CWE-14
Compiler Removal of Code to Clear Buffers
Extended description
This compiler optimization error occurs when all of the following hold:
- Secret data (a key, a password, a derived session secret) are stored in memory, typically in a stack or heap buffer.
- The secret data are scrubbed from memory by overwriting the buffer's contents, typically with a call to memset() or an equivalent loop.
- The source code is compiled using an optimizing compiler, which identifies the overwrite as a dead store (the buffer is not read again before it goes out of scope or is freed) and removes it. The secret then remains in memory after the function returns, even though the source code appears to clear it.
Common consequences (1)
- Scope: Confidentiality, Access Control. Impact: Read Memory, Bypass Protection Mechanism.
This weakness allows data that was meant to be cleared, but was not, to be read from memory later, for example through a memory-disclosure bug, a core dump, swap, or reuse of the same stack or heap region by a subsequent allocation. If the data is a password or key, an attacker who obtains it can use it to bypass the protection mechanism it guards.
Potential mitigations (3)
- Implementation
Store the sensitive data in a "volatile" memory location if available, or clear it through a volatile-qualified pointer so the compiler must emit the stores. More portable is a dedicated wiping routine the compiler cannot treat as a dead store: memset_s() (C11 Annex K), explicit_bzero() (glibc, the BSDs) or SecureZeroMemory() (Windows). A plain memset() followed by no further reads is exactly the pattern that gets eliminated.
- Build and Compilation
If possible, configure your compiler so that it does not remove dead stores. Turning off optimization globally has a large performance cost; a narrower option on GCC and Clang is -fno-builtin-memset, which makes memset() an ordinary external call that cannot be expanded and eliminated inline. This only helps as long as the compiler cannot see into the callee, so it is not a substitute for a dedicated wiping routine.
- Architecture and Design
Where possible, encrypt sensitive data that are used by a software system, so that only the decryption key, rather than every buffer that held plaintext, needs to be wiped reliably. The key itself still has to be cleared correctly; this narrows the exposure rather than removing it.
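The following added example (not code from CWE, MITRE or any vendor listed below) puts the dead-store pattern from the extended description beside a hardened wipe that implements the first mitigation. toy_kdf() is a constructed stand-in for a real key derivation, and "hunter2" is constructed sample input; neither comes from the page. secure_memzero() uses volatile-qualified stores plus an empty GCC/Clang asm statement with a "memory" clobber, which is the same technique the platform routines named above provide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Reliably zero n bytes at p. The volatile-qualified stores must be
 * emitted by the compiler, and the empty asm with a "memory" clobber tells
 * GCC/Clang that memory may be read afterwards, so the loop is not a dead
 * store. memset_s(), explicit_bzero() or SecureZeroMemory() are the
 * platform-provided equivalents where available. */
void secure_memzero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
#if defined(__GNUC__)
    __asm__ __volatile__("" : : "r"(p) : "memory");
#endif
}

/* Constructed toy "key derivation" (hypothetical, not a real KDF): XOR the
 * password with an index-dependent byte. Only here to produce a secret. */
static void toy_kdf(const uint8_t *pw, size_t pw_len, uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(pw[i % pw_len] ^ (uint8_t)(i * 31u));
}

/* Vulnerable pattern (CWE-14): key is a local that is never read after the
 * memset(), so an optimizing compiler may delete the memset() as a dead
 * store and leave the key bytes on the stack after return. */
void derive_key_naive(const uint8_t *pw, size_t pw_len, uint8_t out[KEY_LEN])
{
    uint8_t key[KEY_LEN];
    toy_kdf(pw, pw_len, key);
    memcpy(out, key, KEY_LEN);
    memset(key, 0, KEY_LEN);   /* dead store: may be removed at -O2 */
}

/* Hardened form: identical logic, but the wipe cannot be optimized away. */
void derive_key_hardened(const uint8_t *pw, size_t pw_len, uint8_t out[KEY_LEN])
{
    uint8_t key[KEY_LEN];
    toy_kdf(pw, pw_len, key);
    memcpy(out, key, KEY_LEN);
    secure_memzero(key, KEY_LEN);
}

/* Check helper: returns 1 if every byte of p[0..n) is zero. */
int is_all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

int main(void)
{
    static const uint8_t pw[] = "hunter2";   /* constructed sample input */
    uint8_t k1[KEY_LEN], k2[KEY_LEN], scratch[64];

    derive_key_naive(pw, 7, k1);
    derive_key_hardened(pw, 7, k2);
    printf("both paths derive the same key: %d\n", memcmp(k1, k2, KEY_LEN) == 0);

    memset(scratch, 0xAA, sizeof scratch);
    secure_memzero(scratch, sizeof scratch);
    printf("scratch wiped: %d\n", is_all_zero(scratch, sizeof scratch));
    return 0;
}
```

To see the weakness rather than take it on trust, compile with `cc -O2 -S` and compare the two functions' assembly: in derive_key_naive the stores that zero `key` are typically gone (at -O2 the compiler may even skip materializing `key` on the stack and write the derivation straight into `out`), while derive_key_hardened always contains the byte-wise zeroing loop. The same inspection, applied to the release build rather than the source, is the check that catches this class of bug in practice.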
Relationships (1)
- ChildOf CWE-733 (Compiler Optimization Removal or Modification of Security-critical Code)
CVEs referencing this CWE (10)
| CVE | Description | Severity (CVSS) | EPSS (percentile) | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2023-32099 | Compiler removal of buffer clearing in sli_se_sign_hash in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.53% (p40) | | 2025-01-21 |
| CVE-2023-32098 | Compiler removal of buffer clearing in sli_se_sign_message in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.53% (p40) | | 2025-01-21 |
| CVE-2023-32100 | Compiler removal of buffer clearing in sli_se_driver_mac_compute in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.48% (p38) | | 2025-01-21 |
| CVE-2023-32097 | Compiler removal of buffer clearing in sli_crypto_transparent_aead_decrypt_tag in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.48% (p38) | | 2025-01-21 |
| CVE-2023-32096 | Compiler removal of buffer clearing in sli_crypto_transparent_aead_encrypt_tag in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.48% (p38) | | 2025-01-21 |
| CVE-2023-2481 | Compiler removal of buffer clearing in sli_se_opaque_import_key in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.48% (p38) | | 2025-01-21 |
| CVE-2023-1132 | Compiler removal of buffer clearing in sli_se_driver_key_agreement in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.48% (p38) | | 2025-01-22 |
| CVE-2023-0965 | Compiler removal of buffer clearing in sli_cryptoacc_transparent_key_agreement in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. | HIGH 7.5 | 0.48% (p38) | | 2025-01-22 |
| CVE-2025-64646 | IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources. | MEDIUM 5.5 | 0.17% (p7) | | 2026-03-26 |
| CVE-2026-48984 | pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper). | MEDIUM 4.7 | no EPSS | | 2026-06-18 |