Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-665 (初始化不恰当) — Vulnerability Class 81

81 vulnerabilities classified as CWE-665 (初始化不恰当). AI Chinese analysis included.

CWE-665 represents a critical initialization weakness where software fails to properly set up a resource, leaving it in an unpredictable state upon access. This flaw is typically exploited when attackers leverage uninitialized variables, such as authentication flags or memory buffers, to bypass security controls or trigger undefined behavior. For instance, an uninitialized boolean flag might default to a permissive value, allowing unauthorized access without valid credentials. To mitigate this risk, developers must enforce strict initialization practices, ensuring all variables and resources are explicitly assigned safe default values before use. Implementing compiler warnings for uninitialized variables, conducting thorough code reviews, and adopting secure coding standards like OWASP guidelines further reduce the likelihood of this vulnerability. By guaranteeing that every resource starts in a known, secure state, organizations can prevent attackers from manipulating unexpected conditions to compromise system integrity.

MITRE CWE Description
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Common Consequences (3)
ConfidentialityRead Memory, Read Application Data
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Access ControlBypass Protection Mechanism
If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.
AvailabilityDoS: Crash, Exit, or Restart
The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a…
Mitigations (5)
RequirementsUse a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initializat…
Architecture and DesignIdentify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
ImplementationExplicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
ImplementationPay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
ImplementationAvoid race conditions (CWE-362) during initialization routines.
Examples (2)
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
private boolean initialized = true; public void someMethod() { if (!initialized) { // perform initialization tasks ... initialized = true; }
Bad · Java
The following code intends to limit certain operations to the administrator only.
$username = GetCurrentUser(); $state = GetStateData($username); if (defined($state)) { $uid = ExtractUserID($state); } # do stuff if ($uid == 0) { DoAdminThings(); }
Bad · Perl
CVE IDTitleCVSSSeverityPublished
CVE-2023-1047 TechPowerUp RealTemp WinRing0x64.sys initialization — RealTemp 5.3 Medium2023-02-26
CVE-2023-23555 BIG-IP Virtual Edition vulnerability — BIG-IP 7.5 High2023-02-01
CVE-2023-22466 Tokio's reject_remote_clients configuration may get dropped when creating a Windows named pipe — tokio 5.4 Medium2023-01-04
CVE-2022-3259 Red Hat OpenShift 安全漏洞 — OpenShift 7.4 -2022-12-09
CVE-2022-46164 Account takeover via prototype vulnerability — NodeBB 9.4 Critical2022-12-05
CVE-2022-39384 OpenZeppelin Contracts initializer reentrancy may lead to double initialization — openzeppelin-contracts 5.6 Medium2022-11-04
CVE-2022-39284 Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4 — CodeIgniter4 2.6 Low2022-10-06
CVE-2022-2472 Improper Initialization vulnerability in local server authentication logic — CS-C6N-A0-1C2WFR 7.6 High2022-09-15
CVE-2022-36061 Elrond go can execute on same context checks in VM — elrond-go 6.5 Medium2022-09-06
CVE-2021-4218 Linux kernel 安全漏洞 — kernel 5.5 -2022-08-24
CVE-2022-36364 Apache Calcite Avatica JDBC driver `httpclient_impl` connection property can be used as an RCE vector — Apache Calcite Avatica 8.8 -2022-07-28
CVE-2022-0947 Arctic Wireless Gateway Firewall vulnerability — ABB ARG600 Wireless Gateway series 9.0 Critical2022-05-10
CVE-2022-22186 Junos OS: EX4650 Series: Certain traffic received by the Junos OS device on the management interface may be forwarded to egress interfaces instead of discarded — Junos OS 7.2 High2022-04-14
CVE-2022-1122 OpenJPEG 安全漏洞 — openjpeg2 6.5 -2022-03-29
CVE-2022-22719 mod_lua Use of uninitialized value of in r:parsebody — Apache HTTP Server 7.5 -2022-03-14
CVE-2022-0847 Linux kernel 安全漏洞 — kernel 7.8 -2022-03-07
CVE-2022-24316 Interactive Graphical SCADA System Data Server 安全漏洞 — Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) 7.5 -2022-02-09
CVE-2022-22164 Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. — Junos OS Evolved 6.5 Medium2022-01-19
CVE-2021-36319 DELL Dell Networking OS10 信息泄露漏洞 — Dell Networking OS10 3.3 Low2021-11-20
CVE-2021-26312 AMD Platform Security Processor安全漏洞 — EPYC™ Processors 7.1 -2021-11-16
CVE-2021-26326 AMD 多款产品安全漏洞 — 3rd Gen AMD EPYC™ 7.8 -2021-11-16
CVE-2021-41264 UUPSUpgradeable vulnerability in OpenZeppelin Contracts — openzeppelin-contracts 9.8 Critical2021-11-12
CVE-2021-20317 Linux kernel 安全漏洞 — kernel 4.4 -2021-09-27
CVE-2021-34697 Cisco IOS XE Software Protection Against Distributed Denial of Service Attacks Feature Vulnerability — Cisco IOS XE Software 5.8 Medium2021-09-23
CVE-2021-0280 Junos OS: PTX Series, QFX10K Series: Upon receipt of specific packets BFD sessions might flap due to DDoS policer implementation in Packet Forwarding Engine — Junos OS 7.5 High2021-07-15
CVE-2021-3565 tpm2-tools 信任管理问题漏洞 — tpm2-tools 5.9 -2021-06-04
CVE-2021-29609 Incomplete validation in `SparseAdd` — tensorflow 5.3 Medium2021-05-14
CVE-2021-29610 Invalid validation in `QuantizeAndDequantizeV2` — tensorflow 3.6 Low2021-05-14
CVE-2021-29611 Incomplete validation in `SparseReshape` — tensorflow 3.6 Low2021-05-14
CVE-2021-29613 Incomplete validation in `tf.raw_ops.CTCLoss` — tensorflow 6.3 Medium2021-05-14

Vulnerabilities classified as CWE-665 (初始化不恰当) represent 81 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.