
CWE-456 (Missing Initialization of a Variable) — Vulnerability Class 7

7 vulnerabilities classified as CWE-456 (Missing Initialization of a Variable). AI-generated Chinese analysis included.

CWE-456 represents a critical initialization weakness where software fails to assign initial values to variables before their first use, leaving them populated with unpredictable memory contents. This oversight typically allows attackers to exploit undefined behavior by triggering code paths that read these uninitialized variables, potentially leading to information disclosure of sensitive kernel or heap data, or causing application crashes that facilitate denial-of-service attacks. In more severe scenarios, such as in C or C++ environments, this can result in arbitrary code execution if the uninitialized value influences control flow or pointer arithmetic. Developers prevent this vulnerability by rigorously initializing all variables at declaration, employing static analysis tools to detect uninitialized reads during the build process, and adopting secure coding standards that mandate explicit initialization for every variable scope, thereby ensuring deterministic program behavior and eliminating reliance on residual memory states.

MITRE CWE Description
The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Common Consequences (1)
Scope: Integrity, Other. Impact: Unexpected State, Quality Degradation, Varies by Context.
The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.

Mitigations (2)
Implementation: Ensure that critical variables are initialized before first use [REF-1485].
Requirements: Choose a language that is not susceptible to these issues.
Examples (2)
This function attempts to extract a pair of numbers from a user-supplied string.
```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal error helper so the example compiles; not part of the CWE text. */
static void die(const char *msg) {
    fputs(msg, stderr);
    exit(1);
}

void parse_data(char *untrusted_input) {
    int m, n, error;
    error = sscanf(untrusted_input, "%d:%d", &m, &n);
    /* Only EOF is treated as failure. A partial match returns 1, which
       passes this check while n remains uninitialized. */
    if (EOF == error) {
        die("Did not specify integer value. Die evil hacker!\n");
    }
    /* proceed assuming n and m are initialized correctly */
}
```
Bad · C
Attack input: `123:` (sscanf returns 1, not EOF, so the check passes while n is never written)
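An added example (not from the CWE entry) that puts the hardened form of the parse above next to the original check, so the difference on a partial input such as `123:` is observable; the function names are my own.

```c
#include <stdio.h>

/* Hardened variant of parse_data(): both outputs are initialised before the
   call, and the sscanf() result is compared against the number of
   conversions expected (2) rather than only against EOF. Returns 1 on
   success, 0 on any malformed or missing input. */
int parse_pair_safe(const char *input, int *m, int *n) {
    *m = 0;                      /* deterministic value even on failure */
    *n = 0;
    if (input == NULL) return 0;
    int matched = sscanf(input, "%d:%d", m, n);
    return matched == 2;
}

/* Mirrors the original EOF-only check: returns 1 when that check would
   accept the input and continue, even if only one field was parsed. */
int eof_check_accepts(const char *input) {
    int m, n;                    /* written by sscanf, never read here */
    int r = sscanf(input, "%d:%d", &m, &n);
    return r != EOF;
}

/* Convenience wrapper: m + n for well-formed input, -1 otherwise.
   (Constructed for the demo; a real API would return a status code.) */
int sum_pair_or_neg1(const char *input) {
    int m, n;
    if (!parse_pair_safe(input, &m, &n)) return -1;
    return m + n;
}

int main(void) {
    /* Constructed sample inputs: a valid pair, the partial "123:" case,
       an empty string and a non-numeric string. */
    const char *samples[] = { "12:34", "123:", "", "abc" };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-6s  eof-only check accepts: %d   hardened sum: %d\n",
               samples[i], eof_check_accepts(samples[i]),
               sum_pair_or_neg1(samples[i]));
    }
    return 0;
}
```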
Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
```java
public class Example {
    private User user;   // never assigned, so it remains null

    public void someMethod() {
        // Do something interesting.
        // ...
        // Throws NPE if user hasn't been properly initialized.
        String username = user.getName();
    }
}
```
Bad · Java

Vulnerabilities classified as CWE-456 (Missing Initialization of a Variable) represent 7 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.