Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.
CWE-226 Base Draft
Sensitive Information in Resource Not Removed Before Reuse
This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when…
Definition
What is CWE-226?
This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context.
When an operating system or application frees resources—such as deallocating memory or deleting a file—it typically doesn't automatically wipe the stored data for performance reasons. This leftover information can then be exposed if the resource is reused by another part of the system or a different user. The risk also appears within the same process, like when new variable-length data doesn't fully overwrite older, larger data, leaving remnants in memory structures or on disk.
This flaw extends to hardware states, such as transitions between power, sleep, or debug modes, where residual data might leak across privilege boundaries. Proactively clearing sensitive data before reuse is a key defense. While SAST tools can detect these patterns, Plexicus uses AI to not only identify the issue but also generate the specific code fixes—like zeroizing memory or securely wiping files—saving significant manual remediation effort across your application portfolio.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-226
-
Cryptography library does not clear heap memory before release
-
Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
-
router does not clear information from DHCP packets that have been previously used
-
Products do not fully clear memory buffers when less data is stored into the buffer than previous.
-
Products do not fully clear memory buffers when less data is stored into the buffer than previous.
-
Products do not fully clear memory buffers when less data is stored into the buffer than previous.
-
Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.
-
Memory not properly cleared before reuse.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
This example shows how an attacker can take advantage of an incorrect state transition.
- 2
Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible.
- 3
After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys.
- 4
The following code calls realloc() on a buffer containing sensitive data:
- 5
There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data.
Verwundbares Codebeispiel
Vulnerable Other
Suppose a device is transitioning from state A to state B. During state A, it can read certain private keys from the hidden fuses that are only accessible in state A but not in state B. The device reads the keys, performs operations using those keys, then transitions to state B, where those private keys should no longer be accessible.
During the transition from A to B, the device does not scrub the memory. Sicheres Codebeispiel
Secure Other
After the transition to state B, even though the private keys are no longer accessible directly from the fuses in state B, they can be accessed indirectly by reading the memory that contains the private keys.
For transition from state A to state B, remove information which should not be available once the transition is complete. What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-226
- Architecture and Design / Implementation During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state.
- Architecture and Design / Implementation When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.
Erkennungssignale
How to detect CWE-226
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Plexicus erkennt CWE-226 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-226?
Wie gravierend ist CWE-226?
Welche Sprachen oder Plattformen sind von CWE-226 betroffen?
Wie kann ich CWE-226 verhindern?
Wie erkennt und behebt Plexicus CWE-226?
Wo erfahre ich mehr über CWE-226?
Frequently asked questions
Was ist CWE-226?
This vulnerability occurs when a system releases a resource like memory or a file for reuse but fails to erase the sensitive data it previously contained. The old information remains accessible when the resource is allocated to a new process or used in a different context.
Wie gravierend ist CWE-226?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-226 betroffen?
MITRE lists the following affected platforms: Not Technology-Specific.
Wie kann ich CWE-226 verhindern?
During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state. When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into…
Wie erkennt und behebt Plexicus CWE-226?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-226 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-226?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/226.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-226
CWE-459 Parent
Incomplete Cleanup
This vulnerability occurs when an application fails to properly remove temporary files, data structures, or system resources after they…
CWE-460 Sibling
Improper Cleanup on Thrown Exception
This vulnerability occurs when a program fails to properly restore its state or release resources after an exception is thrown, leaving…
CWE-568 Sibling
finalize() Method Without super.finalize()
This vulnerability occurs when a Java class overrides the finalize() method but fails to call super.finalize() within it.
CWE-201 Kann vorausgehen
Insertion of Sensitive Information Into Sent Data
This vulnerability occurs when an application sends data to an external party, but accidentally includes sensitive information—like…
CWE-1239 Child
Improper Zeroization of Hardware Register
This vulnerability occurs when a hardware component fails to properly erase sensitive data from its internal registers before a new user…
CWE-1272 Child
Sensitive Information Uncleared Before Debug/Power State Transition
This vulnerability occurs when a device changes its power mode or enters a debug state but fails to wipe sensitive data that should become…
CWE-1301 Child
Insufficient or Incomplete Data Removal within Hardware Component
The product's data removal process fails to completely erase all data from hardware components, potentially leaving sensitive information…
CWE-1342 Child
Information Exposure through Microarchitectural State after Transient Execution
This vulnerability occurs when a CPU fails to completely erase temporary data traces left behind by speculative execution or error…
CWE-244 Child
Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Using realloc() to resize buffers containing secrets like passwords or keys can leave that sensitive data exposed in memory, as the…
Ressourcen
Further reading
- MITRE — offizielle CWE-226 https://cwe.mitre.org/data/definitions/226.html
- aes0_wrapper.sv https://github.com/HACK-EVENT/hackatdac21/blob/65d0ffdab7426da4509c98d62e163bcce642f651/piton/design/chip/tile/ariane/src/aes0/aes0_wrapper.sv#L84C2-L90C29
- Fix for aes0_wrapper https://github.com/HACK-EVENT/hackatdac21/blob/0034dff6852365a8c4e36590a47ea8b088d725ae/piton/design/chip/tile/ariane/src/aes0/aes0_wrapper.sv#L96C1-L102C16
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.