CWE-14: Compiler Removal of Code to Clear Buffers

VariantDraft

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

View on MITRE
Back to CWE Lookup

Extended Description

This compiler optimization error occurs when: Secret data are stored in memory. The secret data are scrubbed from memory by overwriting its contents. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-14: Compiler Removal of Code to Clear Buffers?+

CWE-14: Compiler Removal of Code to Clear Buffers is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal." This compiler optimization error occurs when: Secret data are stored in memory. The secret data are scrubbed from memory by overwriting its contents. The source code is compiled using an optimizing compiler, which identifies and removes the function that overwrites the contents as a dead store because the memory is not used subsequently.

What are the security consequences of Compiler Removal of Code to Clear Buffers?+

If exploited, CWE-14 (Compiler Removal of Code to Clear Buffers) it can compromise Confidentiality and Access Control, leading to outcomes such as Read Memory and Bypass Protection Mechanism.

How do you prevent or mitigate Compiler Removal of Code to Clear Buffers?+

Recommended mitigations for CWE-14 include: Store the sensitive data in a "volatile" memory location if available. If possible, configure your compiler so that it does not remove dead stores. Where possible, encrypt sensitive data that are used by a software system.

How is Compiler Removal of Code to Clear Buffers detected?+

CWE-14 can be detected using Black Box and White Box. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Compiler Removal of Code to Clear Buffers?+

CWE-14 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-14 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More