Cyber Resilience


CWE-664: Improper Control of a Resource Through its Lifetime

Abstraction: Pillar · CVEs in our corpus: 42

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 21 mapping(s) from 4 framework(s): ATT&CK 13 (mostly) · CAPEC 5 (partial) · STIG windows server 2016 2 (mostly) · STIG windows server 2019 1 (partial)


NIST 800-53 r5 controls that address this weakness (3) · AI

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-15 | Development Process, Standards, and Tools | SA | Requires a managed development lifecycle process with integrity controls on changes, improving control of resources throughout their lifetime. |
| SA-24 | Design For Cyber Resiliency | SA | Requires designing resource lifetime controls that anticipate, withstand, and recover from stresses or attacks, mitigating improper resource control. |
| SI-14 | Non-persistence | SI | Directly enforces limited resource lifetime by requiring initiation from a known state and explicit termination, shrinking the window any long-lived resource weakness can be exploited. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-27518 KEV | 10.0 | 9.8 | 0.0693 | 2022-12-13 |
| CVE-2016-8763 | 5.5 | 7.8 | 0.0075 | 2017-04-02 |
| CVE-2019-5816 | 5.5 | 8.8 | 0.0165 | 2019-06-27 |
| CVE-2020-3175 | 5.5 | 8.6 | 0.0163 | 2020-02-26 |
| CVE-2022-2048 | 5.5 | 7.5 | 0.0182 | 2022-07-07 |
| CVE-2022-2191 | 5.5 | 7.5 | 0.0167 | 2022-07-07 |
| CVE-2022-20856 | 5.5 | 8.6 | 0.0108 | 2022-09-30 |
| CVE-2022-32846 | 5.5 | 7.5 | 0.0061 | 2023-02-27 |
| CVE-2023-44288 | 5.5 | 7.5 | 0.0070 | 2023-12-05 |
| CVE-2023-52387 | 5.5 | 7.5 | 0.0034 | 2024-02-18 |
| CVE-2024-7889 | 5.5 | 7.3 | 0.0025 | 2024-09-11 |
| CVE-2024-41169 UPD | 5.5 | 7.5 | 0.0056 | 2025-07-12 |
| CVE-2026-8517 UPD | 5.5 | 8.8 | 0.0050 | 2026-05-14 |
| CVE-2026-43503 UPD | 5.5 | 8.8 | 0.0014 | 2026-05-23 |
| CVE-2019-16779 | 3.5 | 5.8 | 0.0140 | 2019-12-16 |
| CVE-2020-1620 | 3.5 | 5.5 | 0.0030 | 2020-04-08 |
| CVE-2020-1621 | 3.5 | 5.5 | 0.0030 | 2020-04-08 |
| CVE-2020-1622 | 3.5 | 5.5 | 0.0030 | 2020-04-08 |
| CVE-2021-1592 | 3.5 | 4.3 | 0.0103 | 2021-08-25 |
| CVE-2022-20748 | 3.5 | 5.3 | 0.0121 | 2022-05-03 |
| CVE-2022-27512 | 3.5 | 5.3 | 0.0093 | 2022-06-16 |
| CVE-2022-31153 | 3.5 | 6.5 | 0.0112 | 2022-07-15 |
| CVE-2022-22249 | 3.5 | 6.5 | 0.0045 | 2022-10-18 |
| CVE-2022-22250 | 3.5 | 6.5 | 0.0030 | 2022-10-18 |
| CVE-2022-46144 | 3.5 | 6.5 | 0.0087 | 2022-12-13 |