CWE · MITRE source
CWE-226Sensitive Information in Resource Not Removed Before Reuse
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
When resources are released, they can be made available for reuse. For example, after memory is de-allocated, an operating system may make the memory available to another process, or disk space may be reallocated when a file is deleted. As removing information requires time and additional resources, operating systems do not usually clear the previously written information. Even when the resource is reused by the same process, this weakness can arise when new data is not as large as the old data, which leaves portions of the old data still available. Equivalent errors can occur in other situations where the length of data is variable but the associated data structure is not. If memory is not cleared after use, the information may be read by less trustworthy parties when the memory is reallocated. This weakness can apply in hardware, such as when a device or system switches between power, sleep, or debug states during normal operation, or when execution changes to different users or privilege levels.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (10)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
MP-1 | Policy and Procedures | MP | Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release. |
MP-6 | Media Sanitization | MP | Requiring sanitization prior to reuse directly ensures sensitive information is removed from resources before they are reused by others. |
MP-8 | Media Downgrading | MP | Downgrading enables reuse of media at lower security levels, and the mandated process ensures sensitive information is removed beforehand to prevent exposure on reused resources. |
SI-12 | Information Management and Retention | SI | Explicit retention limits and destruction rules reduce the persistence of sensitive information in reusable resources. |
SI-18 | Personally Identifiable Information Quality Operations | SI | Periodic quality checks and deletion ensure sensitive PII is removed from resources prior to reuse or retention beyond its valid lifetime. |
SI-21 | Information Refresh | SI | Periodic refresh or explicit deletion before reuse prevents sensitive information from remaining in a reusable resource. |
IR-9 | Information Spillage Response | IR | The eradication and cross-system identification steps ensure sensitive information is removed before resources are reused or further accessed. |
MA-2 | Controlled Maintenance | MA | Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally. |
SC-4 | Information in Shared System Resources | SC | Directly requires removal of sensitive data from resources before reuse or reallocation to another subject, eliminating residual information transfer. |
SR-12 | Component Disposal | SR | Mandates sanitization of resources before they are released or discarded, preventing residual sensitive information from being recovered. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2022-39393 | 1.7 | 8.6 | 0.0033 | 2022-11-10 |
CVE-2018-7166 | 1.6 | 7.5 | 0.0086 | 2018-08-21 |
CVE-2025-0647 | 1.6 | 7.9 | 0.0001 | 2026-01-14 |
CVE-2023-41138 | 1.5 | 7.5 | 0.0002 | 2023-11-09 |
CVE-2024-38275 | 1.5 | 7.5 | 0.0055 | 2024-06-18 |
CVE-2019-25560 | 1.5 | 7.5 | 0.0008 | 2026-03-21 |
CVE-2026-5795 | 1.5 | 7.4 | 0.0002 | 2026-04-08 |
CVE-2025-2522 | 1.3 | 6.5 | 0.0026 | 2025-07-10 |
CVE-2026-32960 | 1.3 | 6.5 | 0.0002 | 2026-04-20 |
CVE-2024-21850 | 1.2 | 6.0 | 0.0004 | 2024-11-13 |
CVE-2025-48066 | 1.2 | 6.0 | 0.0004 | 2025-05-22 |
CVE-2019-25553 | 1.2 | 6.2 | 0.0002 | 2026-03-21 |
CVE-2019-25563 | 1.2 | 6.2 | 0.0002 | 2026-03-21 |
CVE-2019-25571 | 1.2 | 6.2 | 0.0002 | 2026-03-21 |
CVE-2019-25617 | 1.2 | 6.2 | 0.0002 | 2026-03-22 |
CVE-2019-25645 | 1.2 | 6.2 | 0.0002 | 2026-03-24 |
CVE-2023-1637 | 1.1 | 5.5 | 0.0001 | 2023-03-27 |
CVE-2023-3006 | 1.1 | 5.5 | 0.0001 | 2023-05-31 |
CVE-2024-32036 | 1.1 | 5.3 | 0.0041 | 2024-04-15 |
CVE-2025-13108 | 1.1 | 5.5 | 0.0003 | 2026-02-17 |
CVE-2019-25657 | 1.1 | 5.5 | 0.0002 | 2026-04-05 |
CVE-2020-27218 | 1.0 | 4.8 | 0.0060 | 2020-11-28 |
CVE-2025-33196 | 0.9 | 4.4 | 0.0001 | 2025-11-25 |
CVE-2024-7883 | 0.8 | 3.7 | 0.0037 | 2024-10-31 |
CVE-2025-20622 | 0.8 | 3.8 | 0.0002 | 2025-11-11 |