CWE-226: Sensitive Information in Resource Not Removed Before Reuse
Risk rating: low-risk

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
Common Consequences
Detection Methods
Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
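The pattern-write/release/read-back procedure above, as an added example that is not part of the CWE entry: a hypothetical fixed-slot pool with a release path that leaves the slot intact (the weakness) beside one that zeroizes it, plus the test harness that decides pass or fail. The pool keeps its backing array for its whole lifetime, so reading a released slot is well-defined C; running the same test against heap memory after free() would be undefined behaviour and would need a custom allocator or a debug build of the real one. The zeroize helper also shows the caveat that matters for the SAST paragraph: a plain memset() on a buffer that is about to go out of use is a dead store the optimizer may remove, and that removed-clear pattern (CWE-14) is one of the things static analyzers look for here. All names (pool_t, pool_release_unsafe, pool_release_safe, secure_zero, pattern_survives_release) and the 0xA5 test pattern are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE    64
#define SLOT_COUNT   4
#define PATTERN_BYTE 0xA5   /* constructed test pattern: neither 0x00 nor 0xFF */

/* Hypothetical fixed-slot pool (not a real allocator). The backing array is
 * owned by the pool for its whole lifetime, so inspecting a released slot is
 * well-defined, unlike reading heap memory after free(). */
typedef struct {
    uint8_t slots[SLOT_COUNT][SLOT_SIZE];
    int     in_use[SLOT_COUNT];
} pool_t;

typedef void (*release_fn)(pool_t *, int);

static int pool_acquire(pool_t *p)
{
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return i;
        }
    }
    return -1;
}

/* Vulnerable release (CWE-226): the slot is marked free but its contents are
 * left in place, so the next acquirer, or anyone with a read primitive, sees them. */
static void pool_release_unsafe(pool_t *p, int idx)
{
    p->in_use[idx] = 0;
}

/* A direct memset() just before the buffer goes out of use is a dead store the
 * compiler may legally delete (CWE-14). Calling memset through a volatile
 * function pointer keeps the call; memset_s() or explicit_bzero() do the same
 * where they are available. */
static void *(*volatile memset_keep)(void *, int, size_t) = memset;

static void secure_zero(void *buf, size_t len)
{
    memset_keep(buf, 0, len);
}

/* Hardened release: zeroize before the slot becomes reusable. */
static void pool_release_safe(pool_t *p, int idx)
{
    secure_zero(p->slots[idx], SLOT_SIZE);
    p->in_use[idx] = 0;
}

/* The detection procedure: write a known pattern, trigger the release, read the
 * location back. Returns 1 if the pattern survived (test fails, release path is
 * vulnerable), 0 if it was cleared, -1 if the pool could not hand out a slot. */
static int pattern_survives_release(release_fn release)
{
    uint8_t pattern[SLOT_SIZE];
    pool_t  pool;

    memset(pattern, PATTERN_BYTE, sizeof pattern);
    memset(&pool, 0, sizeof pool);

    int idx = pool_acquire(&pool);
    if (idx < 0)
        return -1;

    memcpy(pool.slots[idx], pattern, SLOT_SIZE); /* the "sensitive" contents */
    release(&pool, idx);                          /* the state transition under test */

    return memcmp(pool.slots[idx], pattern, SLOT_SIZE) == 0;
}

int main(void)
{
    printf("unsafe release: pattern survives = %d\n",
           pattern_survives_release(pool_release_unsafe));
    printf("safe release:   pattern survives = %d\n",
           pattern_survives_release(pool_release_safe));
    return 0;
}
```

Build with optimization on (for example `-O2`) when running this kind of test against real code: the dead-store problem only shows up once the optimizer is allowed to drop the clearing memset, and a debug build can pass while the shipped binary fails.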
Real-World Examples (10)
| CVE | CVSS base score | EPSS exploitation probability | CISA KEV |
|---|---|---|---|
| CVE-2018-7166 | 7.5 | 0.9% | — |
| CVE-2020-27218 | 4.8 | 0.6% | — |
| CVE-2024-38275 | 7.5 | 0.5% | — |
| CVE-2024-32036 | 5.3 | 0.4% | — |
| CVE-2024-7883 | 3.7 | 0.4% | — |
| CVE-2022-39393 | 8.6 | 0.3% | — |
| CVE-2019-1573 | 2.5 | 0.2% | — |
| CVE-2025-2522 | 6.5 | 0.1% | — |
| CVE-2019-25560 | 7.5 | 0.1% | — |
| CVE-2024-21850 | 6.0 | 0.0% | — |