VYPR

CWE-226

Sensitive Information in Resource Not Removed Before Reuse

Abstraction: Base, Status: Draft

Description

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (16)

  • CVE-2019-25560 · High · Mar 21, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Lyric Video Creator 2.1 contains a denial of service vulnerability that allows attackers to crash the application by processing malformed MP3 files. Attackers can create a crafted MP3 file with an oversized buffer and trigger the crash by opening the file through the Browse song…

  • CVE-2018-7166 · High · Aug 21, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a…

  • CVE-2026-5795 · High · Apr 8, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.…

  • CVE-2026-32960 · Medium · Apr 20, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    SD-330AC and AMC Manager provided by silex technology, Inc. contain a sensitive-information-in-resource-not-removed-before-reuse issue. An attacker may log in to the device without knowing the password by sending a crafted packet.

  • CVE-2025-2522 · Medium · Jul 10, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    The Honeywell Experion PKS and OneWireless WDM contain a Sensitive Information in Resource vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result…

  • CVE-2025-11602 · Medium · Oct 31, 2025
    risk 0.41 · cvss n/a · epss 0.00

    A potential information leak in the Bolt protocol handshake in Neo4j Enterprise and Community editions allows an attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses.

  • CVE-2019-25617 · Medium · Mar 22, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    Ease Audio Converter 5.30 contains a denial of service vulnerability in the Audio Cutter function that allows local attackers to crash the application by processing malformed MP4 files. Attackers can create a crafted MP4 file containing an oversized buffer and load it through…

  • CVE-2019-25553 · Medium · Mar 21, 2026
    risk 0.40 · cvss 6.2 · epss 0.00

    CEWE PHOTO IMPORTER 6.4.3 contains a denial of service vulnerability that allows local attackers to crash the application by importing a specially crafted image file. Attackers can create a malformed JPG file with an oversized buffer and trigger the crash through the import…

  • CVE-2024-21850 · Medium · Nov 13, 2024
    risk 0.39 · cvss 6.0 · epss 0.00

    Sensitive information in resource not removed before reuse in some Intel(R) TDX Seamldr module software before version 1.5.02.00 may allow a privileged user to potentially enable escalation of privilege via local access.

  • CVE-2019-25657 · Medium · Apr 5, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    AnyBurn 4.3 x86 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the image conversion function. Attackers can paste a large buffer into the source or destination image file fields and click…

  • CVE-2025-14858 · Medium · Apr 7, 2026
    risk 0.33 · cvss n/a · epss 0.00

    The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided…

  • CVE-2025-20622 · Low · Nov 11, 2025
    risk 0.25 · cvss 3.8 · epss 0.00

    Sensitive information uncleared in resource before release for reuse for some Intel(R) NPU Drivers for Windows before version 32.0.100.4023 within Ring 3: User Applications may allow an information disclosure. Unprivileged software adversary with an authenticated user combined…

  • CVE-2024-38275 · Jun 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

  • CVE-2024-32036 · Apr 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information…

  • CVE-2022-39393 · Nov 10, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be…

  • CVE-2020-27218 · Nov 28, 2020
    risk 0.00 · cvss n/a · epss 0.08

    In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request…