CWE-226: Sensitive Information in Resource Not Removed Before Reuse
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
Last updated
Overview
When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information. Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated. This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels.
Real-world CVEs
31 recorded CVEs are caused by CWE-226 (Sensitive Information in Resource Not Removed Before Reuse). The highest-severity and most recent are shown first. 13 new CWE-226 CVEs have been recorded so far in 2026 (7 in 2025).
- CVE-2019-25560
Lyric Video Creator 2.1 Denial of Service via MP3 File
High · CVSS 8.7 · EPSS 38th2026-03-21 - CVE-2022-39393High · CVSS 8.6 · EPSS 47th2022-11-10
- CVE-2024-21850High · CVSS 8.3 · EPSS 10th2024-11-13
- CVE-2025-0647High · CVSS 7.9 · EPSS 5th2026-01-14
- CVE-2025-13108
Fixes to common vulnerabilities found in IBM Db2 Merge Backup for Linux, UNIX and Windows
High · CVSS 7.5 · EPSS 8th2026-02-17 - CVE-2024-38275High · CVSS 7.5 · EPSS 36th2024-06-18
- CVE-2023-41138High · CVSS 7.5 · EPSS 7th2023-11-09
- CVE-2018-7166High · CVSS 7.5 · EPSS 87th2018-08-21
- CVE-2026-5795High · CVSS 7.4 · EPSS 41th2026-04-08
- CVE-2026-32960High · CVSS 7.1 · EPSS 17th2026-04-20
- CVE-2019-25645
WinAVI iPod 3GP MP4 PSP Converter 4.4.2 Denial of Service
Medium · CVSS 6.9 · EPSS 7th2026-03-24 - CVE-2019-25617
Ease Audio Converter 5.30 Denial of Service via Audio Cutter
Medium · CVSS 6.9 · EPSS 3th2026-03-22
Showing 12 of 31 recorded CWE-226 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-226 vulnerabilitiesCommon consequences
What can happen when CWE-226 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-226, grouped by where in the lifecycle they apply.
During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state.
Effectiveness: High
When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer.
Effectiveness: High
How to detect it
Manual Analysis
Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.
Effectiveness: High
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example shows how an attacker can take advantage of an incorrect state transition.
The following code calls realloc() on a buffer containing sensitive data:
Vulnerable example
cleartext_buffer = get_secret();...There is an attempt to scrub the sensitive data from memory, but realloc() is used, so it could return a pointer to a different part of memory. The memory that was originally allocated for cleartext_buffer could still contain an uncleared copy of the data.
The following example code is excerpted from the AES wrapper/interface, aes0_wrapper, module of one of the AES engines (AES0) in the Hack@DAC'21 buggy OpenPiton System-on-Chip (SoC). Note that this SoC contains three distinct AES engines. Within this wrapper module, four 32-bit registers are utilized to store the message intended for encryption, referred to as p_c[i]. Using the AXI Lite interface, these registers are filled with the 128-bit message to be encrypted.
Vulnerable example
beginSafe example
beginThe above code snippet [REF-1402] illustrates an instance of a vulnerable implementation of the AES wrapper module, where p_c[i] registers are cleared at reset. Otherwise, p_c[i]registers either maintain their old values (if reglk_ctrl_i[3]is true) or get filled through the AXI signal wdata. Note that p_c[i]registers can be read through the AXI Lite interface (not shown in snippet). However, p_c[i] registers are never cleared after their usage once the AES engine has completed the encryption process of the message. In a multi-user or multi-process environment, not clearing registers may result in the attacker process accessing data left by the victim, leading to data leakage or unintentional information disclosure.
To fix this issue, it is essential to ensure that these internal registers are cleared in a timely manner after their usage, i.e., the encryption process is complete. This is illustrated below by monitoring the assertion of the cipher text valid signal, ct_valid [REF-1403].
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2019-3733 — Cryptography library does not clear heap memory before release
- CVE-2003-0001 — Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets.
- CVE-2003-0291 — router does not clear information from DHCP packets that have been previously used
- CVE-2005-1406 — Products do not fully clear memory buffers when less data is stored into the buffer than previous.
- CVE-2005-1858 — Products do not fully clear memory buffers when less data is stored into the buffer than previous.
- CVE-2005-3180 — Products do not fully clear memory buffers when less data is stored into the buffer than previous.
- CVE-2005-3276 — Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory.
- CVE-2002-2077 — Memory not properly cleared before reuse.
Terminology & mappings
Mapped taxonomies
- PLOVER: Sensitive Information Uncleared Before Use
- CERT C Secure Coding: Clear sensitive information stored in reusable resources returned for reuse (MEM03-C)
- Software Fault Patterns: Exposed Data (SFP23)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-226.
- What is CWE-226?
- The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
- What CVEs are caused by CWE-226?
- 31 recorded CVEs are attributed to CWE-226, including CVE-2019-25560, CVE-2022-39393, CVE-2024-21850.
- How do you prevent CWE-226?
- During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state.
- How is CWE-226 detected?
- Manual Analysis: Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated.
- What are the consequences of CWE-226?
- Exploiting CWE-226 can lead to: Read Application Data.
- Is CWE-226 actively exploited?
- 31 recorded CVEs are caused by CWE-226; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-226) (opens in a new tab)
- CWE-226 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-226
Get alerted the moment a new CWE-226 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.