CWE-626 (空字节交互错误) — Vulnerability Class 3

CWE-626 represents a critical input validation weakness where software fails to properly handle null bytes during data transitions between different programming languages or system components. This vulnerability arises because null bytes serve as string terminators in C-based libraries but are treated as valid characters in languages like PHP or Perl. Attackers typically exploit this discrepancy by injecting null bytes into user-controlled input to truncate expected string processing, thereby bypassing security checks or manipulating file path resolutions. For instance, an attacker might append a null byte to a filename to trick a C-based backend into ignoring a malicious extension that a PHP frontend validated. To mitigate this risk, developers must implement strict input sanitization that explicitly rejects or escapes null bytes before processing. Additionally, using consistent data handling libraries and avoiding mixed-language interfaces where possible reduces the likelihood of representation mismatches that lead to such poisoning errors.