VNX-244 – Improper Clearing of Heap Memory Before Release

Overview

Dynamic memory containing passwords, cryptographic keys, or session tokens should be zeroed before free(). The heap allocator may immediately reuse freed memory, exposing the sensitive data to other parts of the application or to a subsequent attacker-controlled allocation. This maps to CWE-244: Improper Clearing of Heap Memory Before Release.

Severity: Medium | CWE: CWE-244

Remediation

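#include <stdlib.h>   // free
#include <string.h>   // explicit_bzero (glibc 2.25+, BSDs)

// SAFE: zero then free
explicit_bzero(password, password_len);
free(password);

// Or: memset_s (C11 Annex K, optional; not optimized away).
// Where provided, define __STDC_WANT_LIB_EXT1__ as 1 before including <string.h>.
memset_s(key, key_len, 0, key_len);
free(key);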

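Note: plain memset() may be optimized away by the compiler when the buffer is about to be freed, because the zeroed bytes are never read again and the stores count as dead. Use memset_s(), explicit_bzero(), or SecureZeroMemory() (Windows). memset_s() belongs to the optional Annex K of C11 and is missing from some C libraries, glibc among them.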
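The following is an added example, not code from the original page: a portable wipe-then-free wrapper for platforms that lack the functions named above. It goes one step beyond the page by also covering realloc(), which can move a block and release the old copy unwiped. The names secure_wipe, secure_free, secure_realloc and wipe_selfcheck are hypothetical, and the volatile-pointer loop is a widely used fallback rather than a guarantee from the C standard.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: write zeros through a volatile pointer so the
   compiler does not drop the stores as dead ahead of free(). */
static void secure_wipe(void *p, size_t len) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--) *vp++ = 0;
}

/* Hypothetical helper: wipe, release, and NULL the caller's pointer. */
static void secure_free(void **pp, size_t len) {
    if (pp == NULL || *pp == NULL) return;
    secure_wipe(*pp, len);
    free(*pp);
    *pp = NULL;
}

/* realloc() may move the block and release the old copy unwiped, so
   resize by hand: allocate, copy, wipe the old block, then free it. */
static void *secure_realloc(void *old, size_t old_len, size_t new_len) {
    void *fresh = malloc(new_len);
    if (fresh == NULL) return NULL;      /* old block is left valid */
    if (old != NULL) {
        memcpy(fresh, old, old_len < new_len ? old_len : new_len);
        secure_wipe(old, old_len);
        free(old);
    }
    return fresh;
}

/* Self-check on a constructed secret: 1 = contents survive the resize,
   read back as zero after the wipe, and the pointer ends up NULL. */
int wipe_selfcheck(void) {
    const char secret[] = "constructed-sample-password";
    size_t len = sizeof secret, i;
    void *buf = malloc(len);
    if (buf == NULL) return -1;
    memcpy(buf, secret, len);
    void *big = secure_realloc(buf, len, 2 * len);
    if (big == NULL) { secure_free(&buf, len); return -1; }
    int ok = memcmp(big, secret, len) == 0;
    secure_wipe(big, 2 * len);
    for (i = 0; i < 2 * len; i++) ok = ok && ((unsigned char *)big)[i] == 0;
    secure_free(&big, 2 * len);
    return ok && big == NULL;
}
```

Callers must track the allocation length themselves, since the wipe has to cover the whole buffer and not only the bytes currently in use.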
