CWE-626: Null Byte Interaction Error (Poison Null Byte)

VariantDraft

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

View on MITRE
Back to CWE Lookup

Extended Description

A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

Technical Details

Structure
Simple

Applicable To

Languages
PHPPerlASP.NET
Platforms

Frequently Asked Questions

What is CWE-626: Null Byte Interaction Error (Poison Null Byte)?+

CWE-626: Null Byte Interaction Error (Poison Null Byte) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly handle null bytes or NUL characters when passing data between different representations or components. A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected. The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.

What are the security consequences of Null Byte Interaction Error (Poison Null Byte)?+

If exploited, CWE-626 (Null Byte Interaction Error (Poison Null Byte)) it can compromise Integrity, leading to outcomes such as Unexpected State.

How do you prevent or mitigate Null Byte Interaction Error (Poison Null Byte)?+

Recommended mitigations for CWE-626 include: Remove null bytes from all incoming strings.

Which programming languages are affected by Null Byte Interaction Error (Poison Null Byte)?+

CWE-626 commonly affects PHP, Perl and ASP.NET. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Null Byte Interaction Error (Poison Null Byte)?+

MITRE documents real CVEs mapped to CWE-626, including CVE-2005-4155 and CVE-2005-3153. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-626 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More