-675 (View 1000)

  • PeerOf CWE-416 (View 1000)

  • PeerOf CWE-416 (View 699)

  • PeerOf CWE-123 (View 1000)


Languages: C (Prevalence: Undetermined), C++ (Prevalence: Undetermined)


Scope: Integrity, Confidentiality, Availability
Impact: Execute Unauthorized Code or Commands
Note: Doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.


Architecture and Design


Choose a language that provides automatic memory management.



Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.



Use a static analysis tool to find double free instances.
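The second mitigation above (free each allocation once, clear the pointer afterwards, and make clean-up routines respect allocation state on error paths) put into C. This is an added example, not code from the CWE entry; free_once, struct request and live_buffers_after_abort are hypothetical names chosen for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Release a buffer through the pointer slot that owns it and clear the slot,
 * so a later call on the same slot is a no-op instead of a second free().
 * free_once is a hypothetical helper name, not part of the CWE entry. */
static void free_once(char **slot) {
    free(*slot);        /* free(NULL) is defined to do nothing */
    *slot = NULL;
}

/* A request owning two buffers, mirroring the two allocations in the
 * second demonstrative example below. */
struct request {
    char *hdr;
    char *body;
};

/* Idempotent clean-up: safe to call from every error path and again at exit.
 * Each slot is cleared on the first call, so the second call frees nothing. */
static void request_cleanup(struct request *r) {
    free_once(&r->hdr);
    free_once(&r->body);
}

/* Runs clean-up on an abort path (when abrt is set) and again on the normal
 * exit path, the pattern that produces a double free when pointers are left
 * dangling. Returns the number of slots still non-NULL afterwards: 0 means
 * both buffers were released exactly once. Returns -1 if allocation failed. */
static int live_buffers_after_abort(int abrt) {
    struct request r = { malloc(64), malloc(512) };
    if (!r.hdr || !r.body) {
        request_cleanup(&r);
        return -1;
    }
    memset(r.hdr, 'A', 64);        /* constructed sample payload */
    if (abrt) {
        request_cleanup(&r);       /* first release, on the error path */
    }
    request_cleanup(&r);           /* second release: slots are NULL, nothing is freed twice */
    return (r.hdr != NULL) + (r.body != NULL);
}
```

Clearing the slot protects only that pointer: a copy of the address held elsewhere still dangles, so each buffer needs a single owning pointer for this pattern to hold.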


The following code shows a simple example of a double free vulnerability.

bad C

char *ptr = (char *)malloc(SIZE);
if (abrt)
    free(ptr);   /* released on the abort path ... */
free(ptr);       /* ... and released again unconditionally: the double free */



Double free vulnerabilities have two common (and sometimes overlapping) causes:


Although some double free vulnerabilities are not much more complicated than the previous example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.

While contrived, this code should be exploitable on Linux distributions which do not ship with heap-chunk checksumming turned on.

bad C

#include <stdlib.h>
#include <string.h>

#define BUFSIZE1 512
#define BUFSIZE2 ((BUFSIZE1/2) - 8)

int main(int argc, char **argv) {
    char *buf1R1;
    char *buf2R1;
    char *buf1R2;

    if (argc < 2)
        return 1;

    buf1R1 = (char *) malloc(BUFSIZE2);
    buf2R1 = (char *) malloc(BUFSIZE2);

    free(buf1R1);
    free(buf2R1);
    /* The two freed chunks can be coalesced and handed back as buf1R2 ... */
    buf1R2 = (char *) malloc(BUFSIZE1);
    strncpy(buf1R2, argv[1], BUFSIZE1-1);

    free(buf2R1);   /* ... so this second free of buf2R1 releases memory now owned by buf1R2 */
    free(buf1R2);
    return 0;
}



Identifier | Description
CVE-2006-5051 | Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).
CVE-2004-0642 | Double free resultant from certain error conditions.
CVE-2004-0772 | Double free resultant from certain error conditions.
CVE-2005-1689 | Double free resultant from certain error conditions.
CVE-2003-0545 | Double free from invalid ASN.1 encoding.
CVE-2003-1048 | Double free from malformed GIF.
CVE-2005-0891 | Double free from malformed GIF.
CVE-2002-0059 | Double free from malformed compressed data.


This is usually resultant from another weakness, such as an unhandled error or race condition between threads. It could also be primary to weaknesses such as buffer overflows.
It could be argued that Double Free would be most appropriately located as a child of "Use after Free", but "Use" and "Release" are considered to be distinct operations within vulnerability theory, therefore this is more accurately "Release of a Resource after Expiration or Release", which doesn't exist yet.


Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | DFREE | | Double-Free Vulnerability
7 Pernicious Kingdoms | | | Double Free
CLASP | | | Doubly freeing memory
CERT C Secure Coding | MEM00-C | | Allocate and free memory in the same module, at the same level of abstraction
CERT C Secure Coding | MEM01-C | | Store a new value in pointers immediately after free()
CERT C Secure Coding | MEM30-C | CWE More Specific | Do not access freed memory
CERT C Secure Coding | MEM31-C | | Free dynamically allocated memory exactly once
Software Fault Patterns | SFP12 | | Faulty Memory Release


