Sensitive Information Uncleared Before Release
Description The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere. Extended DescriptionThis typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, it may allow unintended actors to read the data when the memory is reallocated. Applicable PlatformsLanguage Class: Language-independent Time Of Introduction
Common Consequences
Detection MethodsNone Potential MitigationsNone RelationshipsThere is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).
Demonstrative ExamplesNone Observed Examples
White Box Definitions None Black Box Definitions None Taxynomy Mappings
References:None |