
CWE-909 Missing Initialization of Resource: vulnerability list (11)

Summary of the 11 CVEs associated with the CWE-909 (Missing Initialization of Resource) weakness class, with AI-generated Chinese analysis.

CWE-909 covers missing initialization of a resource: the program fails to initialize a critical resource correctly before using it. Attackers frequently exploit this defect by reading a memory region that holds unpredictable or stale data, obtaining sensitive information or triggering unexpected behaviour and so undermining system integrity. Developers should avoid the problem by initializing a resource strictly as soon as it is allocated, verifying that default values are valid, and making sure an uninitialized state cannot be exploited, so that data remains secure and consistent.

MITRE CWE official description
CWE: CWE-909 Missing Initialization of Resource. Description: The product does not initialize a critical resource. Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.
Common consequences (2)
Confidentiality: Read Memory, Read Application Data
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Availability: DoS: Crash, Exit, or Restart
The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Mitigations (4)
Implementation: Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Implementation: Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Implementation: Avoid race conditions (CWE-362) during initialization routines.
Build and Compilation: Run or compile your product with settings that generate warnings about uninitialized variables or data.
Code examples (2)
Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

    // Defect kept as the example intends: the flag starts out true,
    // so the guarded initialization block below never executes.
    private boolean initialized = true;

    public void someMethod() {
        if (!initialized) {
            // perform initialization tasks
            ...
            initialized = true;
        }
    }

Bad · Java
The following code intends to limit certain operations to the administrator only.

    $username = GetCurrentUser();
    $state = GetStateData($username);
    if (defined($state)) {
        $uid = ExtractUserID($state);
    }
    # do stuff
    # If $state was undefined, $uid was never assigned. In Perl an
    # undefined value compares numerically equal to 0, so the
    # administrator check below passes for a user with no state.
    if ($uid == 0) {
        DoAdminThings();
    }

Bad · Perl
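As an added example (it is not part of this page nor of MITRE's CWE-909 entry), the C program below shows the Confidentiality consequence listed above on a recycled buffer: a record slot handed out again from a one-slot pool still carries the previous user's text when only some fields are set, and clearing the whole resource before use (the first mitigation listed) removes the leak. The record type, the pool and the string values are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record type: a small header plus a text field. */
typedef struct {
    uint32_t id;
    char     comment[28];
} record_t;

/* One-slot recycled pool: the same storage is handed out repeatedly,
 * like an object pool or a reused network buffer. */
static record_t slot;

static record_t *pool_get(void) { return &slot; }

/* An earlier privileged use leaves sensitive text in the slot
 * (value constructed for the example). */
static void earlier_privileged_use(void) {
    record_t *r = pool_get();
    r->id = 1;
    strncpy(r->comment, "admin-session-CONSTRUCTED", sizeof r->comment - 1);
    r->comment[sizeof r->comment - 1] = '\0';
}

/* CWE-909: only the id is set; the comment field still holds whatever
 * the previous user of the slot left behind, and the whole record is
 * then handed to an untrusted party. */
static record_t *build_reply_bad(uint32_t id) {
    record_t *r = pool_get();
    r->id = id;
    return r;
}

/* Mitigation: explicitly initialize the whole resource before use. */
static record_t *build_reply_good(uint32_t id) {
    record_t *r = pool_get();
    memset(r, 0, sizeof *r);
    r->id = id;
    return r;
}

/* Returns 1 if the reply still carries the earlier privileged text. */
static int reply_leaks(const record_t *r) {
    return strstr(r->comment, "admin-session") != NULL;
}

/* Uninitialized path: expected to leak (returns 1). */
int bad_path_leaks(void) {
    earlier_privileged_use();
    return reply_leaks(build_reply_bad(42));
}

/* Zeroed path: expected not to leak (returns 0). */
int good_path_leaks(void) {
    earlier_privileged_use();
    return reply_leaks(build_reply_good(42));
}

int main(void) {
    printf("reply without initialization leaks: %d\n", bad_path_leaks());
    printf("reply zeroed before use leaks:      %d\n", good_path_leaks());
    return 0;
}
```

The leak here is deterministic because the slot was written by an earlier call; with freshly allocated memory the contents are merely unpredictable, which is exactly why the page's last mitigation (compiler warnings for uninitialized data) and tools such as MemorySanitizer or Valgrind are worth running on code that recycles buffers.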
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-40687 | Exim < 4.99.2 out-of-bounds write and heap memory disclosure vulnerability | Exim | 4.8 | Medium | 2026-04-30 |
| CVE-2025-8117 | Polska Akademia Dostępności CMS security vulnerability | PAD CMS | 9.1 (AI) | Critical (AI) | 2025-09-30 |
| CVE-2025-54410 | Moby security vulnerability | moby | 3.3 | Low | 2025-07-30 |
| CVE-2025-54388 | Moby security vulnerability | moby | - | - | 2025-07-30 |
| CVE-2024-32945 | Mattermost Mobile Apps security vulnerability | Mattermost | 2.6 | Low | 2024-07-15 |
| CVE-2022-0175 | virglrenderer security vulnerability | virglrenderer | 5.5 | - | 2022-08-26 |
| CVE-2022-0382 | Linux kernel information disclosure vulnerability | kernel | 3.3 | - | 2022-02-11 |
| CVE-2021-3655 | Linux kernel input validation error vulnerability | kernel | 3.3 | - | 2021-08-05 |
| CVE-2021-28167 | Eclipse OpenJ9 security vulnerability | Eclipse OpenJ9 | 5.3 | - | 2021-04-21 |
| CVE-2020-12523 | Phoenix Contact mGuard Devices security vulnerability | TC MGUARD RS4000 4G VZW VPN (1010461) | 5.4 | Medium | 2020-12-17 |
| CVE-2019-3804 | Cockpit security vulnerability | cockpit | 7.5 | - | 2019-03-26 |

"(AI)" marks a score or rating the page labels as AI-estimated; "-" means the page gives no value.

CWE-909 (Missing Initialization of Resource) is a common weakness category; this platform lists the 11 CVEs associated with it.