Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-226 (在释放前未清除敏感信息) — Vulnerability Class 27

27 vulnerabilities classified as CWE-226 (在释放前未清除敏感信息). AI Chinese analysis included.

CWE-226 represents a resource management weakness where sensitive data remains in memory or files after they are released for reuse. This flaw typically allows attackers to exploit residual information by accessing the recycled resource before it is overwritten, thereby retrieving confidential credentials, encryption keys, or personal data that should have been discarded. Developers can prevent this vulnerability by implementing rigorous zeroization procedures, ensuring that all sensitive contents are explicitly cleared or overwritten with neutral values immediately before releasing the resource. Additionally, adopting secure coding standards that mandate automatic cleanup during object destruction or using memory-safe languages can significantly reduce the risk of accidental data leakage, ensuring that critical state transitions do not expose previously held information to unauthorized entities.

MITRE CWE Description
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information. Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated. This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels.
Common Consequences (1)
ConfidentialityRead Application Data
Mitigations (2)
Architecture and Design, ImplementationDuring critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state.
Effectiveness: High
Architecture and Design, ImplementationWhen releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application …
Effectiveness: High
Examples (2)
This example shows how an attacker can take advantage of an incorrect state transition.
During the transition from A to B, the device does not scrub the memory.
Bad · Other
For transition from state A to state B, remove information which should not be available once the transition is complete.
Good · Other
The following code calls realloc() on a buffer containing sensitive data:
cleartext_buffer = get_secret();... cleartext_buffer = realloc(cleartext_buffer, 1024); ... scrub_memory(cleartext_buffer, 1024);
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2026-32960 Silex SD-330AC和Silex AMC Manager 安全漏洞 — SD-330AC 6.5 Medium2026-04-20
CVE-2026-5795 Eclipse Jetty 授权问题漏洞 — Eclipse Jetty 7.4 High2026-04-08
CVE-2025-14858 Semtech LR11xx Encrypted Firmware Disclosure — LR1110 4.6AIMediumAI2026-04-07
CVE-2019-25657 AnyBurn 4.3 x86 Denial of Service via Image Conversion — AnyBurn x86 5.5 Medium2026-04-05
CVE-2019-25645 WinAVI iPod 3GP MP4 PSP Converter 4.4.2 Denial of Service — WinAVI iPod/3GP/MP4/PSP Converter 6.2 Medium2026-03-24
CVE-2019-25617 Ease Audio Converter 5.30 Denial of Service via Audio Cutter — Ease Audio Converter 6.2 Medium2026-03-22
CVE-2019-25571 MediaMonkey 4.1.23 Denial of Service via Malformed URL — MediaMonkey 6.2 Medium2026-03-21
CVE-2019-25563 PCHelpWareV2 1.0.0.5 Denial of Service via SC Creation — PCHelpWareV2 6.2 Medium2026-03-21
CVE-2019-25560 Lyric Video Creator 2.1 Denial of Service via MP3 File — Lyric Video Creator 7.5 High2026-03-21
CVE-2019-25553 CEWE PHOTO IMPORTER 6.4.3 Denial of Service via Malformed Image — CEWE PHOTO IMPORTER 6.2 Medium2026-03-21
CVE-2025-0647 ARM CPU 安全漏洞 — Neoverse-N2 7.3AIHighAI2026-01-14
CVE-2025-33200 NVIDIA DGX Spark 安全漏洞 — DGX Spark 2.3 Low2025-11-25
CVE-2025-33198 NVIDIA DGX Spark 安全漏洞 — DGX Spark 3.3 Low2025-11-25
CVE-2025-33196 NVIDIA DGX Spark 安全漏洞 — DGX Spark 4.4 Medium2025-11-25
CVE-2025-11602 Untargeted information leak in Bolt protocol handshake — Enterprise Edition 5.3 -2025-10-31
CVE-2025-2522 Lack of buffer clearing before reuse may result in incorrect system behavior. — C300 PCNT02 6.5 Medium2025-07-10
CVE-2025-48066 wire-webapp has no database deletion on client logout — wire-webapp 6.0 Medium2025-05-22
CVE-2024-7883 CMSE secure state may leak from stack to floating-point registers — Arm Compiler for Embedded 3.7 Low2024-10-31
CVE-2024-38275 moodle: HTTP authorization header is preserved between "emulated redirects" — Moodle 6.1AIMediumAI2024-06-18
CVE-2024-32036 SixLabors.ImageSharp vulnerable to data leakage — ImageSharp 5.3 Medium2024-04-15
CVE-2023-41138 AppsAnywhere macOS 安全漏洞 — AppsAnywhere Client 7.5 High2023-11-09
CVE-2023-3006 Linux kernel 安全漏洞 — Kernel 5.1 -2023-05-31
CVE-2023-1637 Linux kernel 安全漏洞 — Kernel 7.1 -2023-03-27
CVE-2022-39393 Wasmtime vulnerable to data leakage between instances in the pooling allocator — wasmtime 8.6 High2022-11-10
CVE-2020-27218 Eclipse Jetty 安全漏洞 — Eclipse Jetty 4.8 -2020-11-28
CVE-2019-1573 Information Disclosure in GlobalProtect Agent — GlobalProtect Agent 2.5 Low2019-04-09
CVE-2018-7166 Joyent Node.js 缓冲区错误漏洞 — Node.js 7.5 -2018-08-21

Vulnerabilities classified as CWE-226 (在释放前未清除敏感信息) represent 27 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.