CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
425 vulnerabilities reference this CWE, most recent first.
GHSA-MX54-9G2J-8G2M
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2024-01-01 00:30An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0928, CVE-2020-1033, CVE-2020-1589, CVE-2020-16854.
{
"affected": [],
"aliases": [
"CVE-2020-1592"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-11T17:15:00Z",
"severity": "LOW"
},
"details": "An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka \u0027Windows Kernel Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2020-0928, CVE-2020-1033, CVE-2020-1589, CVE-2020-16854.",
"id": "GHSA-mx54-9g2j-8g2m",
"modified": "2024-01-01T00:30:42Z",
"published": "2022-05-24T17:28:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1592"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1592"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXMQ-W35F-5FR4
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Improper initialization in a subsystem in the Intel(R) CSME versions before 11.8.86, 11.12.86, 11.22.86, 12.0.81, 13.0.47, 13.30.17, 14.1.53, 14.5.32, 13.50.11 and 15.0.22 may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2020-24507"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper initialization in a subsystem in the Intel(R) CSME versions before 11.8.86, 11.12.86, 11.22.86, 12.0.81, 13.0.47, 13.30.17, 14.1.53, 14.5.32, 13.50.11 and 15.0.22 may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-mxmq-w35f-5fr4",
"modified": "2022-05-24T19:04:29Z",
"published": "2022-05-24T19:04:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24507"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210611-0004"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00459.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P2FM-M9QC-J6X3
Vulnerability from github – Published: 2023-12-30 03:30 – Updated: 2025-04-17 21:30Improper initialization of x87 and SSE floating-point configuration registers in the __scone_entry component of SCONE before 5.8.0 for Intel SGX allows a local attacker to compromise the execution integrity of floating-point operations in an enclave or access sensitive information via side-channel analysis.
{
"affected": [],
"aliases": [
"CVE-2022-46487"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-30T03:15:08Z",
"severity": "HIGH"
},
"details": "Improper initialization of x87 and SSE floating-point configuration registers in the __scone_entry component of SCONE before 5.8.0 for Intel SGX allows a local attacker to compromise the execution integrity of floating-point operations in an enclave or access sensitive information via side-channel analysis.",
"id": "GHSA-p2fm-m9qc-j6x3",
"modified": "2025-04-17T21:30:39Z",
"published": "2023-12-30T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15107"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46487"
},
{
"type": "WEB",
"url": "https://jovanbulck.github.io/files/acsac20-fpu.pdf"
},
{
"type": "WEB",
"url": "https://jovanbulck.github.io/files/oakland24-pandora.pdf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0561#vulnCurrentDescriptionTitle"
},
{
"type": "WEB",
"url": "https://sconedocs.github.io/release5.7"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html#inpage-nav-3-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P346-P3V9-5QQ8
Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-25 00:00Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.
{
"affected": [],
"aliases": [
"CVE-2022-32579"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-18T21:15:00Z",
"severity": "HIGH"
},
"details": "Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.",
"id": "GHSA-p346-p3v9-5qq8",
"modified": "2022-08-25T00:00:26Z",
"published": "2022-08-19T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32579"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00712.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P387-C589-X473
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command. NOTE: the vendor indicates that there is no common or recommended scenario in which a root script would execute this kill command.
{
"affected": [],
"aliases": [
"CVE-2017-13649"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-23T21:29:00Z",
"severity": "MODERATE"
},
"details": "UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command. NOTE: the vendor indicates that there is no common or recommended scenario in which a root script would execute this kill command.",
"id": "GHSA-p387-c589-x473",
"modified": "2022-05-13T01:43:11Z",
"published": "2022-05-13T01:43:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13649"
},
{
"type": "WEB",
"url": "https://bugs.unrealircd.org/view.php?id=4990"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100507"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3J3-7Q7C-3G53
Vulnerability from github – Published: 2024-04-10 21:30 – Updated: 2024-04-19 21:31In the Linux kernel, the following vulnerability has been resolved:
cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
If the userspace tools switch from NL80211_IFTYPE_P2P_GO to NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it does not call the cleanup cfg80211_stop_ap(), this leads to the initialization of in-use data. For example, this path re-init the sdata->assigned_chanctx_list while it is still an element of assigned_vifs list, and makes that linked list corrupt.
{
"affected": [],
"aliases": [
"CVE-2021-47194"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T19:15:47Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\n\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata-\u003eassigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.",
"id": "GHSA-p3j3-7q7c-3g53",
"modified": "2024-04-19T21:31:07Z",
"published": "2024-04-10T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47194"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0738cdb636c21ab552eaecf905efa4a6070e3ebc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e458abbb4a523f1413bfe15c079cf4e24c15b21"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52affc201fc22a1ab9a59ef0ed641a9adfcb8d13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/563fbefed46ae4c1f70cffb8eb54c02df480b2c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a9b671c8d74a3e1b999e7a0c7f366079bcc93dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b97b5776daa0b39dbdadfea176f9cc0646d4a66"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8f06bb8c216bcd172394f61e557727e691b4cb24"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b8a045e2a9b234cfbc06cf36923886164358ddec"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4P6-GWHQ-Q5Q7
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
{
"affected": [],
"aliases": [
"CVE-2019-19126"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-19T22:15:00Z",
"severity": "LOW"
},
"details": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
"id": "GHSA-p4p6-gwhq-q5q7",
"modified": "2022-05-24T17:01:35Z",
"published": "2022-05-24T17:01:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19126"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4416-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5MC-228W-WJFM
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:46Failure to initialize the extra buffer can lead to an out of buffer access in WLAN function in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24
{
"affected": [],
"aliases": [
"CVE-2018-11949"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-24T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Failure to initialize the extra buffer can lead to an out of buffer access in WLAN function in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24",
"id": "GHSA-p5mc-228w-wjfm",
"modified": "2024-04-04T00:46:59Z",
"published": "2022-05-24T16:46:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11949"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2019/04/01/april-2019-code-aurora-security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P7X9-2GR9-QM7X
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Microsoft Office 2016, and Microsoft Office 2016 Click-to-Run (C2R) allow an information disclosure vulnerability, due to how Office initializes the affected variable, aka "Microsoft Office Information Disclosure Vulnerability".
{
"affected": [],
"aliases": [
"CVE-2018-0853"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-15T02:29:00Z",
"severity": "MODERATE"
},
"details": "Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Microsoft Office 2016, and Microsoft Office 2016 Click-to-Run (C2R) allow an information disclosure vulnerability, due to how Office initializes the affected variable, aka \"Microsoft Office Information Disclosure Vulnerability\".",
"id": "GHSA-p7x9-2gr9-qm7x",
"modified": "2022-05-13T01:18:33Z",
"published": "2022-05-13T01:18:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0853"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0853"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102868"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040381"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P84C-PFQC-C27P
Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-23 21:30An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted.
The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message:
reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump
This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP:
- 24.4 versions before 24.4R2,
- 25.2 versions before 25.2R1-S2, 25.2R2.
This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.
{
"affected": [],
"aliases": [
"CVE-2026-21913"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T21:16:07Z",
"severity": "HIGH"
},
"details": "An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\nOn EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP)\u00a0a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted.\n\n\n\n\nThe following reboot reason can be seen in the output of \u0027show chassis routing-engine\u0027 and as a log message:\n\n\u00a0 reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump \n\n\n\n\nThis issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP:\n\n\n\n * 24.4 versions before 24.4R2,\n * 25.2 versions before 25.2R1-S2, 25.2R2.\n\n\n\n\nThis issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.",
"id": "GHSA-p84c-pfqc-c27p",
"modified": "2026-01-23T21:30:40Z",
"published": "2026-01-15T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21913"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA106014"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA106014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.