CWE-666: Operation on Resource in Wrong Phase of Lifetime
Official CWE-666 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-666: Operation on Resource in Wrong Phase of Lifetime
Operation on Resource in Wrong Phase of Lifetime represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Other: Other
Developer Pattern
CWE-666 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-666, 4.20.
Official CWE Definition
CWE-666: Operation on Resource in Wrong Phase of Lifetime
The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
A resource's lifecycle includes several phases: initialization, use, and release. For each phase, it is important to follow the specifications outlined for how to operate on the resource and to ensure that the resource is in the expected phase. Otherwise, if a resource is in one phase but the operation is not valid for that phase (i.e., an incorrect phase of the resource's lifetime), then this can produce resultant weaknesses. For example, using a resource before it has been fully initialized could cause corruption or incorrect data to be used.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The following code shows a simple example of a double free vulnerability. Double free vulnerabilities have two common (and sometimes overlapping) causes:,[object Object],Although some double free vulnerabilities are not much more complicated than this example, most are spread out across hundreds of lines of code or even different files. Programmers seem particularly susceptible to freeing global variables more than once.
Remediation
- Architecture and Design: Follow the resource's lifecycle from creation to release.
Detection
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-415: Double Free
- CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
- CWE-605: Multiple Binds to the Same Port
- CWE-664: Improper Control of a Resource Through its Lifetime
- CWE-672: Operation on a Resource after Expiration or Release
- CWE-826: Premature Release of Resource During Expected Lifetime
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.