CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information
The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.
Last updated
Overview
Security sensitive values, keys, intermediate steps of cryptographic operations, etc. are stored in temporary registers in the hardware. If these values are not cleared when debug mode is entered they may be accessed by a debugger allowing sensitive information to be accessible by untrusted parties.
Real-world CVEs
12 recorded CVEs are caused by CWE-1258 (Exposure of Sensitive System Information Due to Uncleared Debug Information). The highest-severity and most recent are shown first. 4 new CWE-1258 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2024-36913
Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
High · CVSS 8.1 · EPSS 56th2024-05-30 - CVE-2024-36912High · CVSS 8.1 · EPSS 56th2024-05-30
- CVE-2026-52696
WordPress JetBlog plugin <= 2.4.8 - Sensitive Data Exposure vulnerability
High · CVSS 7.5 · EPSS 15th2026-06-17 - CVE-2022-39292
Exposure of sensitive Slack webhook URLs in debug logs and traces
High · CVSS 7.5 · EPSS 48th2022-10-10 - CVE-2022-31162High · CVSS 7.5 · EPSS 50th2022-07-21
- CVE-2023-48308Medium · CVSS 6.5 · EPSS 42th2023-12-21
- CVE-2022-43666Medium · CVSS 5.5 · EPSS 12th2023-11-14
- CVE-2025-32257
WordPress 1 Click WordPress Migration plugin <= 2.5.7 - Sensitive Data Exposure vulnerability
Medium · CVSS 5.3 · EPSS 52th2025-04-04 - CVE-2026-26948Medium · CVSS 4.9 · EPSS 21th2026-03-18
- CVE-2025-26482Medium · CVSS 4.9 · EPSS 20th2025-09-25
- CVE-2025-14551
Senstive information disclosure was affecting subiquity
Low · CVSS 2.7 · EPSS 20th2026-04-09 - CVE-2025-15480
Senstive information disclosure was affecting ubuntu-desktop-provision
Low · CVSS 2.7 · EPSS 23th2026-04-09
Common consequences
What can happen when CWE-1258 is exploited.
Read Memory
Affects: Confidentiality
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1258, grouped by where in the lifecycle they apply.
Whenever debug mode is enabled, all registers containing sensitive assets must be cleared.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
A cryptographic core in a System-On-a-Chip (SoC) is used for cryptographic acceleration and implements several cryptographic operations (e.g., computation of AES encryption and decryption, SHA-256, HMAC, etc.). The keys for these operations or the intermediate values are stored in registers internal to the cryptographic core. These internal registers are in the Memory Mapped Input Output (MMIO) space and are blocked from access by software and other untrusted agents on the SoC. These registers are accessible through the debug and test interface.
The following code example is extracted from the AES wrapper module, aes1_wrapper, of the Hack@DAC'21 buggy OpenPiton System-on-Chip (SoC). Within this wrapper module are four memory-mapped registers: core_key, core_key0, core_key1, and core_key2. Core_key0, core_key1, and core_key2 hold encryption/decryption keys. The core_key register selects a key and sends it to the underlying AES module to execute encryption/decryption operations.
Debug mode in processors and SoCs facilitates design debugging by granting access to internal signal/register values, including physical pin values of peripherals/core, fabric bus data transactions, and inter-peripheral registers. Debug mode allows users to gather detailed, low-level information about the design to diagnose potential issues. While debug mode is beneficial for diagnosing processors or SoCs, it also introduces a new attack surface for potential attackers. For instance, if an attacker gains access to debug mode, they could potentially read any content transmitted through the fabric bus or access encryption/decryption keys stored in cryptographic peripherals.
Therefore, it is crucial to clear the contents of secret registers upon entering debug mode. In the provided example of flawed code below, when debug_mode_i is activated, the register core_key0 is set to zero to prevent AES key leakage during debugging. However, this protective measure is not applied to the core_key1 register [REF-1435], leaving its contents uncleared during debug mode. This oversight enables a debugger to access sensitive information. Failing to clear sensitive data during debug mode may lead to unauthorized access to secret keys and compromise system security.
Vulnerable example
assign core_key0 = debug_mode_i ? 'b0 : {Safe example
assign core_key0 = debug_mode_i ? 'b0 : {To address the issue, it is essential to ensure that the register is cleared and zeroized after activating debug mode on the SoC. In the correct implementation illustrated in the good code below, core_keyx registers are set to zero when debug mode is activated [REF-1436].
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-33080 — Uncleared debug information in memory accelerator for SSD product exposes sensitive system information
- CVE-2022-31162 — Rust library leaks Oauth client details in application debug logs
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1258.
- What is CWE-1258?
- The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.
- What CVEs are caused by CWE-1258?
- 12 recorded CVEs are attributed to CWE-1258, including CVE-2024-36913, CVE-2024-36912, CVE-2026-52696.
- How do you prevent CWE-1258?
- Whenever debug mode is enabled, all registers containing sensitive assets must be cleared.
- What are the consequences of CWE-1258?
- Exploiting CWE-1258 can lead to: Read Memory, Bypass Protection Mechanism.
- Is CWE-1258 actively exploited?
- 12 recorded CVEs are caused by CWE-1258; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1258) (opens in a new tab)
- CWE-1258 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1258
Get alerted the moment a new CWE-1258 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.