
CWE-456 Missing Initialization of a Variable: vulnerability list (7)

Summary of the 7 CVEs mapped to the CWE-456 (Missing Initialization of a Variable) weakness class, with AI-generated analysis (originally in Chinese).

CWE-456 is a missing-initialization weakness: the program never assigns an initial value to a critical variable, so the variable is used while holding whatever indeterminate or leftover memory content happens to be there. An attacker can exploit this to read sensitive memory contents or to trigger unpredictable program behaviour, which in turn can lead to information disclosure or a crash. Developers should initialize every variable at its declaration, or enforce an assignment before first use, so that program logic stays deterministic and safe.

MITRE CWE official description
CWE: CWE-456 Missing Initialization of a Variable. Description: the product does not initialize critical variables, which causes the execution environment to use unexpected values.
Common consequences (1)
Scope: Integrity, Other. Impact: Unexpected State, Quality Degradation, Varies by Context.
The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.
Mitigations (2)
Phase: Implementation. Ensure that critical variables are initialized before first use [REF-1485].
Phase: Requirements. Choose a language that is not susceptible to these issues.
Code examples (2)
This function attempts to extract a pair of numbers from a user-supplied string.

```c
#include <stdio.h>
#include <stdlib.h>

/* die() is referenced but not defined in the MITRE snippet; this minimal
 * version is added here only so the example compiles. */
static void die(const char *msg) { fputs(msg, stderr); exit(1); }

void parse_data(char *untrusted_input)
{
    int m, n, error;                 /* m and n are never initialized */
    error = sscanf(untrusted_input, "%d:%d", &m, &n);
    /* BUG: sscanf returns the number of fields converted (0, 1 or 2) and
     * only returns EOF when input fails before the first conversion.
     * A partial match such as "123:" returns 1 and leaves n indeterminate. */
    if (EOF == error) {
        die("Did not specify integer value. Die evil hacker!\n");
    }
    /* proceed assuming n and m are initialized correctly */
}
```
Bad · C

Attack input: 123:
With this input sscanf() converts m, fails on the second field and returns 1, not EOF, so the check passes and the code goes on to use n while it still holds whatever was on the stack.

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

```java
// Wrapper class added so the MITRE fragment has a compilable shape; the
// weakness is the field `user`, which no constructor or initializer assigns.
public class Example {
    private User user;   // implicitly null, never initialized

    public void someMethod() {
        // Do something interesting.
        ...
        // Throws NPE if user hasn't been properly initialized.
        String username = user.getName();
    }
}
```
Bad · Java
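The C example above shows the failure mode but not the fix, and the description at the top of the page states the remedy (initialize at declaration, validate before use) only in prose. The following is an added example, not code from MITRE or from this page, that shows why the EOF-only check is wrong and what a hardened parser for the same "%d:%d" format looks like. The function names fields_matched and parse_pair, and the sample strings, are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns the raw sscanf() result for the "%d:%d" format so every failure
 * mode is visible: EOF (-1) for empty input, 0 for input that matches
 * nothing, 1 for a partial match such as "123:" (m set, n NOT set), and
 * 2 on success. The MITRE snippet rejects only EOF, so 0 and 1 slip through. */
int fields_matched(const char *untrusted_input)
{
    int m = 0, n = 0;
    return sscanf(untrusted_input, "%d:%d", &m, &n);
}

/* Hardened parser (constructed example). Both outputs are always written
 * (zero on failure), the number of converted fields is checked explicitly,
 * and "%n" is used to reject trailing bytes such as "12:34x".
 * Returns 1 on success, 0 on any failure. */
int parse_pair(const char *untrusted_input, int *out_m, int *out_n)
{
    int m = 0, n = 0;       /* initialized at declaration: the CWE-456 fix */
    int consumed = 0;       /* written by %n only if both conversions succeed */

    *out_m = 0;             /* callers never observe indeterminate values */
    *out_n = 0;

    if (sscanf(untrusted_input, "%d:%d%n", &m, &n, &consumed) != 2) {
        return 0;           /* EOF, 0 or 1 fields are all failures */
    }
    if ((size_t)consumed != strlen(untrusted_input)) {
        return 0;           /* junk after the second integer */
    }
    *out_m = m;
    *out_n = n;
    return 1;
}

int main(void)
{
    /* constructed sample inputs, including the MITRE attack string "123:" */
    const char *samples[] = { "12:34", "123:", "", "abc", "12:34x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m, n;
        int ok = parse_pair(samples[i], &m, &n);
        printf("%-8s sscanf=%2d hardened=%s m=%d n=%d\n", samples[i],
               fields_matched(samples[i]), ok ? "accept" : "reject", m, n);
    }
    return 0;
}
```

Two details matter in practice: the outputs are assigned on every path, so a caller that ignores the return value still gets a defined (if useless) value rather than stack residue, and the check is on the exact field count rather than on EOF. Compiling with -Wall -Wuninitialized catches the simplest cases of CWE-456 statically, and MemorySanitizer (-fsanitize=memory) or -ftrivial-auto-var-init=zero catch or neutralize the ones that depend on the input, such as the "123:" path.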
CVE ID         | Title                                                        | CVSS | Risk level | Published
CVE-2024-9780  | Wireshark security vulnerability — Wireshark                 | 7.8  | High       | 2024-10-10
CVE-2024-32878 | Llama.cpp security vulnerability — llama.cpp                 | 7.1  | High       | 2024-04-26
CVE-2023-20226 | Cisco IOS XE Software security vulnerability — Cisco IOS XE Software | 8.6 | High | 2023-09-27
CVE-2021-40403 | Gerbv security vulnerability — Gerbv                         | 5.5  | -          | 2022-02-04
CVE-2021-34703 | Cisco IOS XE Software security vulnerability — Cisco IOS     | 6.8  | Medium     | 2021-09-23
CVE-2019-3836  | GnuTLS buffer error vulnerability — gnutls                   | 9.1  | -          | 2019-04-01
CVE-2018-14641 | Linux kernel security vulnerability — kernel                 | 5.9  | -          | 2018-09-18

CWE-456 (Missing Initialization of a Variable) is a common weakness class; this platform has 7 CVEs on record that are associated with it.