CWE-1091: Use of Object without Invoking Destructor Method
The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.
Last updated
Overview
CWE-1091 (Use of Object without Invoking Destructor Method) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
1 recorded CVEs are caused by CWE-1091 (Use of Object without Invoking Destructor Method). The highest-severity and most recent are shown first. 1 new CWE-1091 CVE has been recorded so far in 2026.
Common consequences
What can happen when CWE-1091 is exploited.
Reduce Performance
Affects: Other
This issue can make the product perform more slowly by retaining memory and/or other resources longer than necessary. If the relevant code is reachable by an attacker, then this performance problem might introduce a vulnerability.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Terminology & mappings
Mapped taxonomies
- OMG ASCPEM (ASCPEM-PRF-15)
Frequently asked questions
Common questions about CWE-1091.
- What is CWE-1091?
- The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.
- What CVEs are caused by CWE-1091?
- 1 recorded CVEs are attributed to CWE-1091, including CVE-2026-3537.
- How is CWE-1091 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1091?
- Exploiting CWE-1091 can lead to: Reduce Performance.
- Is CWE-1091 actively exploited?
- 1 recorded CVEs are caused by CWE-1091; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1091) (opens in a new tab)
- CWE-1091 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1091
Get alerted the moment a new CWE-1091 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.