CWE-672: Operation on a Resource after Expiration or Release
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Last updated
Overview
CWE-672 (Operation on a Resource after Expiration or Release) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
45 recorded CVEs are caused by CWE-672 (Operation on a Resource after Expiration or Release). The highest-severity and most recent are shown first. 13 new CWE-672 CVEs have been recorded so far in 2026 (12 in 2025).
- CVE-2024-47571Critical · CVSS 9.8 · EPSS 55th2025-01-14
- CVE-2020-12043Critical · CVSS 9.8 · EPSS 79th2020-06-29
- CVE-2026-43585
OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution
Critical · CVSS 9.2 · EPSS 42th2026-05-06 - CVE-2013-10075
Apache::Session versions through 1.94 for Perl re-creates deleted sessions
Critical · CVSS 9.1 · EPSS 28th2026-05-08 - CVE-2025-39698
io_uring/futex: ensure io_futex_wait() cleans up properly on failure
High · CVSS 8.8 · EPSS 8th2025-09-05 - CVE-2022-22755High · CVSS 8.8 · EPSS 44th2022-12-22
- CVE-2025-55669
BIG-IP HTTP/2 vulnerability
High · CVSS 8.7 · EPSS 28th2025-10-15 - CVE-2026-2379
Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled
High · CVSS 8.2 · EPSS 13th2026-06-05 - CVE-2026-31875
Parse Server MFA recovery codes not consumed after use
High · CVSS 8.2 · EPSS 36th2026-03-11 - CVE-2020-11027High · CVSS 8.1 · EPSS 96th2020-04-30
- CVE-2023-1901
HCI send_sync Dangling Semaphore Reference Re-use
High · CVSS 8.0 · EPSS 45th2023-07-10 - CVE-2023-1902High · CVSS 8.0 · EPSS 45th2023-07-10
Showing 12 of 45 recorded CWE-672 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-672 vulnerabilitiesCommon consequences
What can happen when CWE-672 is exploited.
Modify Application Data, Read Application Data
Affects: Integrity, Confidentiality
If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.
Other, DoS: Crash, Exit, or Restart
Affects: Other, Availability
When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code shows a simple example of a use after free error:
Vulnerable example
char* ptr = (char*)malloc (SIZE);When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.
The following code shows a simple example of a double free error:
Vulnerable example
char* ptr = (char*)malloc (SIZE);In the following C/C++ example the method processMessage is used to process a message received in the input array of char arrays. The input message array contains two char arrays: the first is the length of the message and the second is the body of the message. The length of the message is retrieved and used to allocate enough memory for a local char array, messageBody, to be created for the message body. The messageBody is processed in the method processMessageBody that will return an error if an error occurs while processing. If an error occurs then the return result variable is set to indicate an error and the messageBody char array memory is released using the method free and an error message is sent to the logError method.
Vulnerable example
#define FAIL 0However, the call to the method logError includes the messageBody after the memory for messageBody has been released using the free method. This can cause unexpected results and may lead to system crashes. A variable should never be used after its memory resources have been released.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2009-3547 — Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
Terminology & mappings
Mapped taxonomies
- Software Fault Patterns: Faulty Resource Use (SFP15)
- CERT C Secure Coding: Do not access a closed file (FIO46-C) — CWE More Abstract fit
- CERT C Secure Coding: Do not access freed memory (MEM30-C) — CWE More Abstract fit
- OMG ASCSM (ASCSM-CWE-672)
Frequently asked questions
Common questions about CWE-672.
- What is CWE-672?
- The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
- What CVEs are caused by CWE-672?
- 45 recorded CVEs are attributed to CWE-672, including CVE-2024-47571, CVE-2020-12043, CVE-2026-43585.
- How is CWE-672 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-672?
- Exploiting CWE-672 can lead to: Modify Application Data, Read Application Data, Other, DoS: Crash, Exit, or Restart.
- Is CWE-672 actively exploited?
- 45 recorded CVEs are caused by CWE-672; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-672) (opens in a new tab)
- CWE-672 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-672
Get alerted the moment a new CWE-672 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.