CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-6JFC-JV5M-VXV3
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-20 00:02In sec_SHA256_Transform of sha256_core.c, there is a possible way to read heap data due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-197965864References: N/A
{
"affected": [],
"aliases": [
"CVE-2021-39680"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "In sec_SHA256_Transform of sha256_core.c, there is a possible way to read heap data due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-197965864References: N/A",
"id": "GHSA-6jfc-jv5m-vxv3",
"modified": "2022-01-20T00:02:08Z",
"published": "2022-01-15T00:01:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39680"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-01-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6JW3-XMJ9-QVCW
Vulnerability from github – Published: 2023-12-15 00:31 – Updated: 2023-12-15 00:31The first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access.
{
"affected": [],
"aliases": [
"CVE-2023-4489"
],
"database_specific": {
"cwe_ids": [
"CWE-1279",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T23:15:07Z",
"severity": "MODERATE"
},
"details": "\n\n\nThe first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access.\n\n \n\n",
"id": "GHSA-6jw3-xmj9-qvcw",
"modified": "2023-12-15T00:31:03Z",
"published": "2023-12-15T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4489"
},
{
"type": "WEB",
"url": "https://github.com/SiliconLabs/gecko_sdk"
},
{
"type": "WEB",
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000buWj0QAE?operationContext=S1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6M3J-PCG3-CX2R
Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30Vulnerability of variables not being initialized in the notification module Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-56446"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T03:15:10Z",
"severity": "MODERATE"
},
"details": "Vulnerability of variables not being initialized in the notification module\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-6m3j-pcg3-cx2r",
"modified": "2025-01-08T03:30:24Z",
"published": "2025-01-08T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56446"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6PW8-5P8J-M67X
Vulnerability from github – Published: 2023-04-13 00:30 – Updated: 2024-04-04 03:25An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.
{
"affected": [],
"aliases": [
"CVE-2023-22897"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T23:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall\u0027s endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.",
"id": "GHSA-6pw8-5p8j-m67x",
"modified": "2024-04-04T03:25:44Z",
"published": "2023-04-13T00:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22897"
},
{
"type": "WEB",
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22897.txt"
},
{
"type": "WEB",
"url": "https://rcesecurity.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171928/SecurePoint-UTM-12.x-Memory-Leak.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Apr/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6Q37-HH76-6RV4
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.
{
"affected": [],
"aliases": [
"CVE-2022-2308"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.",
"id": "GHSA-6q37-hh76-6rv4",
"modified": "2022-09-08T00:00:30Z",
"published": "2022-09-02T00:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2308"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6V28-C2X2-8P46
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc() to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is misinterpreted by Buffer's internal "fill" method as the start to a fill operation. This flaw may be abused where Buffer.alloc() arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2018-7166"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-21T12:29:00Z",
"severity": "HIGH"
},
"details": "In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer\u0027s` internal \"fill\" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.",
"id": "GHSA-6v28-c2x2-8p46",
"modified": "2022-05-13T01:16:08Z",
"published": "2022-05-13T01:16:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7166"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2553"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6W5Q-CG43-PM5X
Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2024-04-04 04:52In readSampleData of NuMediaExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-275418191
{
"affected": [],
"aliases": [
"CVE-2023-21127"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-15T19:15:09Z",
"severity": "HIGH"
},
"details": "In readSampleData of NuMediaExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-275418191",
"id": "GHSA-6w5q-cg43-pm5x",
"modified": "2024-04-04T04:52:21Z",
"published": "2023-06-15T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21127"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WH2-MPVP-28Q3
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable uninitialized variable vulnerability exists in the RTF-parsing functionality of Atlantis Word Processor 3.2.6 version. A specially crafted RTF file can leverage an uninitialized stack address, resulting in an out-of-bounds write, which in turn could lead to code execution.
{
"affected": [],
"aliases": [
"CVE-2018-3975"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-01T20:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable uninitialized variable vulnerability exists in the RTF-parsing functionality of Atlantis Word Processor 3.2.6 version. A specially crafted RTF file can leverage an uninitialized stack address, resulting in an out-of-bounds write, which in turn could lead to code execution.",
"id": "GHSA-6wh2-mpvp-28q3",
"modified": "2022-05-13T01:01:49Z",
"published": "2022-05-13T01:01:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3975"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0641"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WP2-FW3V-MFMC
Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2021-08-24 18:54An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don't guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone() panics in FixedCapacityDequeLike<T, A>::clone(). This causes memory corruption.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "array-tools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36452"
],
"database_specific": {
"cwe_ids": [
"CWE-908",
"CWE-909"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:24:55Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don\u0027t guard against panics, so that partially uninitialized buffer is dropped when user-provided `T::clone()` panics in `FixedCapacityDequeLike\u003cT, A\u003e::clone()`. This causes memory corruption.\n",
"id": "GHSA-6wp2-fw3v-mfmc",
"modified": "2021-08-24T18:54:26Z",
"published": "2021-08-25T20:57:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36452"
},
{
"type": "WEB",
"url": "https://github.com/L117/array-tools/issues/2"
},
{
"type": "PACKAGE",
"url": "https://github.com/L117/array-tools"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/array-tools/RUSTSEC-2020-0132.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0132.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Memory corruption in array-tools"
}
GHSA-6X3J-FQGG-3HQR
Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-26 00:03In PVRSRVBridgeHeapCfgHeapDetails, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848165
{
"affected": [],
"aliases": [
"CVE-2021-0698"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "In PVRSRVBridgeHeapCfgHeapDetails, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848165",
"id": "GHSA-6x3j-fqgg-3hqr",
"modified": "2022-08-26T00:03:34Z",
"published": "2022-08-25T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0698"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-08-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.