Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-14 (编译器移除释放缓冲区的代码) — Vulnerability Class 9

9 vulnerabilities classified as CWE-14 (编译器移除释放缓冲区的代码). AI Chinese analysis included.

CWE-14 represents a critical compiler optimization error where sensitive memory buffers, intended for secure erasure, remain uncleared due to dead store removal. Developers typically attempt to mitigate data leakage by explicitly overwriting secret data, such as cryptographic keys or passwords, with zeros or random values before freeing the memory. However, optimizing compilers may identify these writes as unnecessary if the memory is not subsequently read, effectively removing the scrubbing code to improve performance. This oversight allows attackers to recover sensitive information from memory dumps or core files, leading to severe confidentiality breaches. To prevent this, developers must employ compiler-specific directives, such as volatile qualifiers or intrinsic functions, to force the compiler to retain the clearing operations, ensuring that sensitive data is truly erased from memory before it becomes accessible to malicious actors.

MITRE CWE Description
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal." This compiler optimization error occurs when: Secret data are stored in memory. The secret data are scrubbed from memory by overwriting its contents. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently.
Common Consequences (1)
Confidentiality, Access ControlRead Memory, Bypass Protection Mechanism
This weakness will allow data that has not been cleared from memory to be read. If this data contains sensitive password information, then an attacker can read the password and use the information to bypass protection mechanisms.
Mitigations (3)
ImplementationStore the sensitive data in a "volatile" memory location if available.
Build and CompilationIf possible, configure your compiler so that it does not remove dead stores.
Architecture and DesignWhere possible, encrypt sensitive data that are used by a software system.
Examples (1)
The following code reads a password from the user, uses the password to connect to a back-end mainframe, and then attempts to scrub the password from memory using memset().
void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); }
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2025-64646 Multiple Vulnerabilities in IBM Concert Software — Concert 6.2 Medium2026-03-25
CVE-2023-32100 Key duplication in GSDK — Gecko Platform 5.3 Medium2023-05-18
CVE-2023-32099 Key duplication in GSDK — Gecko Platform 5.3 Medium2023-05-18
CVE-2023-32098 Key duplication in GSDK — Gecko Platform 5.3 Medium2023-05-18
CVE-2023-32097 Key duplication in GSDK — Gecko Platform 3.1 Low2023-05-18
CVE-2023-32096 Key duplication in GSDK — Gecko Platform 3.1 Low2023-05-18
CVE-2023-2481 Key duplication in GSDK — Gecko Platform 5.3 Medium2023-05-18
CVE-2023-1132 Key duplication in GSDK — Gecko Platform 5.3 Medium2023-05-18
CVE-2023-0965 Key duplication in GSDK — Gecko Platform 3.1 Low2023-05-18

Vulnerabilities classified as CWE-14 (编译器移除释放缓冲区的代码) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.