CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
Learn about CWE-1045 (Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor), its security impact, exploitation methods, and prevention guidelines.
What is Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor?
• Overview:
- CWE-1045 applies when a parent class has a virtual destructor but its child class does not. This can cause issues during object destruction, because the child class's destructor might not be called properly, leading to resource cleanup problems.
• Exploitation Methods:
- An attacker could exploit this vulnerability by forcing the program to delete objects of the child class through a pointer to the parent class, leading to incomplete destruction.
- Common attack patterns include memory leak exploitation and resource depletion attacks.
• Security Impact:
- Direct consequences include memory leaks where resources allocated by the child class are not freed.
- Potential cascading effects can lead to memory exhaustion, program instability, or crashes over time.
- Business impact might involve increased operational costs due to resource wastage and potential downtime or degraded service performance.
• Prevention Guidelines:
- Ensure that all destructors in derived classes are declared virtual if the base class destructor is virtual.
- Regularly review and test code for proper inheritance and destructor behavior.
- Use static analysis tools to detect and resolve such issues early in the development process.
- Consider using smart pointers and RAII (Resource Acquisition Is Initialization) patterns to manage resource cleanup automatically.
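
The prevention guidelines above, shown as an added C++ example (not part of the original page or of the CWE entry; the page does not name a language, so C++ is an assumption). The names `Counters`, `Buffer`, `Connection`, `FileConnection` and `destroy_through_base` are hypothetical. The child declares its destructor explicitly, owns its resource through a smart pointer, and a compile-time check guards the class.

```cpp
// Added example; all class and function names are hypothetical.
#include <cstdio>
#include <memory>
#include <type_traits>
#include <vector>

struct Counters { int base_dtor = 0, child_dtor = 0, buffers_freed = 0; };

// Resource owned by the child class; released in its own destructor (RAII).
struct Buffer {
    explicit Buffer(Counters& c) : c_(c), data_(4096) {}
    ~Buffer() { ++c_.buffers_freed; }
    Counters& c_;
    std::vector<char> data_;
};

class Connection {  // parent class with a virtual destructor
public:
    explicit Connection(Counters& c) : c_(c) {}
    virtual ~Connection() { ++c_.base_dtor; }
protected:
    Counters& c_;
};

class FileConnection : public Connection {  // child class
public:
    explicit FileConnection(Counters& c)
        : Connection(c), buf_(std::make_unique<Buffer>(c)) {}
    // Declared explicitly; `override` fails to compile if the parent's
    // destructor is not virtual.
    ~FileConnection() override { ++c_.child_dtor; }
private:
    std::unique_ptr<Buffer> buf_;  // smart pointer, no manual delete needed
};

static_assert(std::has_virtual_destructor<FileConnection>::value,
              "FileConnection must have a virtual destructor");

// Creates n children and destroys each one through a parent-class pointer.
Counters destroy_through_base(int n) {
    Counters c;
    for (int i = 0; i < n; ++i) {
        std::unique_ptr<Connection> p = std::make_unique<FileConnection>(c);
    }  // p leaves scope here: the object is deleted via Connection*
    return c;
}

int main() {
    Counters c = destroy_through_base(1000);
    std::printf("child=%d base=%d buffers=%d\n", c.child_dtor, c.base_dtor, c.buffers_freed);
}
```

Counting destructor calls in a unit test like this gives the "review and test" guideline a concrete check: every object destroyed through the parent pointer should also run the child destructor and free the child's buffer.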
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified