Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-908 (对未经初始化资源的使用) — Vulnerability Class 129

129 vulnerabilities classified as CWE-908 (对未经初始化资源的使用). AI Chinese analysis included.

CWE-908 represents a critical software weakness where an application accesses or utilizes a resource that has not been properly initialized. This flaw typically arises when developers fail to set default values or allocate necessary memory before first use, leading to unpredictable system behavior. Attackers often exploit this vulnerability by triggering specific code paths that expose uninitialized data, potentially causing application crashes, invalid memory access errors, or information disclosure of sensitive residual data from previous operations. To mitigate this risk, developers must enforce strict initialization protocols, ensuring all variables, pointers, and objects are explicitly assigned valid states before any read or write operations occur. Implementing comprehensive static analysis tools and rigorous code reviews further helps identify these gaps, ensuring robust resource management and preventing the execution of undefined logic that could compromise system stability or security.

MITRE CWE Description
The product uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Common Consequences (2)
ConfidentialityRead Memory, Read Application Data
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
AvailabilityDoS: Crash, Exit, or Restart
The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Mitigations (4)
ImplementationExplicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
ImplementationPay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
ImplementationAvoid race conditions (CWE-362) during initialization routines.
Build and CompilationRun or compile the product with settings that generate warnings about uninitialized variables or data.
Examples (2)
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
private boolean initialized = true; public void someMethod() { if (!initialized) { // perform initialization tasks ... initialized = true; }
Bad · Java
The following code intends to limit certain operations to the administrator only.
$username = GetCurrentUser(); $state = GetStateData($username); if (defined($state)) { $uid = ExtractUserID($state); } # do stuff if ($uid == 0) { DoAdminThings(); }
Bad · Perl
CVE IDTitleCVSSSeverityPublished
CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability — Windows Server 2019 9.8 Critical2023-05-09
CVE-2023-24886 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability — Windows 10 Version 1809 8.8 High2023-04-11
CVE-2023-27598 OpenSIPS has vulnerability in the parse_via() function — opensips 7.5 High2023-03-15
CVE-2023-23413 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability — Windows 10 Version 1809 8.8 High2023-03-14
CVE-2021-32845 Moby HyperKit uninitialized memory use vtrnd pci_vtrnd_notify — hyperkit 7.7 High2023-02-17
CVE-2021-32846 Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx — hyperkit 7.7 High2023-02-17
CVE-2023-22281 BIG-IP AFM vulnerability — BIG-IP 7.5 High2023-02-01
CVE-2023-21753 Event Tracing for Windows Information Disclosure Vulnerability — Windows 10 Version 1809 5.5 Medium2023-01-10
CVE-2020-36617 ewxrjk sftpserver parse.c sftp_parse_path uninitialized pointer — sftpserver 4.6 Medium2022-12-18
CVE-2022-2949 Altair HyperView Player 安全漏洞 — HyperView Player 7.8 High2022-12-13
CVE-2022-2950 Altair HyperView Player 安全漏洞 — HyperView Player 7.8 High2022-12-13
CVE-2022-39282 RDP client: Read of uninitialized memory with parallel port redirection — FreeRDP 3.5 Low2022-10-12
CVE-2022-29240 Uninitialized memory read in LZ4 decompression leads to authentication bypass in Scylla — scylla 8.1 High2022-09-15
CVE-2020-27795 radare2 安全漏洞 — radare2 7.5 -2022-08-19
CVE-2021-3435 L2CAP: Information leakage in le_ecred_conn_req() — zephyr 4.0 Medium2022-06-28
CVE-2022-31026 Use of Uninitialized Variable in trilogy — trilogy 5.9 Medium2022-06-06
CVE-2022-29205 Segfault due to missing support for quantized types in TensorFlow — tensorflow 5.5 Medium2022-05-20
CVE-2022-26370 F5 BIG-IP 安全漏洞 — BIG-IP 5.9 Medium2022-05-05
CVE-2022-0433 Linux kernel 代码问题漏洞 — kernel 5.5 -2022-03-09
CVE-2022-23573 Uninitialized variable access in Tensorflow — tensorflow 7.6 High2022-02-04
CVE-2021-43848 Unititialized memory access in h2o — h2o 7.4 High2022-02-01
CVE-2021-41225 A use of uninitialized value vulnerability in Tensorflow — tensorflow 5.5 Medium2021-11-05
CVE-2021-34855 Corel Parallels Desktop 信息泄露漏洞 — Desktop 6.5 -2021-10-25
CVE-2021-21781 Linux kernel安全漏洞 — Linux Kernel 4.3 -2021-08-18
CVE-2021-37682 Use of unitialized value in TensorFlow Lite — tensorflow 4.4 Medium2021-08-12
CVE-2021-3545 QEMU 信息泄露漏洞 — QEMU 6.5 -2021-06-02
CVE-2018-25014 libwebp 安全漏洞 — libwebp 9.8 -2021-05-21
CVE-2021-29580 Undefined behavior and `CHECK`-fail in `FractionalMaxPoolGrad` — tensorflow 2.5 Low2021-05-14
CVE-2021-29581 Segfault in `CTCBeamSearchDecoder` — tensorflow 2.5 Low2021-05-14
CVE-2021-29623 Uninitialized variable bug in Exiv2 — exiv2 3.6 Low2021-05-13

Vulnerabilities classified as CWE-908 (对未经初始化资源的使用) represent 129 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.