CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')

VariantDraft

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

View on MITRE
Back to CWE Lookup

Extended Description

When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')?+

CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory. When sensitive data such as a password or an encryption key is not removed from memory, it could be exposed to an attacker using a "heap inspection" attack that reads the sensitive data using memory dumps or other methods. The realloc() function is commonly used to increase the size of a block of allocated memory. This operation often requires copying the contents of the old memory block into a new and larger block. This operation leaves the contents of the original block intact but inaccessible to the program, preventing the program from being able to scrub sensitive data from memory. If an attacker can later examine the contents of a memory dump, the sensitive data could be exposed.

What are the security consequences of Improper Clearing of Heap Memory Before Release ('Heap Inspection')?+

If exploited, CWE-244 (Improper Clearing of Heap Memory Before Release ('Heap Inspection')) it can compromise Confidentiality and Other, leading to outcomes such as Read Memory and Other.

Which programming languages are affected by Improper Clearing of Heap Memory Before Release ('Heap Inspection')?+

CWE-244 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Clearing of Heap Memory Before Release ('Heap Inspection')?+

MITRE documents real CVEs mapped to CWE-244, including CVE-2019-3733. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-244 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More