CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition

BaseStable

The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.

View on MITRE
Back to CWE Lookup

Extended Description

A device or system frequently employs many power and sleep states during its normal operation (e.g., normal power, additional power, low power, hibernate, deep sleep, etc.). A device also may be operating within a debug condition. State transitions can happen from one power or debug state to another. If there is information available in the previous state which should not be available in the next state and is not properly removed before the transition into the next state, sensitive information may leak from the system.

Technical Details

Structure
Simple

Applicable To

Languages
VHDLVerilogHardware Description Language
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition?+

CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions. A device or system frequently employs many power and sleep states during its normal operation (e.g., normal power, additional power, low power, hibernate, deep sleep, etc.). A device also may be operating within a debug condition. State transitions can happen from one power or debug state to another. If there is information available in the previous state which should not be available in the next state and is not properly removed before the transition into the next state, sensitive information may leak from the system.

What are the security consequences of Sensitive Information Uncleared Before Debug/Power State Transition?+

If exploited, CWE-1272 (Sensitive Information Uncleared Before Debug/Power State Transition) it can compromise Confidentiality, Integrity, Availability, Access Control, Accountability and Authentication, leading to outcomes such as Read Memory and Read Application Data.

How do you prevent or mitigate Sensitive Information Uncleared Before Debug/Power State Transition?+

Recommended mitigations for CWE-1272 include: During state transitions, information not needed in the next state should be removed before the transition to the next state.

How is Sensitive Information Uncleared Before Debug/Power State Transition detected?+

CWE-1272 can be detected using Manual Analysis. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Sensitive Information Uncleared Before Debug/Power State Transition?+

CWE-1272 commonly affects VHDL, Verilog and Hardware Description Language. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Sensitive Information Uncleared Before Debug/Power State Transition?+

MITRE documents real CVEs mapped to CWE-1272, including CVE-2020-12926. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1272 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More