1. Home
  2. CWE Database
  3. CWE-226
Base · Medium

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product per...

CWE-226 · Base Level ·8 CVEs ·2 Mitigations

Description

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information. Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated. This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

This example shows how an attacker can take advantage of an incorrect state transition.
Bad
During the transition from A to B, the device does not scrub the memory.
Good
For transition from state A to state B, remove information which should not be available once the transition is complete.
The following code calls realloc() on a buffer containing sensitive data:
Bad
cleartext_buffer = get_secret();...cleartext_buffer = realloc(cleartext_buffer, 1024);...scrub_memory(cleartext_buffer, 1024);
There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data.
The following example code is excerpted from the AES wrapper/interface, aes0_wrapper, module of one of the AES engines (AES0) in the Hack@DAC'21 buggy OpenPiton System-on-Chip (SoC). Note that this SoC contains three distinct AES engines. Within this wrapper module, four 32-bit registers are utilized to store the message intended for encryption, referred to as p_c[i]. Using the AXI Lite interface, these registers are filled with the 128-bit message to be encrypted.
Bad
module aes0_wrapper #(...)(...);
		   ...
		   always @(posedge clk_i)
		   
			 begin
			 
			   if(~(rst_ni && ~rst_1)) //clear p_c[i] at reset
			   
				 begin
				 
                   start <= 0;
                   p_c[0] <= 0;
                   p_c[1] <= 0;
                   p_c[2] <= 0;
                   p_c[3] <= 0;
                   ...
				 
				 end
			   
			   else if(en && we)
			   
				 case(address[8:3])
				 
                   0:
				   
                     start  <= reglk_ctrl_i[1] ? start  : wdata[0];
				   
                   1:
				   
                     p_c[3] <= reglk_ctrl_i[3] ? p_c[3] : wdata[31:0];
				   
                   2:
				   
                     p_c[2] <= reglk_ctrl_i[3] ? p_c[2] : wdata[31:0];
				   
                   3:
				   
                     p_c[1] <= reglk_ctrl_i[3] ? p_c[1] : wdata[31:0];
				   
                   4:
				   
                     p_c[0] <= reglk_ctrl_i[3] ? p_c[0] : wdata[31:0];
				   
                   ...
				 
				 endcase
			   
			   end // always @ (posedge wb_clk_i)
			 
			 endmodule
Good
module aes0_wrapper #(...)(...);
		   ...
		   always @(posedge clk_i)
		   
			 begin
			 
			   if(~(rst_ni && ~rst_1)) //clear p_c[i] at reset
			   
				 ...
			   
			   else if(ct_valid) //encryption process complete, clear p_c[i]
			   
				 begin
				 
				   p_c[0] <= 0;
				   p_c[1] <= 0;
				   p_c[2] <= 0;
				   p_c[3] <= 0;
				 
				 end
			   
			   else if(en && we)
			   
				 case(address[8:3])
				 ...
				 endcase
			   
			   end // always @ (posedge wb_clk_i)
			 
			 endmodule

Mitigations & Prevention

Architecture and DesignImplementation High

During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state.

Architecture and DesignImplementation High

When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying

Detection Methods

  • Manual Analysis High — Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and th
  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2019-3733Cryptography library does not clear heap memory before release
CVE-2003-0001Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
CVE-2003-0291router does not clear information from DHCP packets that have been previously used
CVE-2005-1406Products do not fully clear memory buffers when less data is stored into the buffer than previous.
CVE-2005-1858Products do not fully clear memory buffers when less data is stored into the buffer than previous.
CVE-2005-3180Products do not fully clear memory buffers when less data is stored into the buffer than previous.
CVE-2005-3276Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.
CVE-2002-2077Memory not properly cleared before reuse.

CWE-459: Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove...

CWE-201: Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be ac...

Taxonomy Mappings

  • PLOVER: — Sensitive Information Uncleared Before Use
  • CERT C Secure Coding: MEM03-C — Clear sensitive information stored in reusable resources returned for reuse
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-226?

CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product per...

How can CWE-226 be exploited?

Attackers can exploit CWE-226 (Sensitive Information in Resource Not Removed Before Reuse) to read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-226?

Key mitigations include: During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next sta

What is the severity of CWE-226?

CWE-226 is classified as a Base-level weakness (Medium abstraction). It has been observed in 8 real-world CVEs.