Home/CWE/Improper Control of a Resource Through its Lifetime
Weakness

Improper Control of a Resource Through its Lifetime

CWE-664 · Pillar · Draft

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Extended description

Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction.".

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Children (more specific)
ParentOfCWE-118 · Incorrect Access of Indexable Resource ('Range Error')
ParentOfCWE-1229 · Creation of Emergent Resource
ParentOfCWE-1250 · Improper Preservation of Consistency Between Independent Representations of Shared State
ParentOfCWE-1329 · Reliance on Component That is Not Updateable
ParentOfCWE-221 · Information Loss or Omission
ParentOfCWE-372 · Incomplete Internal State Distinction
ParentOfCWE-400 · Uncontrolled Resource Consumption
ParentOfCWE-404 · Improper Resource Shutdown or Release
ParentOfCWE-410 · Insufficient Resource Pool
ParentOfCWE-471 · Modification of Assumed-Immutable Data (MAID)
ParentOfCWE-487 · Reliance on Package-level Scope
ParentOfCWE-495 · Private Data Structure Returned From A Public Method
ParentOfCWE-496 · Public Data Assigned to Private Array-Typed Field
ParentOfCWE-501 · Trust Boundary Violation
ParentOfCWE-580 · clone() Method Without super.clone()
ParentOfCWE-610 · Externally Controlled Reference to a Resource in Another Sphere
ParentOfCWE-662 · Improper Synchronization
ParentOfCWE-665 · Improper Initialization
ParentOfCWE-666 · Operation on Resource in Wrong Phase of Lifetime
ParentOfCWE-668 · Exposure of Resource to Wrong Sphere
ParentOfCWE-669 · Incorrect Resource Transfer Between Spheres
ParentOfCWE-673 · External Influence of Sphere Definition
ParentOfCWE-704 · Incorrect Type Conversion or Cast
ParentOfCWE-706 · Use of Incorrectly-Resolved Name or Reference
ParentOfCWE-911 · Improper Update of Reference Count
ParentOfCWE-913 · Improper Control of Dynamically-Managed Code Resources
ParentOfCWE-922 · Insecure Storage of Sensitive Information

Attack Patterns (CAPEC)

5
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-196Session Credential Falsification through Forging
CAPEC-21Exploitation of Trusted Identifiers
CAPEC-60Reusing Session IDs (aka Session Replay)
CAPEC-61Session Fixation
CAPEC-62Cross Site Request Forgery

CVEs With This Weakness

41
A sample of the 41 CVEs tagged with this weakness.
CVECVE-2026-8582
CVECVE-2026-8517
CVECVE-2025-54621
CVECVE-2025-54619
CVECVE-2025-54613
CVECVE-2025-54612
CVECVE-2025-34226
CVECVE-2025-21593
CVECVE-2024-7889
CVECVE-2024-45383
CVECVE-2024-41169
CVECVE-2024-37139
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin