CWE-401

Missing Release of Memory after Effective Lifetime. [Improper-Control-Of-A-Resource-Through-Its-Lifetime]

Required inputs: IR, StaticSemanticAnalysis

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
Demonstrative Examples Functional Areas
Example 1

The following C function leaks a block of allocated memory if the call to read() does not return the expected number of bytes:

Example Language:C
    char* getBlock(int fd) {
        char* buf = (char*) malloc(BLOCK_SIZE);
        if (!buf) {
            return NULL;
        }
        if (read(fd, buf, BLOCK_SIZE) != BLOCK_SIZE) {
            return NULL;
        }
        return buf;
    }
Demonstrative Examples Functional Areas
  • Memory Management
Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key

Text

Severity

Disabled

memory_leak

Call allocates leaking memory

None

False

possible_memory_leak

Call allocates possibly leaking memory

None

False

Options

resources

resources : set[str] = {'C++ArrayHeapMemory', 'C++HeapMemory', 'HeapMemory'}

Set of resources to be checked (selection of rules in the Resources group).
 

witness_paths

witness_paths : bool = True

Whether witness paths should be determined and included in the issue.
 

witness_should_include_exception_handling

witness_should_include_exception_handling : bool = False

Whether to only accept witness paths that include some kind of exception handling.