Sensitive Information Uncleared Before Release
Weakness ID: 226 (Weakness Base)Status: Draft
+ Description

Description Summary

The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.

Extended Description

This typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. Failing to clear memory when finished may allow unintended actors to read the data when the memory is reallocated.

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

Language-independent

+ Observed Examples
ReferenceDescription
CVE-2003-0001Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
CVE-2003-0291router does not clear information from DHCP packets that have been previously used
CVE-2005-1406Products do not fully clear memory buffers when less data is stored into the buffer than previous.
CVE-2005-1858Products do not fully clear memory buffers when less data is stored into the buffer than previous.
CVE-2005-3180Products do not fully clear memory buffers when less data is stored into the buffer than previous.
CVE-2005-3276Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.
CVE-2002-2077Memory not properly cleared before reuse.
+ Weakness Ordinalities
OrdinalityDescription
Resultant
(where the weakness is typically related to the presence of some other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts1000
ChildOfWeakness BaseWeakness Base459Incomplete Cleanup
Research Concepts (primary)1000
ChildOfCategoryCategory633Weaknesses that Affect Memory
Resource-specific Weaknesses (primary)631
ChildOfCategoryCategory729OWASP Top Ten 2004 Category A8 - Insecure Storage
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory742CERT C Secure Coding Section 08 - Memory Management (MEM)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
CanAlsoBeWeakness BaseWeakness Base212Improper Cross-boundary Removal of Sensitive Data
Research Concepts1000
CanAlsoBeCategoryCategory310Cryptographic Issues
Research Concepts1000
ParentOfWeakness VariantWeakness Variant244Failure to Clear Heap Memory Before Release ('Heap Inspection')
Research Concepts (primary)1000
+ Relationship Notes

There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).

+ Research Gaps

Currently frequently found for network packets, but it can also exist in local memory allocation, files, etc.

+ Affected Resources
  • Memory
+ Functional Areas
  • Non-specific
  • memory management
  • networking
+ Causal Nature

Explicit

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERSensitive Information Uncleared Before Use
CERT C Secure CodingMEM03-CClear sensitive information stored in reusable resources returned for reuse
+ Maintenance Notes

This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective - the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities
2008-10-14CWE Content TeamMITREInternal
updated Relationships
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-05-27CWE Content TeamMITREInternal
updated Relationships
2009-10-29CWE Content TeamMITREInternal
updated Description, Other Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Sensitive Information Uncleared Before Use