1. Home
  2. CWE Database
  3. CWE-244
Variant · Low-Medium

CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

CWE-244 · Variant Level ·1 CVEs

Description

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.

Potential Impact

Confidentiality, Other

Read Memory, Other

Demonstrative Examples

The following code calls realloc() on a buffer containing sensitive data:
Bad
cleartext_buffer = get_secret();...cleartext_buffer = realloc(cleartext_buffer, 1024);...scrub_memory(cleartext_buffer, 1024);
There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2019-3733Cryptography library does not clear heap memory before release

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not cle...

CWE-669: Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior ...

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — Heap Inspection
  • CERT C Secure Coding: MEM03-C — Clear sensitive information stored in reusable resources returned for reuse
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-244?

CWE-244 (Improper Clearing of Heap Memory Before Release ('Heap Inspection')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

How can CWE-244 be exploited?

Attackers can exploit CWE-244 (Improper Clearing of Heap Memory Before Release ('Heap Inspection')) to read memory, other. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-244?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-244?

CWE-244 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVEs.