[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248364

 
 

909

 
 

195388

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Sensitive Information Uncleared Before Release

ID: 226Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.

Extended Description

This typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, it may allow unintended actors to read the data when the memory is reallocated.

Applicable Platforms
Language Class: Language-independent

Time Of Introduction

  • Architecture and Design
  • Implementation
  • Operation

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
 		Read application data
 		 

Detection Methods
None

Potential Mitigations
None

Relationships
There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).

Related CWETypeViewChain
CWE-226 ChildOf CWE-895 Category CWE-888  

Demonstrative Examples
None

Observed Examples

  1. CVE-2003-0001 : Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
  2. CVE-2003-0291 : router does not clear information from DHCP packets that have been previously used
  3. CVE-2005-1406 : Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  4. CVE-2005-1858 : Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  5. CVE-2005-3180 : Products do not fully clear memory buffers when less data is stored into the buffer than previous.
  6. CVE-2005-3276 : Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.
  7. CVE-2002-2077 : Memory not properly cleared before reuse.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Sensitive Information Uncleared Before Use
 		 
CERT C Secure Coding MEM03-C
 		Clear sensitive information stored in reusable resources returned for reuse
 		 
CERT C++ Secure Coding MEM03-CPP
 		Clear sensitive information stored in returned reusable resources
 		 

References:
None

© SecPod Technologies