CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
425 vulnerabilities reference this CWE, most recent first.
GHSA-H98W-H4HP-R85V
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10Improper initialization in some Intel(R) Graphics Driver before version 27.20.100.9030 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0061"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T13:15:00Z",
"severity": "HIGH"
},
"details": "Improper initialization in some Intel(R) Graphics Driver before version 27.20.100.9030 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-h98w-h4hp-r85v",
"modified": "2022-05-24T19:10:43Z",
"published": "2022-05-24T19:10:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0061"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00508.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HCCR-JQ9J-39MV
Vulnerability from github – Published: 2022-05-27 00:00 – Updated: 2022-06-08 00:00A memory initialization issue was addressed. This issue is fixed in Security Update 2022-004 Catalina, macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to gain root privileges.
{
"affected": [],
"aliases": [
"CVE-2022-26721"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-26T19:15:00Z",
"severity": "HIGH"
},
"details": "A memory initialization issue was addressed. This issue is fixed in Security Update 2022-004 Catalina, macOS Monterey 12.4, macOS Big Sur 11.6.6. A malicious application may be able to gain root privileges.",
"id": "GHSA-hccr-jq9j-39mv",
"modified": "2022-06-08T00:00:30Z",
"published": "2022-05-27T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26721"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213255"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213256"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213257"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HF27-73W2-HW8Q
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43An elevation of privilege vulnerability in the Android media framework (libaudioservice). Product: Android. Versions: 8.0. Android ID A-65280854.
{
"affected": [],
"aliases": [
"CVE-2017-13153"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-06T14:29:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability in the Android media framework (libaudioservice). Product: Android. Versions: 8.0. Android ID A-65280854.",
"id": "GHSA-hf27-73w2-hw8q",
"modified": "2022-05-13T01:43:03Z",
"published": "2022-05-13T01:43:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13153"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-12-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102126"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HF4V-6G3H-XVV3
Vulnerability from github – Published: 2022-05-02 00:02 – Updated: 2024-02-15 21:31The Hash-based Message Authentication Code (HMAC) provider in Java on Apple Mac OS X 10.4.11, 10.5.4, and 10.5.5 uses an uninitialized variable, which allows remote attackers to execute arbitrary code via a crafted applet, related to an "error checking issue."
{
"affected": [],
"aliases": [
"CVE-2008-3637"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-09-26T16:21:00Z",
"severity": "HIGH"
},
"details": "The Hash-based Message Authentication Code (HMAC) provider in Java on Apple Mac OS X 10.4.11, 10.5.4, and 10.5.5 uses an uninitialized variable, which allows remote attackers to execute arbitrary code via a crafted applet, related to an \"error checking issue.\"",
"id": "GHSA-hf4v-6g3h-xvv3",
"modified": "2024-02-15T21:31:23Z",
"published": "2022-05-02T00:02:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3637"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45396"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00008.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32018"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3178"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3179"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31379"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1020943"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HF76-5HM2-G68J
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.
{
"affected": [],
"aliases": [
"CVE-2021-20317"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-27T11:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel. A corrupted timer tree caused the task wakeup to be missing in the timerqueue_add function in lib/timerqueue.c. This flaw allows a local attacker with special user privileges to cause a denial of service, slowing and eventually stopping the system while running OSP.",
"id": "GHSA-hf76-5hm2-g68j",
"modified": "2022-05-24T19:15:54Z",
"published": "2022-05-24T19:15:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20317"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2005258"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=511885d7061eda3eb1faf3f57dcc936ff75863f1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HG9C-42V3-C94X
Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments / File Upload). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data. CVSS 3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
{
"affected": [],
"aliases": [
"CVE-2018-2934"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-18T13:29:00Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments / File Upload). The supported version that is affected is 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Object Library accessible data. CVSS 3.0 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).",
"id": "GHSA-hg9c-42v3-c94x",
"modified": "2022-05-13T01:51:46Z",
"published": "2022-05-13T01:51:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2934"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104836"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041309"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HM9X-FX9W-M295
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2023-03-01 18:31In FreeBSD 11.3-STABLE before r350217, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, due to insufficient initialization of memory copied to userland in the freebsd32_ioctl interface, small amounts of kernel memory may be disclosed to userland processes. This may allow an attacker to leverage this information to obtain elevated privileges either directly or indirectly.
{
"affected": [],
"aliases": [
"CVE-2019-5605"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-26T01:15:00Z",
"severity": "MODERATE"
},
"details": "In FreeBSD 11.3-STABLE before r350217, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, due to insufficient initialization of memory copied to userland in the freebsd32_ioctl interface, small amounts of kernel memory may be disclosed to userland processes. This may allow an attacker to leverage this information to obtain elevated privileges either directly or indirectly.",
"id": "GHSA-hm9x-fx9w-m295",
"modified": "2023-03-01T18:31:00Z",
"published": "2022-05-24T16:51:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5605"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190814-0003"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153749/FreeBSD-Security-Advisory-FreeBSD-SA-19-14.freebsd32.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HQHV-RX9W-CR56
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-28 00:00The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.
{
"affected": [],
"aliases": [
"CVE-2021-28688"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-06T19:15:00Z",
"severity": "MODERATE"
},
"details": "The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn\u0027t use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11.",
"id": "GHSA-hqhv-rx9w-cr56",
"modified": "2022-05-28T00:00:26Z",
"published": "2022-05-24T17:46:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28688"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-371.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HQWP-QWFV-MHRX
Vulnerability from github – Published: 2025-06-05 21:30 – Updated: 2025-06-05 21:30The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.
{
"affected": [],
"aliases": [
"CVE-2025-5702"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-05T19:15:31Z",
"severity": "MODERATE"
},
"details": "The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program.",
"id": "GHSA-hqwp-qwfv-mhrx",
"modified": "2025-06-05T21:30:55Z",
"published": "2025-06-05T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5702"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HWQJ-CJW9-27X8
Vulnerability from github – Published: 2025-02-20 00:32 – Updated: 2025-02-20 15:31An issue in Bento4 v1.6.0-641 allows an attacker to trigger a segmentation fault via Ap4Atom.cpp, specifically in AP4_AtomParent::RemoveChild, during the execution of mp4encrypt with a specially crafted MP4 input file.
{
"affected": [],
"aliases": [
"CVE-2025-25947"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T23:15:15Z",
"severity": "MODERATE"
},
"details": "An issue in Bento4 v1.6.0-641 allows an attacker to trigger a segmentation fault via Ap4Atom.cpp, specifically in AP4_AtomParent::RemoveChild, during the execution of mp4encrypt with a specially crafted MP4 input file.",
"id": "GHSA-hwqj-cjw9-27x8",
"modified": "2025-02-20T15:31:09Z",
"published": "2025-02-20T00:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25947"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/issues/994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.