Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-244 (在释放前清理堆内存不恰当(堆检查)) — Vulnerability Class 15

15 vulnerabilities classified as CWE-244 (在释放前清理堆内存不恰当(堆检查)). AI Chinese analysis included.

CWE-244 represents a memory management weakness where sensitive data, such as passwords or encryption keys, remains exposed in heap memory after being resized or released. This vulnerability typically arises when developers use functions like realloc() without explicitly clearing the original memory buffer, leaving residual data accessible to attackers. Malicious actors exploit this by performing heap inspection attacks, utilizing memory dumps or core dumps to retrieve the lingering sensitive information. To mitigate this risk, developers must ensure that all sensitive data is securely wiped from memory before any allocation is freed or resized. Implementing explicit zeroing routines, such as memset_s, or using secure memory allocation libraries that automatically clear buffers upon release are effective strategies. By rigorously managing memory lifecycle and ensuring no residual traces remain, organizations can prevent unauthorized access to critical secrets stored in volatile memory.

MITRE CWE Description
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.
Common Consequences (1)
Confidentiality, OtherRead Memory, Other
Be careful using vfork() and fork() in security sensitive code. The process state will not be cleaned up and will contain traces of data from past use.
Examples (1)
The following code calls realloc() on a buffer containing sensitive data:
cleartext_buffer = get_secret();... cleartext_buffer = realloc(cleartext_buffer, 1024); ... scrub_memory(cleartext_buffer, 1024);
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2026-20039 Cisco Adaptive Security Appliance and Firepower Threat Defense Software SSL VPN Authentication Denial of Service Vulnerability — Cisco Secure Firewall Adaptive Security Appliance (ASA) Software 8.6 High2026-03-04
CVE-2025-33101 Multiple Vulnerabilities in IBM Concert Software. — Concert 5.9 Medium2026-02-17
CVE-2025-1722 Multiple Vulnerabilities in IBM Concert Software — Concert 5.9 Medium2026-01-20
CVE-2025-1719 Multiple Vulnerabilities in IBM Concert Software — Concert 5.9 Medium2026-01-20
CVE-2025-1721 BM Concert Software Improper Clearing of Heap Memory Before Release. — Concert 5.9 Medium2025-12-26
CVE-2025-36118 IBM Storage Virtualize Information Disclosure — Storage Virtualize 7.5 High2025-11-17
CVE-2025-36083 Multiple Vulnerabilities in IBM Concert Software. — Concert Software 6.2 Medium2025-10-28
CVE-2025-1759 IBM Concert Software information disclosure — Concert Software 5.9 Medium2025-08-18
CVE-2025-33013 IBM MQ Operator information disclosure — MQ Operator 6.2 Medium2025-07-24
CVE-2025-5105 TOZED ZLT W51 Service Port 7777 heap inspection — ZLT W51 7.3 High2025-05-23
CVE-2023-20070 Cisco Firepower Threat Defense 安全漏洞 — Cisco Firepower Threat Defense Software 4.0 Medium2023-11-01
CVE-2023-20031 Cisco Firepower Threat Defense 安全漏洞 — Cisco Firepower Threat Defense Software 4.0 Medium2023-11-01
CVE-2023-20177 Cisco Firepower Threat Defense 安全漏洞 — Cisco Firepower Threat Defense Software 4.0 Medium2023-11-01
CVE-2022-20943 多款Cisco产品安全漏洞 — Cisco Firepower Threat Defense Software 5.8 Medium2022-11-10
CVE-2022-20922 多款Cisco产品安全漏洞 — Cisco Firepower Threat Defense Software 5.8 Medium2022-11-10

Vulnerabilities classified as CWE-244 (在释放前清理堆内存不恰当(堆检查)) represent 15 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.