Our Data Weaknesses Attack Patterns About Us Blog Pricing Book a Demo

Log inLog in

RadicalNotion.AI

We do not sell or share your personal information

Company

About us
Privacy
Terms

Resources

Pricing
Blog
Data Sources
CWE Directory
CAPEC Directory

Get Started

Sign up
Book a demo
Log in

CWE-568: finalize() Method Without super.finalize() | RadicalNotion.AI

Home
Weaknesses (CWE)
CWE-568

Variant weakness

Draft

CWE-568: finalize() Method Without super.finalize()

The product contains a finalize() method that does not call super.finalize().

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize().

Common consequences

What can happen when CWE-568 is exploited.

Quality Degradation

Affects: Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Applies to

Languages

Java

How to prevent it

Practical mitigations for CWE-568, grouped by where in the lifecycle they apply.

Implementation

Call the super.finalize() method.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following method omits the call to super.finalize().

Vulnerable example

java

protected void finalize() {

Related weaknesses

How this weakness relates to others in the CWE hierarchy.

Parent

CWE-459: Incomplete Cleanup
CWE-573: Improper Following of Specification by Caller

Terminology & mappings

Mapped taxonomies

The CERT Oracle Secure Coding Standard for Java (2011): Do not use finalizers (MET12-J)
Software Fault Patterns: Unexpected access points (SFP28)

Frequently asked questions

Common questions about CWE-568.

What is CWE-568?

The product contains a finalize() method that does not call super.finalize().

How do you prevent CWE-568?

Call the super.finalize() method.

How is CWE-568 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-568?

Exploiting CWE-568 can lead to: Quality Degradation.

References

MITRE CWE definition (CWE-568) (opens in a new tab)
CWE-568 vulnerabilities on NVD (opens in a new tab)

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-568

Get alerted the moment a new CWE-568 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

On this page

Overview
Common consequences
How it happens
How to prevent it
How to detect it
Code examples
Related weaknesses
Terminology & mappings
FAQ
References