
CWE-908 (Use of Uninitialized Resource) — Vulnerability Class 129

129 vulnerabilities classified as CWE-908 (Use of Uninitialized Resource). AI Chinese analysis included.

CWE-908 represents a critical software weakness where an application accesses or utilizes a resource that has not been properly initialized. This flaw typically arises when developers fail to set default values or allocate necessary memory before first use, leading to unpredictable system behavior. Attackers often exploit this vulnerability by triggering specific code paths that expose uninitialized data, potentially causing application crashes, invalid memory access errors, or information disclosure of sensitive residual data from previous operations. To mitigate this risk, developers must enforce strict initialization protocols, ensuring all variables, pointers, and objects are explicitly assigned valid states before any read or write operations occur. Implementing comprehensive static analysis tools and rigorous code reviews further helps identify these gaps, ensuring robust resource management and preventing the execution of undefined logic that could compromise system stability or security.

MITRE CWE Description
The product uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Common Consequences (2)
Confidentiality (Read Memory, Read Application Data): When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Availability (DoS: Crash, Exit, or Restart): The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Mitigations (4)
Implementation: Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Implementation: Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Implementation: Avoid race conditions (CWE-362) during initialization routines.
Build and Compilation: Run or compile the product with settings that generate warnings about uninitialized variables or data.
Examples (2)
Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

private boolean initialized = true;

public void someMethod() {
    if (!initialized) {
        // perform initialization tasks
        ...
        initialized = true;
    }
}
Bad · Java
The following code intends to limit certain operations to the administrator only.
$username = GetCurrentUser();
$state = GetStateData($username);
if (defined($state)) {
    $uid = ExtractUserID($state);
}

# do stuff

if ($uid == 0) {
    DoAdminThings();
}
Bad · Perl
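The two MITRE examples above share one root cause: a value is consulted on a path where nothing guaranteed it was ever set (the Perl $uid when $state is undefined; the Java guard flag that starts in the wrong state). The C program below is an added example, not code from MITRE or from this page, that applies the listed mitigations to both patterns: every variable is assigned a sentinel on all paths, "unknown" is treated as "not privileged", and the one-time-initialization guard starts false. The user_state struct, UID_NONE sentinel, and the lazy_resource type are constructed for illustration and are not part of any real API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-user state record of the Perl example.
 * `valid` is an explicit "defined" flag: false until the record is populated. */
typedef struct {
    bool valid;
    int uid;
} user_state;

#define UID_NONE (-1)   /* sentinel meaning "no uid could be established" */

/* Hardened equivalent of the Perl example: `uid` is assigned on every path,
 * so the later admin check never reads a value that was never set. */
int extract_uid(const user_state *state)
{
    int uid = UID_NONE;                       /* initialized before any branch */
    if (state != NULL && state->valid) {
        uid = state->uid;
    }
    return uid;
}

/* An unknown uid must not look like uid 0 (the administrator): fail closed. */
bool is_admin(const user_state *state)
{
    return extract_uid(state) == 0;
}

/* Hardened equivalent of the Java example: the guard flag starts false,
 * so the one-time initialization really runs, and runs exactly once. */
typedef struct {
    bool initialized;
    char buffer[16];
    int init_count;   /* how many times the init block ran (for checking) */
} lazy_resource;

void lazy_resource_reset(lazy_resource *r)
{
    memset(r, 0, sizeof *r);   /* initialized == false, buffer zeroed */
}

const char *lazy_resource_get(lazy_resource *r)
{
    if (!r->initialized) {
        strcpy(r->buffer, "ready");   /* perform initialization tasks */
        r->init_count++;
        r->initialized = true;
    }
    return r->buffer;
}

int main(void)
{
    /* Constructed sample records: an admin, a normal user, and a record whose
     * uid field happens to be 0 but was never marked valid. */
    user_state admin = { .valid = true,  .uid = 0 };
    user_state user  = { .valid = true,  .uid = 1000 };
    user_state unset = { .valid = false, .uid = 0 };

    printf("admin -> %d\n", is_admin(&admin));   /* 1 */
    printf("user  -> %d\n", is_admin(&user));    /* 0 */
    printf("unset -> %d\n", is_admin(&unset));   /* 0: zeroed memory is not admin */
    printf("NULL  -> %d\n", is_admin(NULL));     /* 0 */

    lazy_resource r;
    lazy_resource_reset(&r);
    lazy_resource_get(&r);
    lazy_resource_get(&r);
    printf("init ran %d time(s)\n", r.init_count);   /* 1 */
    return 0;
}
```

The `unset` record is the case worth noticing: a freshly calloc'd or zero-filled buffer has uid 0, which is exactly the administrator's id, so a check that only looks at the uid field would grant privilege to an uninitialized record. Carrying an explicit `valid` flag and a sentinel return value is what turns that into a deterministic "not admin" instead of whatever the memory happened to contain. Compiling with -Wall (the "Build and Compilation" mitigation) would also flag the original Perl-style pattern in C, where `uid` is only assigned inside the conditional.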
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-7141 | vllm KV Block kv_cache_interface.py has_mamba_layers uninitialized resource | vllm | 5.6 | Medium | 2026-04-27
CVE-2026-26175 | Windows Boot Manager Security Feature Bypass Vulnerability | Windows 10 Version 1607 | 4.6 | Medium | 2026-04-14
CVE-2026-34543 | OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl) | openexr | 5.5 (AI) | Medium (AI) | 2026-04-01
CVE-2026-27496 | n8n has In-Process Memory Disclosure in its Task Runner | n8n | 6.5 | - | 2026-03-25
CVE-2025-12736 | multimedia_audio_standard has an insecure storage of sensitive information vulnerability | OpenHarmony | 6.5 | Medium | 2026-03-16
CVE-2026-3497 | OpenSSH security vulnerability | openssh | 9.1 (AI) | Critical (AI) | 2026-03-12
CVE-2026-2044 | GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability | GIMP | 7.8 (AI) | High (AI) | 2026-02-20
CVE-2025-12474 | libjxl: Uninitialized memory read in decoder due to incorrect optimization in patch handling | libjxl | 4.3 | - | 2026-02-11
CVE-2025-15281 | wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory | glibc | 7.5 (AI) | High (AI) | 2026-01-20
CVE-2026-0915 | getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resolver | glibc | 7.5 (AI) | High (AI) | 2026-01-15
CVE-2026-20962 | Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability | Windows 10 Version 1809 | 4.4 | Medium | 2026-01-13
CVE-2025-40829 | Siemens Simcenter Femap security vulnerability | Simcenter Femap | 7.8 | High | 2025-12-12
CVE-2025-62472 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Windows 10 Version 1607 | 7.8 | High | 2025-12-09
CVE-2025-31649 | Dell ControlVault3 ControlVault WBDI Driver hard-coded password vulnerability | BCM5820X | 8.7 | High | 2025-11-17
CVE-2025-31361 | Dell ControlVault3 ControlVault WBDI Driver Broadcom Storage Adapter privilege escalation vulnerability | BCM5820X | 8.7 | High | 2025-11-17
CVE-2025-9640 | Samba: vfs_streams_xattr uninitialized memory write possible | | 4.3 | Medium | 2025-10-15
CVE-2025-59194 | Windows Kernel Elevation of Privilege Vulnerability | Windows 11 version 22H2 | 7.0 | High | 2025-10-14
CVE-2025-59204 | Windows Management Services Information Disclosure Vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2025-10-14
CVE-2025-59964 | Junos OS: SRX4700: When forwarding-options sampling is enabled any traffic destined to the RE will cause the forwarding line card to crash and restart | Junos OS | 7.5 | High | 2025-10-09
CVE-2025-53799 | Windows Imaging Component Information Disclosure Vulnerability | Microsoft Office for Android | 5.5 | Medium | 2025-09-09
CVE-2025-55198 | Helm May Panic Due To Incorrect YAML Content | helm | 6.5 | Medium | 2025-08-13
CVE-2025-50157 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Windows Server 2008 R2 Service Pack 1 | 5.7 | Medium | 2025-08-12
CVE-2025-53719 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Windows Server 2008 R2 Service Pack 1 | 5.7 | Medium | 2025-08-12
CVE-2025-53153 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Windows Server 2008 R2 Service Pack 1 | 5.7 | Medium | 2025-08-12
CVE-2025-53148 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Windows Server 2008 R2 Service Pack 1 | 5.7 | Medium | 2025-08-12
CVE-2025-53138 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Windows Server 2008 R2 Service Pack 1 | 5.7 | Medium | 2025-08-12
CVE-2025-50156 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | Windows Server 2008 R2 Service Pack 1 | 5.7 | Medium | 2025-08-12
CVE-2025-53759 | Microsoft Excel Remote Code Execution Vulnerability | Microsoft 365 Apps for Enterprise | 7.8 | High | 2025-08-12
CVE-2025-2329 | High traffic causes corrupt SPI packets in OpenThread leading to denial of service | OpenThread | 7.5 | - | 2025-07-25
CVE-2025-41239 | vSockets information-disclosure vulnerability | ESXi | 7.1 | High | 2025-07-15

Vulnerabilities classified as CWE-908 (Use of Uninitialized Resource) represent 129 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.