CWE-1087: Class with Virtual Method without a Virtual Destructor
Learn about CWE-1087 (Class with Virtual Method without a Virtual Destructor), its security impact, exploitation methods, and prevention guidelines.
What is Class with Virtual Method without a Virtual Destructor?
• Overview: A class with a virtual method should also have a virtual destructor to ensure proper cleanup of resources. Without a virtual destructor, the derived class destructor is not guaranteed to run when an object is deleted through a base-class pointer, leading to resource leaks or undefined behavior.
• Exploitation Methods:
- Attackers could exploit this by driving the program along a code path that deletes a derived object through a base-class pointer, which is undefined behavior and may crash the program or cause unexpected behavior.
- Common attack patterns involve manipulating object lifecycles, especially in scenarios involving dynamic polymorphism and object slicing.
• Security Impact:
- Direct consequences include resource leaks, such as memory leaks, which can degrade system performance or stability.
- Potential cascading effects involve undefined behavior, which could be leveraged to bypass security controls.
- Business impact includes increased maintenance costs, system downtime, and potential data integrity issues.
• Prevention Guidelines:
- Specific code-level fixes include declaring destructors as virtual in any base class with virtual methods.
- Security best practices involve regularly reviewing and updating code to ensure all polymorphic base classes have virtual destructors.
- Recommended tools and frameworks include static analysis tools that check for virtual destructor presence, such as Clang Static Analyzer or Cppcheck.
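The following added example (not code from the original page or from Corgea) shows the defective base class beside its corrected form, plus a compile-time check a reviewer can drop into a unit test; the `Shape`/`Circle` names and the live-resource counter are constructed for illustration.

```cpp
#include <memory>
#include <type_traits>

// Constructed bookkeeping: counts live Circle objects. If a derived
// destructor is skipped, this counter never returns to zero (a leak).
static int g_live_circles = 0;

// "Before" (CWE-1087): polymorphic base with a non-virtual destructor.
// Deleting a derived object through a ShapeBad* is undefined behaviour,
// so in practice ~CircleBad is never run and its resources leak.
struct ShapeBad {
    virtual double area() const = 0;
    ~ShapeBad() {}  // not virtual: the defect
};
struct CircleBad : ShapeBad {
    CircleBad() { ++g_live_circles; }
    ~CircleBad() { --g_live_circles; }  // skipped when deleted via ShapeBad*
    double area() const override { return 3.14159; }
};

// "After": identical hierarchy, but the base destructor is virtual, so
// `delete` through a Shape* dispatches to the most-derived destructor.
struct Shape {
    virtual double area() const = 0;
    virtual ~Shape() = default;  // the fix
};
struct Circle : Shape {
    Circle() { ++g_live_circles; }
    ~Circle() override { --g_live_circles; }
    double area() const override { return 3.14159; }
};

// Compile-time check: a polymorphic type must have a virtual destructor.
// Usable in static_assert or in a unit test over every base class.
template <class T>
constexpr bool safe_to_delete_polymorphically() {
    return !std::is_polymorphic<T>::value || std::has_virtual_destructor<T>::value;
}
static_assert(safe_to_delete_polymorphically<Shape>(), "Shape needs a virtual dtor");

// Create a Circle, release it through an owning base pointer, and report
// how many Circle objects are still accounted as live (expected: 0).
int live_circles_after_delete_via_base() {
    g_live_circles = 0;
    {
        std::unique_ptr<Shape> s = std::make_unique<Circle>();
        (void)s->area();
    }  // unique_ptr<Shape> deletes via Shape*, which reaches ~Circle
    return g_live_circles;
}
```

GCC and Clang also flag the "before" form at build time with `-Wnon-virtual-dtor` and `-Wdelete-non-virtual-dtor`, which complements the Clang Static Analyzer and Cppcheck checks mentioned above.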
Corgea can automatically detect and fix Class with Virtual Method without a Virtual Destructor in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified