1. Home
  2. Weaknesses
  3. CWE-226

CWE-226: Sensitive Information in Resource Not Removed Before Reuse

ID CWE-226
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 9
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information.

Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated.

This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels.

Modes of Introduction

Phase Note
Implementation

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Technology Not Technology-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-459 Incomplete Cleanup Base Simple Draft
CWE-1000 Research Concepts Draft CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer Base Simple Incomplete
CWE-1000 Research Concepts Draft CWE-201 Insertion of Sensitive Information Into Sent Data Base Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-37 Retrieve Embedded Sensitive Data CWE-226

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date