...
Note that manual clearing of the buffer data is mandatory because direct buffers are not subject to garbage collection.
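The following is an added example, not code from the original guideline, showing one way to clear a direct buffer once the sensitive data has been used. The class name, the `wipe`, `process` and `readAndProcess` helpers, and the sample input are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.ReadableByteChannel;
import java.nio.charset.StandardCharsets;

public final class DirectBufferWipe {
    // Overwrites the buffer's full capacity with zeros. ByteBuffer.clear()
    // only resets position and limit; it leaves the stored bytes in place.
    static void wipe(ByteBuffer buf) {
        buf.clear();
        while (buf.hasRemaining()) {
            buf.put((byte) 0);
        }
        buf.clear();
    }

    // Hypothetical consumer of the sensitive bytes (stands in for real processing).
    static int process(ByteBuffer secret) {
        return secret.remaining();
    }

    // Reads into the caller's direct buffer, uses the data, and wipes the
    // buffer in finally so it is cleared even if reading or processing throws.
    static int readAndProcess(ReadableByteChannel in, ByteBuffer buf) throws IOException {
        try {
            while (buf.hasRemaining() && in.read(buf) != -1) { }
            buf.flip();
            return process(buf);
        } finally {
            wipe(buf);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input; a real source would be a file or socket channel.
        byte[] sample = "constructed-sample-secret".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer buf = ByteBuffer.allocateDirect(64);
        try (ReadableByteChannel in = Channels.newChannel(new ByteArrayInputStream(sample))) {
            System.out.println("bytes processed: " + readAndProcess(in, buf));
        }
        // Verify that no byte of the sample survives anywhere in the buffer.
        for (int i = 0; i < buf.capacity(); i++) {
            if (buf.get(i) != 0) throw new IllegalStateException("residual data at " + i);
        }
    }
}
```

The heap array `sample` exists only to feed the demonstration; in real code the sensitive bytes should arrive directly from the channel so that no heap copy is created.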
Exceptions
EX1: This guideline may be violated iff:
1. It can be proved that the code is free from other errors that can expose the sensitive data.
2. An attacker does not have physical access to the target machine.
Risk Assessment
Failure to limit the lifetime of sensitive data can lead to sensitive information leaks.
...