CWE-1330: Remanent Data Readable after Memory Erase | Glexia
CWE-1330 (Remanent Data Readable after Memory Erase) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK context.
Glexia's Take · Automated analysis
CWE-1330: Remanent Data Readable after Memory Erase
Remanent Data Readable after Memory Erase represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Confidentiality: Modify Memory,Read Memory: Confidential data are readable to untrusted agent.
Developer Pattern
CWE-1330 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Automation confidence
high confidence from CWE-1330, 4.20.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Official CWE Definition
CWE-1330: Remanent Data Readable after Memory Erase
Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- Consider a device that uses flash memory for non-volatile-data storage. To optimize flash-access performance or reliable-flash lifetime, the device might limit the number of flash writes/erases by maintaining some state in internal SRAM and only committing changes to flash memory periodically. The device also supports user reset to factory defaults with the expectation that all personal information is erased from the device after this operation. On factory reset, user files are erased using explicit, erase commands supported by the flash device.,In the given, system design, the flash-file system can support performance-optimized erase such that only the file metadata are erased and not the content. If this optimized erase is used for files containing user data during factory-reset flow, then device, flash memory can contain remanent data from these files.,On device-factory reset, the implementation might not erase these copies, since the file organization has changed and the flash file system does not have the metadata to track all previous copies.,A flash-memory region that is used by a flash-file system should be fully erased as part of the factory-reset flow. This should include secure-erase flow for the flash media such as overwriting patterns multiple times followed by erase.
Remediation
- Architecture and Design:
Detection
- Architecture or Design Review:
- Dynamic Analysis with Manual Results Interpretation:
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.
