This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.

Clear Discarded Storage that Contained Secrets and Do Not Read Uninitialized Storage

Author(s): William L. Fithen
Maturity Levels and Audience Indicators: L4 / D/P
SDLC Life Cycles: Implementation
Copyright: Copyright © Carnegie Mellon University 2005-2012.


Failing to initialize storage can introduce vulnerability.


When storage is allocated, it may not have been initialized, meaning that whatever was left in it from its previous use is still there. If that storage might contain leftover secrets, like passwords, then accidentally disclosing that data amounts to a security leak of information from the previous user.

When your system, in turn, deallocates storage that contains secrets, it may be leaking those secrets to the next user of the storage.
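Both halves of the rule in one place, as an added example that is not part of the original document: a constructed one-slot pool stands in for any allocator that reuses storage, and the code counts how much of a previous user's secret the next user can still read. The names `slot_acquire`, `slot_release`, `secure_wipe` and `leftover_bytes` are hypothetical, and the password is constructed sample input.

```c
#include <stddef.h>
#include <string.h>

#define SLOT_SIZE 64

/* Constructed one-slot pool: stands in for any allocator that hands the
   same storage to successive users without touching its contents. */
static unsigned char slot[SLOT_SIZE];

/* Wipe through a volatile pointer so the compiler cannot discard the
   stores as dead writes, as it may for a plain memset() before release. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Acquire: hand out the storage as-is (unsafe) or zeroed (safe). */
static unsigned char *slot_acquire(int zero_on_acquire) {
    if (zero_on_acquire) secure_wipe(slot, SLOT_SIZE);
    return slot;
}

/* Release: give the storage back as-is (unsafe) or wiped (safe). */
static void slot_release(unsigned char *p, int wipe_on_release) {
    if (wipe_on_release) secure_wipe(p, SLOT_SIZE);
}

/* Count bytes of `secret` still visible to the next user of the slot. */
static size_t leftover_bytes(const char *secret, int wipe_on_release,
                             int zero_on_acquire) {
    size_t len = strlen(secret), seen = 0, i;
    unsigned char *first, *next;

    if (len > SLOT_SIZE) len = SLOT_SIZE;
    first = slot_acquire(1);               /* previous user starts clean */
    memcpy(first, secret, len);            /* ...and stores a secret     */
    slot_release(first, wipe_on_release);

    next = slot_acquire(zero_on_acquire);  /* next user of the storage   */
    for (i = 0; i < len; i++)
        if (next[i] == (unsigned char)secret[i]) seen++;
    return seen;
}

int main(void) {   /* exits 0 when the three cases behave as described */
    const char *pw = "constructed-sample-password";  /* constructed input */
    return !(leftover_bytes(pw, 0, 0) == strlen(pw) &&
             leftover_bytes(pw, 1, 0) == 0 &&
             leftover_bytes(pw, 0, 1) == 0);
}
```

Where the platform provides `explicit_bzero()` or `memset_s()`, either can replace `secure_wipe()`; the point in all three is that the clearing stores must survive optimization.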

