CWE-1239 - Improper Zeroization of Hardware Register

• Abstraction:
• Variant

• Structure:
• Simple

• Status:
• Draft

Weakness Name

Improper Zeroization of Hardware Register

Description

The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.

Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result of this is that sensitive information, such as passwords or encryption keys, can exist in locations not transparent to the user of the hardware logic. When a different entity obtains access to the IP due to a change in operating mode or conditions, the new entity can extract information belonging to the previous user if no mechanisms are in place to clear register contents. It is important to clear information stored in the hardware if a physical attack on the product is detected, or if the user of the hardware block changes. The process of clearing register contents in a hardware IP is referred to as zeroization in standards for cryptographic hardware modules such as FIPS-140-2 [REF-267].

Common Consequences

Scope: Confidentiality

Impact: Varies by Context

Notes: The consequences will depend on the information disclosed due to the vulnerability.

Related Weaknesses

CWE-226Sensitive Information in Resource Not Removed Before Reuse

• Release Date:
• 2020-02-24

• Latest Modification Date:
• 2024-02-29

Latest Security News

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

Credential Theft Becomes Cybercriminals' Favorite Target

Ferret Malware Added to 'Contagious Interview' Campaign

Zyxel won’t patch newly exploited flaws in end-of-life routers

Google Play, Apple App Store apps caught stealing crypto wallets

Cybercriminals Court Traitorous Insiders via Ransom Notes

Chinese 'Infrastructure Laundering' Abuses AWS, Microsoft Cloud

Cyber agencies share security guidance for network edge devices

Top Alert List

Content Security Policy (CSP) Header Not Set

CSP

MediumMissing Anti-clickjacking Header

MediumAbsence of Anti-CSRF Tokens

InformationalInformation Disclosure - Suspicious Comments

MediumContent Security Policy (CSP) Header Not Set

InformationalModern Web Application

LowCross-Domain JavaScript Source File Inclusion

InformationalRe-examine Cache-control Directives

LowX-Content-Type-Options Header Missing

Top CVE List

CVE-2024-49138 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability

CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability

CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability

CVE-2015-6175 Microsoft Windows Kernel Privilege Escalation Vulnerability

CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

CVE-2024-38217 Microsoft Windows Mark of the Web (MOTW) Protection Mechanism Failure Vulnerability

CVE-2024-55591 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

CVE-2025-21335 Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability

CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability

CVE-2012-5076 Oracle Java SE Sandbox Bypass Vulnerability

Common CWEs

MediumCWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-793 Only Filtering One Instance of a Special Element

CWE-830 Inclusion of Web Functionality from an Untrusted Source

CWE-109 Struts: Validator Turned Off

CWE-207 Observable Behavioral Discrepancy With Equivalent Products

CWE-653 Improper Isolation or Compartmentalization

CWE-1121 Excessive McCabe Cyclomatic Complexity

HighCWE-681 Incorrect Conversion between Numeric Types

CWE-792 Incomplete Filtering of One or More Instances of Special Elements

CWE-412 Unrestricted Externally Accessible Lock