CWE-226: Sensitive Information Uncleared Before Release
Weakness ID: 226
The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.
This typically results from new data that is not as long as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, it may allow unintended actors to read the data when the memory is reallocated.
There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).
Currently frequently found for network packets, but it can also exist in
local memory allocation, files, etc.
Mapped Taxonomy Name
Mapped Node Name
Sensitive Information Uncleared Before Use
CERT C Secure Coding
Clear sensitive information stored in reusable resources
returned for reuse
CERT C++ Secure Coding
Clear sensitive information stored in returned reusable
Software Fault Patterns
This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective - the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.