CWE-664: Improper Control of a Resource Through its Lifetime
The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Last updated
Overview
Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."
Real-world CVEs
38 recorded CVEs are caused by CWE-664 (Improper Control of a Resource Through its Lifetime), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 4 new CWE-664 CVEs have been recorded so far in 2026 (6 in 2025).
- CVE-2022-27518CISA KEV
Unauthenticated remote arbitrary code execution
Critical · CVSS 9.3 · EPSS 93th2022-12-13 - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-transfer helpers
High · CVSS 8.8 · EPSS 3th2026-05-23 - CVE-2026-8517High · CVSS 8.8 · EPSS 39th2026-05-14
- CVE-2022-20856High · CVSS 8.6 · EPSS 62th2022-09-30
- CVE-2020-3175High · CVSS 8.6 · EPSS 74th2020-02-26
- CVE-2023-44295High · CVSS 8.1 · EPSS 28th2023-12-05
- CVE-2024-23639High · CVSS 7.8 · EPSS 18th2024-02-09
- CVE-2026-20158
Cisco RoomOS Security Hardening Release - Resource Lifetime Management Vulnerabilities
High · CVSS 7.5 · EPSS 16th2026-07-15 - CVE-2024-41169
Apache Zeppelin: raft directory listing and file read
High · CVSS 7.5 · EPSS 43th2025-07-12 - CVE-2023-52387High · CVSS 7.5 · EPSS 26th2024-02-18
- CVE-2023-44288High · CVSS 7.5 · EPSS 49th2023-12-05
- CVE-2022-32846High · CVSS 7.5 · EPSS 45th2023-02-27
Showing 12 of 38 recorded CWE-664 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-664 vulnerabilitiesCommon consequences
What can happen when CWE-664 is exploited.
Other
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Use Static analysis tools to check for unreleased resources.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code allocates a socket and forks each time it receives a new connection.
Vulnerable example
sock=socket(AF_INET, SOCK_STREAM, 0);The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2018-1000613 — Cryptography API uses unsafe reflection when deserializing a private key
- CVE-2019-19911 — Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).
Terminology & mappings
Mapped taxonomies
- CERT C Secure Coding: Do not alternately input and output from a stream without an intervening flush or positioning call (FIO39-C) — CWE More Abstract fit
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-664.
- What is CWE-664?
- The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
- What CVEs are caused by CWE-664?
- 38 recorded CVEs are attributed to CWE-664, including CVE-2022-27518, CVE-2026-43503, CVE-2026-8517. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-664 detected?
- Automated Static Analysis: Use Static analysis tools to check for unreleased resources.
- What are the consequences of CWE-664?
- Exploiting CWE-664 can lead to: Other.
- Is CWE-664 actively exploited?
- Yes. 1 CWE-664 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 38 recorded CVEs.
References
- MITRE CWE definition (CWE-664) (opens in a new tab)
- CWE-664 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-664
Get alerted the moment a new CWE-664 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.