
CWE-789 Uncontrolled Memory Allocation: vulnerability list (114)

Summary of the 114 CVE vulnerabilities in the CWE-789 Uncontrolled Memory Allocation weakness class, with AI-generated Chinese analysis.

CWE-789 is a memory allocation weakness: the program allocates memory based on an untrusted, potentially large size value without verifying that the value lies within the expected range. An attacker typically exploits this by submitting an oversized size value, causing the system to allocate an excessive amount of memory and leading to denial of service or memory exhaustion. Developers should validate any input that influences an allocation before the allocation happens, ensuring it falls within a reasonable and safe threshold, so that resources cannot be abused.

Official MITRE CWE description
CWE-789: Memory Allocation with Excessive Size Value. The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Common consequences (1)
Availability: DoS: Resource Consumption (Memory)
Not controlling memory allocation can result in a request for too much system memory, possibly leading to a crash of the application due to out-of-memory conditions, or the consumption of a large amount of memory on the system.
Mitigations (2)
Implementation, Architecture and Design: Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Operation: Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
Code examples (2)
Consider the following code, which accepts an untrusted size value and allocates a buffer to contain a string of the given size.

```c
#include <stdlib.h>

unsigned int size = GetUntrustedInt(); /* ignore integer overflow (CWE-190) for this example */
unsigned int totBytes = size * sizeof(char);
char *string = (char *)malloc(totBytes); /* the untrusted size reaches malloc with no upper bound */
InitializeString(string);
```

Bad · C
Consider the following code, which accepts an untrusted size value and uses the size as an initial capacity for a HashMap.

```java
import java.util.HashMap;

int size = GetUntrustedInt();      // attacker-controlled value
HashMap list = new HashMap(size);  // initial capacity taken directly from untrusted input
```

Bad · Java
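As an added example (not code from MITRE or from this site), the following C parser reads a length-prefixed field the way many of the format parsers in the list below must, and applies the two checks the mitigation text calls for before allocating: a policy limit on the declared size, and agreement between the declared size and the bytes actually received. The wire format, the MAX_FIELD_BYTES cap and the sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-request cap (assumption for this example). A real service
 * would make it an administrator-tunable setting, as the mitigation suggests. */
#define MAX_FIELD_BYTES (64u * 1024u)

/* Constructed sample messages: 4-byte big-endian length, then payload. */
static const uint8_t SAMPLE_OK[]    = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_HUGE[]  = {0x7F, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c'}; /* claims ~2 GiB */
static const uint8_t SAMPLE_TRUNC[] = {0x00, 0x00, 0x00, 0x0A, 'a'};           /* claims 10, carries 1 */

/* Parse one length-prefixed field into a freshly allocated NUL-terminated
 * copy (caller frees). Returns NULL when the declared length is refused.
 * The wire format is an assumption for this example. */
char *read_field_bounded(const uint8_t *msg, size_t msg_len, size_t limit, size_t *out_len) {
    if (msg == NULL || msg_len < 4) return NULL;
    uint32_t declared = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                        ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    /* Check 1: policy limit, applied before any allocation. */
    if (declared > limit) return NULL;
    /* Check 2: the declared length must be backed by bytes actually present. */
    if ((size_t)declared > msg_len - 4) return NULL;
    /* declared <= msg_len - 4, so declared + 1 cannot overflow size_t. */
    char *buf = (char *)malloc((size_t)declared + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, msg + 4, declared);
    buf[declared] = '\0';
    if (out_len != NULL) { *out_len = declared; }
    return buf;
}

int main(void) {
    size_t n = 0;
    char *f = read_field_bounded(SAMPLE_OK, sizeof SAMPLE_OK, MAX_FIELD_BYTES, &n);
    printf("ok message: %s (%zu bytes)\n", f ? f : "(refused)", n);
    free(f);
    f = read_field_bounded(SAMPLE_HUGE, sizeof SAMPLE_HUGE, MAX_FIELD_BYTES, &n);
    printf("huge message: %s\n", f ? "accepted" : "refused");
    free(f);
    f = read_field_bounded(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, MAX_FIELD_BYTES, &n);
    printf("truncated message: %s\n", f ? "accepted" : "refused");
    free(f);
    return 0;
}
```

Because the policy check runs before malloc, an oversized request is refused without any allocation, which is the behaviour the MITRE mitigation asks for; the second check catches the common case where a declared length is simply larger than the message that carries it.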
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-9538 | archive-tar-new security vulnerability | Archive::Tar | - | - | 2026-05-26 |
| CVE-2018-25378 | StokedOnIt Notebook Pro security vulnerability | Notebook Pro | 6.2 | Medium | 2026-05-25 |
| CVE-2018-25368 | Nord VPN security vulnerability | NordVPN | 7.5 | High | 2026-05-25 |
| CVE-2026-5740 | Mattermost security vulnerability | Mattermost | 7.5 | High | 2026-05-22 |
| CVE-2026-8485 | Progress Software MOVEit security vulnerability | MOVEit Automation | 5.9 | Medium | 2026-05-20 |
| CVE-2026-47313 | SAMSUNG Escargot security vulnerability | Escargot | 5.5 | Medium | 2026-05-19 |
| CVE-2026-6340 | Mattermost security vulnerability | Mattermost | 4.3 | Medium | 2026-05-18 |
| CVE-2021-47973 | WordPress plugin Sticky Notes Widget security vulnerability | Sticky Notes Widget | 7.5 | High | 2026-05-16 |
| CVE-2021-47972 | WordPress plugin Sticky Notes Color Widgets security vulnerability | Sticky Notes Color Widgets | 7.5 | High | 2026-05-16 |
| CVE-2021-47971 | My Notes Safe security vulnerability | My Notes Safe | 7.5 | High | 2026-05-16 |
| CVE-2021-47970 | Macaron Notes security vulnerability | Macaron Notes | 7.5 | High | 2026-05-16 |
| CVE-2021-47969 | Social & Mobile Color Notes security vulnerability | Color Notes | 7.5 | High | 2026-05-16 |
| CVE-2026-44375 | Nerdbank.MessagePack security vulnerability | Nerdbank.MessagePack | 7.5 | High | 2026-05-14 |
| CVE-2026-42946 | F5 NGINX Plus and F5 NGINX Open Source security vulnerability | NGINX Plus | 6.5 | Medium | 2026-05-13 |
| CVE-2026-42348 | OpenTelemetry .NET Contrib security vulnerability | opentelemetry-dotnet-contrib | 5.9 | Medium | 2026-05-12 |
| CVE-2021-47944 | memono Notepad security vulnerability | Notepad | 7.5 | High | 2026-05-10 |
| CVE-2026-42241 | ParquetSharp security vulnerability | ParquetSharp | 5.3 | Medium | 2026-05-07 |
| CVE-2026-43868 | Apache Thrift security vulnerability | Apache Thrift | 9.1 | - | 2026-05-05 |
| CVE-2026-42146 | CImg security vulnerability | CImg | 5.5 | Medium | 2026-05-04 |
| CVE-2026-42440 | Apache OpenNLP security vulnerability | Apache OpenNLP | 7.5 | - | 2026-05-04 |
| CVE-2018-25295 | Ambient ObserverIP Scan Tool security vulnerability | ObserverIP Scan Tool | 6.2 | Medium | 2026-04-26 |
| CVE-2018-25279 | jiNa OCR Image to Text security vulnerability | jiNa OCR Image to Text | 6.2 | Medium | 2026-04-26 |
| CVE-2018-25274 | InfraRecorder security vulnerability | InfraRecorder | 6.2 | Medium | 2026-04-26 |
| CVE-2026-33524 | zserio security vulnerability | zserio | 7.5 | High | 2026-04-24 |
| CVE-2026-40894 | OpenTelemetry .NET security vulnerability | opentelemetry-dotnet | 5.3 | Medium | 2026-04-23 |
| CVE-2026-40891 | OpenTelemetry .NET security vulnerability | opentelemetry-dotnet | 5.3 | Medium | 2026-04-23 |
| CVE-2026-40182 | OpenTelemetry .NET security vulnerability | opentelemetry-dotnet | 5.3 | Medium | 2026-04-23 |
| CVE-2026-41314 | pypdf security vulnerability | pypdf | 6.5 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-41312 | pypdf security vulnerability | pypdf | 6.5 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-35633 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-09 |

CWE-789 (Uncontrolled Memory Allocation) is a common weakness class; this platform lists 114 CVE vulnerabilities associated with it.