For commonly-used APIs and resource types, automated tools often have signatures that can spot this issue.
CWE-1341 Base Incomplete
Multiple Releases of Same Resource or Handle
This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close…
Definition
What is CWE-1341?
This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close violates the API's contract and leads to unpredictable and often dangerous behavior.
Modern software constantly acquires and releases resources such as memory blocks, file handles, and socket connections. APIs like `free()`, `delete()`, or `close()` are designed to manage this lifecycle, but they typically assume the developer will call them exactly once per resource. When the same release function is called a second time on an already-freed resource, the underlying system management structures can become corrupted. This corruption can directly cause crashes, memory leaks, or even create security gaps that attackers might exploit to execute arbitrary code.
To prevent this, developers must carefully manage the state of each resource handle, ensuring release calls are paired one-to-one with successful acquisitions. A common best practice is to set pointers or handles to NULL (or another null-like state) immediately after release, as many safe implementations will check for this and ignore subsequent calls. Reusing the same variable identifier for a different resource before properly closing the first is a major risk, as it can lead to closing the wrong, active resource, compounding the problem.
Real-world impact
Real-world CVEs caused by CWE-1341
-
file descriptor double close can cause the wrong file to be associated with a file descriptor.
-
Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition that leads to a double free (CWE-415).
-
Double free resultant from certain error conditions.
How attackers exploit it
Step-by-step attacker path
- 1
This example attempts to close a file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (CWE-415) occurs, causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews.
- 2
There are multiple possible fixes. This fix only has one call to fclose(), which is typically the preferred handling of this problem - but this simplistic method is not always possible.
- 3
This fix uses a flag to call fclose() only once. Note that this flag is explicit. The variable "f" could also have been used as it will be either NULL if the file is not able to be opened or a valid pointer if the file was successfully opened. If "f" is replacing "f_flg" then "f" would need to be set to NULL after the first fclose() call so the second fclose call would never be executed.
- 4
The following code shows a simple example of a double free vulnerability.
- 5
Double free vulnerabilities have two common (and sometimes overlapping) causes:
Vulnerable code example
Vulnerable C
This example attempts to close a file twice. In some cases, the C library fclose() function will catch the error and return an error code. In other implementations, a double-free (CWE-415) occurs, causing the program to fault. Note that the examples presented here are simplistic, and double fclose() calls will frequently be spread around a program, making them more difficult to find during code reviews.
char b[2000];
FILE *f = fopen("dbl_cls.c", "r");
if (f)
{
```
b[0] = 0;
fread(b, 1, sizeof(b) - 1, f);
printf("%s\n'", b);
int r1 = fclose(f);
printf("\n-----------------\n1 close done '%d'\n", r1);
int r2 = fclose(f); // Double close
printf("2 close done '%d'\n", r2);
} Secure code example
Secure C
There are multiple possible fixes. This fix only has one call to fclose(), which is typically the preferred handling of this problem - but this simplistic method is not always possible.
char b[2000];
FILE *f = fopen("dbl_cls.c", "r");
if (f)
{
```
b[0] = 0;
fread(b, 1, sizeof(b) - 1, f);
printf("%s\n'", b);
int r = fclose(f);
printf("\n-----------------\n1 close done '%d'\n", r);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-1341
- Implementation Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals.
- Implementation It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However, flag-tracking can increase code complexity and requires diligent compliance by the programmer.
- Implementation When closing a resource, set the resource's associated variable to NULL or equivalent value for the given language. Some APIs will ignore this null value without causing errors. For other APIs, this can lead to application crashes or exceptions, which may still be preferable to corrupting an unintended resource such as memory or data.
Detection signals
How to detect CWE-1341
Some compiler instrumentation tools such as AddressSanitizer (ASan) can indirectly detect some instances of this weakness.
Plexicus auto-detects CWE-1341 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-1341?
How serious is CWE-1341?
What languages or platforms are affected by CWE-1341?
How can I prevent CWE-1341?
How does Plexicus detect and fix CWE-1341?
Where can I learn more about CWE-1341?
Frequently asked questions
What is CWE-1341?
This vulnerability occurs when a program incorrectly tries to close or release the same system resource—like memory, a file, or a network connection—more than once. This double-free or double-close violates the API's contract and leads to unpredictable and often dangerous behavior.
How serious is CWE-1341?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-1341?
MITRE lists the following affected platforms: Java, Rust, C, C++, Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.
How can I prevent CWE-1341?
Change the code's logic so that the resource is only closed once. This might require simplifying or refactoring. This fix can be simple to do in small code blocks, but more difficult when multiple closes are buried within complex conditionals. It can be effective to implement a flag that is (1) set when the resource is opened, (2) cleared when it is closed, and (3) checked before closing. This approach can be useful when there are disparate cases in which closes must be performed. However,…
How does Plexicus detect and fix CWE-1341?
Plexicus's SAST engine matches the data-flow signature for CWE-1341 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-1341?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1341.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-1341
CWE-675 Parent
Multiple Operations on Resource in Single-Operation Context
This vulnerability occurs when a software component performs the same action on a resource multiple times, even though the action is…
CWE-174 Sibling
Double Decoding of the Same Data
This vulnerability occurs when an application decodes the same piece of data twice in sequence. This double processing can bypass or…
CWE-605 Sibling
Multiple Binds to the Same Port
This vulnerability occurs when a system's socket configuration allows multiple applications to bind to the same network port…
CWE-764 Sibling
Multiple Locks of a Critical Resource
This vulnerability occurs when a critical resource, such as a file, data structure, or connection, is locked more times than the software…
CWE-765 Sibling
Multiple Unlocks of a Critical Resource
This vulnerability occurs when a critical resource, like a lock or semaphore, is unlocked more times than it was locked, putting the…
CWE-672 Can precede
Operation on a Resource after Expiration or Release
This vulnerability occurs when a program continues to use a resource—like memory, a file handle, or a network connection—after it has been…
CWE-415 Child
Double Free
A double free vulnerability occurs when a program mistakenly calls the 'free()' function twice on the same block of memory.
Resources
Further reading
- MITRE — official CWE-1341 https://cwe.mitre.org/data/definitions/1341.html
- close - Perldoc Browser https://perldoc.perl.org/functions/close
- io - Core tools for working with streams — Python 3.9.7 documentation https://docs.python.org/3.9/library/io.html#io.IOBase.close
- FileOutputStream (Java Platform SE 7 ) https://docs.oracle.com/javase/7/docs/api/java/io/FileOutputStream.html
- FileOutputStream (Java SE 11 & JDK 11 ) https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/FileOutputStream.html
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.