CWE · MITRE source
CWE-664: Improper Control of a Resource Through its Lifetime
The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Resources often have explicit instructions on how to be created, used and destroyed. When code does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states. Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "do not use an object after it has been slated for destruction."
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 21 mapping(s) from 4 framework(s): ATT&CK 13 (mostly) · CAPEC 5 (partial) · STIG windows server 2016 2 (mostly) · STIG windows server 2019 1 (partial)
NIST 800-53 r5 controls that address this weakness (3) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SA-15 | Development Process, Standards, and Tools | SA | Requires a managed development lifecycle process with integrity controls on changes, improving control of resources throughout their lifetime. |
| SA-24 | Design For Cyber Resiliency | SA | Requires designing resource lifetime controls that anticipate, withstand, and recover from stresses or attacks, mitigating improper resource control. |
| SI-14 | Non-persistence | SI | Directly enforces limited resource lifetime by requiring initiation from a known state and explicit termination, shrinking the window any long-lived resource weakness can be exploited. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-27518 KEV | 10.0 | 9.8 | 0.0693 | 2022-12-13 |
| CVE-2016-8763 | 5.5 | 7.8 | 0.0075 | 2017-04-02 |
| CVE-2019-5816 | 5.5 | 8.8 | 0.0165 | 2019-06-27 |
| CVE-2020-3175 | 5.5 | 8.6 | 0.0163 | 2020-02-26 |
| CVE-2022-2048 | 5.5 | 7.5 | 0.0182 | 2022-07-07 |
| CVE-2022-2191 | 5.5 | 7.5 | 0.0167 | 2022-07-07 |
| CVE-2022-20856 | 5.5 | 8.6 | 0.0108 | 2022-09-30 |
| CVE-2022-32846 | 5.5 | 7.5 | 0.0061 | 2023-02-27 |
| CVE-2023-44288 | 5.5 | 7.5 | 0.0070 | 2023-12-05 |
| CVE-2023-52387 | 5.5 | 7.5 | 0.0034 | 2024-02-18 |
| CVE-2024-7889 | 5.5 | 7.3 | 0.0025 | 2024-09-11 |
| CVE-2024-41169 UPD | 5.5 | 7.5 | 0.0056 | 2025-07-12 |
| CVE-2026-8517 UPD | 5.5 | 8.8 | 0.0050 | 2026-05-14 |
| CVE-2026-43503 UPD | 5.5 | 8.8 | 0.0014 | 2026-05-23 |
| CVE-2019-16779 | 3.5 | 5.8 | 0.0140 | 2019-12-16 |
| CVE-2020-1620 | 3.5 | 5.5 | 0.0030 | 2020-04-08 |
| CVE-2020-1621 | 3.5 | 5.5 | 0.0030 | 2020-04-08 |
| CVE-2020-1622 | 3.5 | 5.5 | 0.0030 | 2020-04-08 |
| CVE-2021-1592 | 3.5 | 4.3 | 0.0103 | 2021-08-25 |
| CVE-2022-20748 | 3.5 | 5.3 | 0.0121 | 2022-05-03 |
| CVE-2022-27512 | 3.5 | 5.3 | 0.0093 | 2022-06-16 |
| CVE-2022-31153 | 3.5 | 6.5 | 0.0112 | 2022-07-15 |
| CVE-2022-22249 | 3.5 | 6.5 | 0.0045 | 2022-10-18 |
| CVE-2022-22250 | 3.5 | 6.5 | 0.0030 | 2022-10-18 |
| CVE-2022-46144 | 3.5 | 6.5 | 0.0087 | 2022-12-13 |