[Vulnerability] Authentication cookies remain in process memory after use
Authentication cookies handled by `ipc::Cookie` are stored in a plain `Vec<u8>`. The type never zeroises its buffer when dropped, and the cookie data is freely cloned (e.g. when extracting from files or sockets). As a result, once an authentication cookie is read or generated, the secret remains in process memory indefinitely, even after the cookie is cleared from disk.【F:ipc/src/lib.rs†L470-L528】
```rust
use rand::RngCore;
use rand::rngs::OsRng;

/// Cookies are used to authenticate clients.
///
/// Note: the secret lives in a plain `Vec<u8>`. There is no `Drop` impl that
/// zeroises the buffer, so the bytes stay in the heap after the value is freed.
struct Cookie(Vec<u8>);

impl Cookie {
    const SIZE: usize = 32;

    /// Make a new cookie.
    fn new() -> Self {
        let mut c = vec![0; Cookie::SIZE];
        OsRng.fill_bytes(&mut c);
        Cookie(c)
    }

    /// Make a new cookie from a slice.
    fn from(buf: &[u8]) -> Option<Self> {
        if buf.len() == Cookie::SIZE {
            let mut c = Vec::with_capacity(Cookie::SIZE);
            c.extend_from_slice(buf);
            Some(Cookie(c))
        } else {
            None
        }
    }
}
```
An attacker able to dump the address space of the daemon (through a crash dump, swap inspection, or a side-channel) can recover active authentication cookies, which then allows replaying privileged operations against the IPC endpoint.
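As an illustration of the mitigation, here is an added example (not code from the project or the reporter) of a cookie type that keeps the secret in a single heap allocation, wipes it with volatile stores on `Drop`, does not implement `Clone`, redacts itself in `Debug`, and zeroises the transient read buffer when a cookie is parsed from a file or socket. The names `Cookie::generate`, `Cookie::from_slice`, `Cookie::matches`, `Cookie::wipe`, `Cookie::is_zeroed` and `read_cookie` are assumptions chosen for this example; the random fill is taken from a caller-supplied closure so the example compiles without the `rand` crate.

```rust
use std::fmt;
use std::io::{self, Read};
use std::sync::atomic::{compiler_fence, Ordering};

const COOKIE_SIZE: usize = 32;

/// Overwrite a buffer with zeros using volatile stores so the optimiser
/// cannot drop the writes as "dead" (the buffer is never read afterwards).
fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Authentication cookie. The bytes live in one boxed array, so moving the
/// value moves only a pointer and never leaves a second copy behind.
/// Deliberately neither `Clone` nor `Copy`.
pub struct Cookie(Box<[u8; COOKIE_SIZE]>);

impl Cookie {
    pub const SIZE: usize = COOKIE_SIZE;

    /// Generate a cookie; `fill` is expected to come from the OS CSPRNG in
    /// real code (hypothetical hook, so the example needs no external crate).
    pub fn generate(fill: impl FnOnce(&mut [u8])) -> Self {
        let mut c = Box::new([0u8; COOKIE_SIZE]);
        fill(&mut c[..]);
        Cookie(c)
    }

    /// Build a cookie from bytes read elsewhere; exactly one copy is made.
    pub fn from_slice(buf: &[u8]) -> Option<Self> {
        if buf.len() != COOKIE_SIZE {
            return None;
        }
        let mut c = Box::new([0u8; COOKIE_SIZE]);
        c[..].copy_from_slice(buf);
        Some(Cookie(c))
    }

    /// Constant-time comparison: the loop touches every byte regardless
    /// of where the first mismatch is.
    pub fn matches(&self, other: &[u8]) -> bool {
        if other.len() != COOKIE_SIZE {
            return false;
        }
        let mut diff = 0u8;
        for (a, b) in self.0[..].iter().zip(other) {
            diff |= a ^ b;
        }
        diff == 0
    }

    /// Wipe the secret in place. `Drop` calls this; it is public so the
    /// behaviour can be exercised in a test.
    pub fn wipe(&mut self) {
        zeroize(&mut self.0[..]);
    }

    pub fn is_zeroed(&self) -> bool {
        self.0[..].iter().all(|&b| b == 0)
    }
}

impl Drop for Cookie {
    fn drop(&mut self) {
        self.wipe();
    }
}

impl fmt::Debug for Cookie {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Cookie([redacted])")
    }
}

/// Read a cookie from a file or socket. The stack scratch buffer is wiped
/// on both the success and the error path, so no stray copy survives.
pub fn read_cookie<R: Read>(mut r: R) -> io::Result<Option<Cookie>> {
    let mut tmp = [0u8; COOKIE_SIZE];
    let result = r.read_exact(&mut tmp);
    let cookie = match result {
        Ok(()) => Ok(Cookie::from_slice(&tmp)),
        Err(e) => Err(e),
    };
    zeroize(&mut tmp);
    cookie
}
```

Relying on a boxed fixed-size array rather than a `Vec` also avoids the reallocation copies a growing `Vec` can leave behind; the `zeroize` crate offers the same volatile-write guarantee if a dependency is acceptable.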
Last commit hash `05e6707ad2c68fa52a30c3c9a21d54dc00089919`