CWE-626: Null Byte Interaction Error (Poison Null Byte)
The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
Last updated
Overview
A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.
Real-world CVEs
4 recorded CVEs are caused by CWE-626 (Null Byte Interaction Error (Poison Null Byte)). The highest-severity and most recent are shown first. 1 new CWE-626 CVE has been recorded so far in 2026.
Common consequences
What can happen when CWE-626 is exploited.
Unexpected State
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-626, grouped by where in the lifecycle they apply.
Remove null bytes from all incoming strings.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2005-4155 — NUL byte bypasses PHP regular expression check
- CVE-2005-3153 — inserting SQL after a NUL byte bypasses allowlist regexp, enabling SQL injection
Frequently asked questions
Common questions about CWE-626.
- What is CWE-626?
- The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
- What CVEs are caused by CWE-626?
- 4 recorded CVEs are attributed to CWE-626, including CVE-2019-11936, CVE-2019-17137, CVE-2020-10773.
- How do you prevent CWE-626?
- Remove null bytes from all incoming strings.
- How is CWE-626 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-626?
- Exploiting CWE-626 can lead to: Unexpected State.
- Is CWE-626 actively exploited?
- 4 recorded CVEs are caused by CWE-626; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-626) (opens in a new tab)
- CWE-626 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-626
Get alerted the moment a new CWE-626 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.