The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.
Last updated
This weakness can be generally described as mismatching memory management routines, such as: The memory was allocated on the stack (automatically), but it was deallocated using the memory management routine free() (CWE-590), which is intended for explicitly allocated heap memory. The memory was allocated explicitly using one set of memory management functions, and deallocated using a different set. For example, memory might be allocated with malloc() in C++ instead of the new operator, and then deallocated with the delete operator. When the memory management functions are mismatched, the consequences may be as severe as code execution, memory corruption, or program crash. Consequences and ease of exploit will vary depending on the implementation of the routines and the object being managed.
11 recorded CVEs are caused by CWE-762 (Mismatched Memory Management Routines). The highest-severity and most recent are shown first. 1 new CWE-762 CVE has been recorded so far in 2026 (4 in 2025).
Memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54
Redis vulnerable to integer overflow in certain payloads
Mismatched Memory Management Routines in Wireshark
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
Mismatched Memory Management Routines in editcap
Mismatched Memory Management Routines in Wireshark
What can happen when CWE-762 is exploited.
Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands
Affects: Integrity, Availability, Confidentiality
Typically introduced during these phases of the software lifecycle.
Languages
Practical mitigations for CWE-762, grouped by where in the lifecycle they apply.
Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().
Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
For example, glibc in Linux provides protection against free of invalid pointers.
When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, glibc in Linux provides protection against free of invalid pointers.
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518] or valgrind [REF-480].
Effectiveness: Moderate
Illustrative examples from MITRE showing how the weakness appears in code.
This example allocates a BarObj object using the new operator in C++, however, the programmer then deallocates the object using free(), which may lead to unexpected behavior.
Vulnerable example
void foo(){Safe example
void foo(){Instead, the programmer should have either created the object with one of the malloc family functions, or else deleted the object with the delete operator.
In this example, the program does not use matching functions such as malloc/free, new/delete, and new[]/delete[] to allocate/deallocate the resource.
Vulnerable example
class A {In this example, the program calls the delete[] function on non-heap memory.
Vulnerable example
class A{Common questions about CWE-762.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-762 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.
Use a language that provides abstractions for memory allocation and deallocation.