CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE-226: Sensitive Information in Resource Not Removed Before Reuse (4.17)  
ID

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

Weakness ID: 226
Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.
×

Edit Custom Filter


+ Description
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
+ Extended Description

When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information.

Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated.

This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels.

+ Common Consequences
Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Impact Details

Read Application Data

Scope: Confidentiality

+ Potential Mitigations
Phase(s) Mitigation

Architecture and Design; Implementation
During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state.

Effectiveness: High

Architecture and Design; Implementation
When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.

Effectiveness: High
+ Relationships
Section Help This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+ Relevant to the view "Research Concepts" (View-1000)
Nature Type ID Name
ChildOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 212 Improper Removal of Sensitive Information Before Storage or Transfer
ChildOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 459 Incomplete Cleanup
ParentOf Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
ParentOf Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 1239 Improper Zeroization of Hardware Register
ParentOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 1272 Sensitive Information Uncleared Before Debug/Power State Transition
ParentOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 1301 Insufficient or Incomplete Data Removal within Hardware Component
ParentOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 1342 Information Exposure through Microarchitectural State after Transient Execution
CanPrecede Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 201 Insertion of Sensitive Information Into Sent Data
+ Relevant to the view "Hardware Design" (View-1194)
Nature Type ID Name
MemberOf Category Category - a CWE entry that contains a set of other entries that share a common characteristic. 1202 Memory and Storage Issues
ParentOf Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 1239 Improper Zeroization of Hardware Register
ParentOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 1342 Information Exposure through Microarchitectural State after Transient Execution
+ Modes Of Introduction
Section HelpThe different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase Note
Implementation
+ Applicable Platforms
Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Languages

Class: Not Language-Specific (Undetermined Prevalence)

Technologies

Class: Not Technology-Specific (Undetermined Prevalence)

+ Demonstrative Examples

Example 1


This example shows how an attacker can take advantage of an incorrect state transition.

Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible.

(bad code)
Example Language: Other 

During the transition from A to B, the device does not scrub the memory.

After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys.

(good code)
Example Language: Other 
For transition from state A to state B, remove information which should not be available once the transition is complete.


Example 2


The following code calls realloc() on a buffer containing sensitive data:

(bad code)
Example Language:
cleartext_buffer = get_secret();...
cleartext_buffer = realloc(cleartext_buffer, 1024);
...
scrub_memory(cleartext_buffer, 1024);

There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data.



Example 3


The following example code is excerpted from the AES wrapper/interface, aes0_wrapper, module of one of the AES engines (AES0) in the Hack@DAC'21 buggy OpenPiton System-on-Chip (SoC). Note that this SoC contains three distinct AES engines. Within this wrapper module, four 32-bit registers are utilized to store the message intended for encryption, referred to as p_c[i]. Using the AXI Lite interface, these registers are filled with the 128-bit message to be encrypted.

(bad code)
Example Language: Verilog 

module aes0_wrapper #(...)(...);
...
always @(posedge clk_i)
begin
if(~(rst_ni && ~rst_1)) //clear p_c[i] at reset
begin
start <= 0;
p_c[0] <= 0;
p_c[1] <= 0;
p_c[2] <= 0;
p_c[3] <= 0;
...
end
else if(en && we)
case(address[8:3])
0:
start <= reglk_ctrl_i[1] ? start : wdata[0];
1:
p_c[3] <= reglk_ctrl_i[3] ? p_c[3] : wdata[31:0];
2:
p_c[2] <= reglk_ctrl_i[3] ? p_c[2] : wdata[31:0];
3:
p_c[1] <= reglk_ctrl_i[3] ? p_c[1] : wdata[31:0];
4:
p_c[0] <= reglk_ctrl_i[3] ? p_c[0] : wdata[31:0];
...
endcase
end // always @ (posedge wb_clk_i)
endmodule

The above code snippet [REF-1402] illustrates an instance of a vulnerable implementation of the AES wrapper module, where p_c[i] registers are cleared at reset. Otherwise, p_c[i]registers either maintain their old values (if reglk_ctrl_i[3]is true) or get filled through the AXI signal wdata. Note that p_c[i]registers can be read through the AXI Lite interface (not shown in snippet). However, p_c[i] registers are never cleared after their usage once the AES engine has completed the encryption process of the message. In a multi-user or multi-process environment, not clearing registers may result in the attacker process accessing data left by the victim, leading to data leakage or unintentional information disclosure.

To fix this issue, it is essential to ensure that these internal registers are cleared in a timely manner after their usage, i.e., the encryption process is complete. This is illustrated below by monitoring the assertion of the cipher text valid signal, ct_valid [REF-1403].

(good code)
Example Language: Verilog 

module aes0_wrapper #(...)(...);
...
always @(posedge clk_i)
begin
if(~(rst_ni && ~rst_1)) //clear p_c[i] at reset
...
else if(ct_valid) //encryption process complete, clear p_c[i]
begin
p_c[0] <= 0;
p_c[1] <= 0;
p_c[2] <= 0;
p_c[3] <= 0;
end
else if(en && we)
case(address[8:3])
...
endcase
end // always @ (posedge wb_clk_i)
endmodule



+ Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference Description
Cryptography library does not clear heap memory before release
Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
router does not clear information from DHCP packets that have been previously used
Products do not fully clear memory buffers when less data is stored into the buffer than previous.
Products do not fully clear memory buffers when less data is stored into the buffer than previous.
Products do not fully clear memory buffers when less data is stored into the buffer than previous.
Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.
Memory not properly cleared before reuse.
+ Weakness Ordinalities
Ordinality Description
Primary
(where the weakness exists independent of other weaknesses)
+ Detection Methods
Method Details

Manual Analysis
Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.

Effectiveness: High

Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High
+ Functional Areas
  • Memory Management
  • Networking
+ Affected Resources
  • Memory
+ Memberships
Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Nature Type ID Name
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 729 OWASP Top Ten 2004 Category A8 - Insecure Storage
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 742 CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 876 CERT C++ Secure Coding Section 08 - Memory Management (MEM)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 963 SFP Secondary Cluster: Exposed Data
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1416 Comprehensive Categorization: Resource Lifecycle Management
+ Vulnerability Mapping Notes
Usage ALLOWED
(this CWE ID may be used to map to real-world vulnerabilities)
Reason Acceptable-Use

Rationale

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
+ Notes

Relationship

There is a close association between CWE-226 and CWE-212. The difference is partially that of perspective. CWE-226 is geared towards the final stage of the resource lifecycle, in which the resource is deleted, eliminated, expired, or otherwise released for reuse. Technically, this involves a transfer to a different control sphere, in which the original contents of the resource are no longer relevant. CWE-212, however, is intended for sensitive data in resources that are intentionally shared with others, so they are still active. This distinction is useful from the perspective of the CWE research view (CWE-1000).

Research Gap

This is frequently found for network packets, but it can also exist in local memory allocation, files, etc.

Maintenance

This entry needs modification to clarify the differences with CWE-212. The description also combines two problems that are distinct from the CWE research perspective: the inadvertent transfer of information to another sphere, and improper initialization/shutdown. Some of the associated taxonomy mappings reflect these different uses.
+ Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
PLOVER Sensitive Information Uncleared Before Use
CERT C Secure Coding MEM03-C Clear sensitive information stored in reusable resources returned for reuse
Software Fault Patterns SFP23 Exposed Data
+ Content History
+ Submissions
Submission Date Submitter Organization
2006-07-19
(CWE Draft 3, 2006-07-19) 		PLOVER
+ Contributions
Contribution Date Contributor Organization
2023-11-29
(CWE 4.14, 2024-02-29) 		Rahul Kande, Chen Chen, Jeyavijayan Rajendran Texas A&M University
suggested demonstrative example
2023-11-29
(CWE 4.14, 2024-02-29) 		Mohamadreza Rostami, Shaza Zeitouni, Ahmad-Reza Sadeghi Technical University of Darmstadt
suggested demonstrative example
+ Modifications
Modification Date Modifier Organization
2025-04-03
(CWE 4.17, 2025-04-03) 		CWE Content Team MITRE
updated Demonstrative_Examples
2024-02-29
(CWE 4.14, 2024-02-29) 		CWE Content Team MITRE
updated Demonstrative_Examples, Observed_Examples, References
2023-06-29 CWE Content Team MITRE
updated Mapping_Notes
2023-04-27 CWE Content Team MITRE
updated Detection_Factors, Relationships, Time_of_Introduction
2021-10-28 CWE Content Team MITRE
updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Relationships, Research_Gaps
2020-08-20 CWE Content Team MITRE
updated Description, Name, Related_Attack_Patterns, Relationships
2020-02-24 CWE Content Team MITRE
updated Applicable_Platforms, Description, Name, Relationships, Time_of_Introduction, Weakness_Ordinalities
2017-11-08 CWE Content Team MITRE
updated Causal_Nature, Functional_Areas, Relationships, Taxonomy_Mappings
2014-07-30 CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2011-09-13 CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2011-06-01 CWE Content Team MITRE
updated Common_Consequences, Relationships, Taxonomy_Mappings
2010-12-13 CWE Content Team MITRE
updated Description
2010-09-27 CWE Content Team MITRE
updated Relationships
2010-02-16 CWE Content Team MITRE
updated Applicable_Platforms, Maintenance_Notes, Relationship_Notes
2009-10-29 CWE Content Team MITRE
updated Description, Other_Notes
2009-05-27 CWE Content Team MITRE
updated Relationships
2009-03-10 CWE Content Team MITRE
updated Relationships
2008-11-24 CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2008-10-14 CWE Content Team MITRE
updated Relationships
2008-09-08 CWE Content Team MITRE
updated Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-07-01 Eric Dalci Cigital
updated Time_of_Introduction
+ Previous Entry Names
Change Date Previous Entry Name
2008-04-11 Sensitive Information Uncleared Before Use
2020-02-24 Sensitive Information Uncleared Before Release
2020-08-20 Sensitive Information Uncleared in Resource Before Release for Reuse
Page Last Updated: April 03, 2025
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.