1. Home
  2. CWE Database
  3. CWE-626
Variant · Low-Medium

CWE-626: Null Byte Interaction Error (Poison Null Byte)

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

CWE-626 · Variant Level ·2 CVEs ·1 Mitigations

Description

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

Potential Impact

Integrity

Unexpected State

Mitigations & Prevention

Implementation

Remove null bytes from all incoming strings.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2005-4155NUL byte bypasses PHP regular expression check
CVE-2005-3153inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection

CWE-147: Improper Neutralization of Input Terminators

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special ele...

CWE-436: Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its p...

Frequently Asked Questions

What is CWE-626?

CWE-626 (Null Byte Interaction Error (Poison Null Byte)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

How can CWE-626 be exploited?

Attackers can exploit CWE-626 (Null Byte Interaction Error (Poison Null Byte)) to unexpected state. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-626?

Key mitigations include: Remove null bytes from all incoming strings.

What is the severity of CWE-626?

CWE-626 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 2 real-world CVEs.