
CWE-908 (Use of Uninitialized Resource) — Vulnerability Class 129

129 vulnerabilities classified as CWE-908 (Use of Uninitialized Resource). AI-generated Chinese analysis included.

CWE-908 covers code that reads or otherwise uses a resource before it has been given a valid initial state, typically because a variable is never assigned, memory is never cleared, or one branch of a conditional skips the setup step. The resulting behaviour depends on whatever value the resource happens to hold: a crash, an invalid memory access, or disclosure of residual data left over from earlier operations, and an attacker who can steer execution down the unprepared code path may provoke any of these. The mitigation is to initialize explicitly and unconditionally before first use, so that every variable, pointer and object holds a known value on every path, and to back that discipline with compiler warnings, static analysis and code review that flag reads of possibly uninitialized data.

MITRE CWE Description
The product uses or accesses a resource that has not been initialized. When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Common Consequences (2)
Confidentiality: Read Memory, Read Application Data
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Availability: DoS: Crash, Exit, or Restart
The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Mitigations (4)
Implementation: Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Implementation: Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Implementation: Avoid race conditions (CWE-362) during initialization routines.
Build and Compilation: Run or compile the product with settings that generate warnings about uninitialized variables or data.
Examples (2)
Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

    private boolean initialized = true;   // wrong default: the guard below never fires

    public void someMethod() {
        if (!initialized) {
            // perform initialization tasks
            ...
            initialized = true;
        }
    }
Bad · Java
The following code intends to limit certain operations to the administrator only.
    $username = GetCurrentUser();
    $state = GetStateData($username);
    if (defined($state)) {
        $uid = ExtractUserID($state);   # $uid is assigned only on this branch
    }

    # do stuff

    # if no state existed, $uid is still undef; undef compares numerically
    # equal to 0, so the administrator check passes for an unknown user
    if ($uid == 0) {
        DoAdminThings();
    }
Bad · Perl
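As an added example, not taken from the page or from MITRE, the Perl snippet's flaw rendered in C. Perl lets the unknown-user path reach DoAdminThings() because undef compares equal to 0; the same collision arises in C when a zero-filled record stands in for a value that was never assigned, since uid 0 is the privileged account. The uid is assigned only on the success branch of a parse, which is exactly the conditional pattern the second mitigation warns about. The hardened function sets an impossible sentinel before any branch and fails closed when no uid was ever parsed. All names (is_admin_bad, is_admin_good, parse_uid, the session struct, the "uid=<n>" state format and the sample states) are constructed for illustration.

```c
/* Added example (not from the page): the page's Perl pattern in C.
 * A session record is zero-filled by calloc(); parse_uid() assigns the
 * uid field only when parsing succeeds. When no uid is parsed the field
 * stays 0, which is also ADMIN_UID, so the "no state" path is granted
 * administrator rights. The hardened version initialises uid to an
 * explicit invalid sentinel first and denies unless a real uid was set. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADMIN_UID 0           /* constructed: 0 is the privileged id, as on Unix */
#define UID_UNSET ((long)-1)  /* sentinel that no valid account can have */

struct session {              /* hypothetical record, constructed for this example */
    char name[32];
    long uid;                 /* meant to be set from persisted state */
    int  has_uid;
};

/* Parse "uid=<n>" from a persisted state string (constructed format).
 * Returns 1 and assigns *out on success; returns 0 and leaves *out
 * untouched if the state is missing or malformed. */
static int parse_uid(const char *state, long *out)
{
    if (state == NULL)
        return 0;
    const char *p = strstr(state, "uid=");
    if (p == NULL)
        return 0;
    char *end;
    errno = 0;
    long v = strtol(p + 4, &end, 10);
    if (errno != 0 || end == p + 4 || v < 0)
        return 0;
    *out = v;
    return 1;
}

/* Vulnerable: mirrors the Perl snippet. uid is assigned only inside the
 * conditional; on every other path the zeroed record yields uid == 0. */
int is_admin_bad(const char *state)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return 0;
    if (state != NULL)
        parse_uid(state, &s->uid);   /* assigns only when parsing succeeds */
    /* do stuff ... */
    int admin = (s->uid == ADMIN_UID);   /* true for "no state" and for garbage */
    free(s);
    return admin;
}

/* Hardened: uid is given an impossible value before any branch, and the
 * privileged check requires that initialisation actually happened. */
int is_admin_good(const char *state)
{
    struct session s;
    memset(&s, 0, sizeof s);
    s.uid = UID_UNSET;                     /* explicit invalid state first */
    s.has_uid = parse_uid(state, &s.uid);
    if (!s.has_uid || s.uid == UID_UNSET)
        return 0;                          /* fail closed: unknown user is never admin */
    return s.uid == ADMIN_UID;
}

int main(void)
{
    /* constructed sample states: missing, empty, admin, ordinary user, malformed */
    const char *cases[] = { NULL, "", "uid=0", "uid=1000", "uid=abc" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *st = cases[i];
        printf("state=%-10s bad=%d good=%d\n", st ? st : "(none)",
               is_admin_bad(st), is_admin_good(st));
    }
    return 0;
}
```

Build it with warnings enabled, as the build-time mitigation above recommends (for example gcc -Wall -Wextra): the sentinel-first pattern in is_admin_good is also what keeps an automatic variable from being reported as possibly uninitialized on one branch, because it is assigned before the conditional rather than inside it.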

Vulnerabilities classified as CWE-908 (Use of Uninitialized Resource) represent 129 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.