CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-G569-WG4C-8CRR
Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2025-10-22 18:30In the Linux kernel, the following vulnerability has been resolved:
RDMA/hfi1: Prevent use of lock before it is initialized
If there is a failure during probe of hfi1 before the sdma_map_lock is initialized, the call to hfi1_free_devdata() will attempt to use a lock that has not been initialized. If the locking correctness validator is on then an INFO message and stack trace resembling the following may be seen:
INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. Call Trace: register_lock_class+0x11b/0x880 __lock_acquire+0xf3/0x7930 lock_acquire+0xff/0x2d0 _raw_spin_lock_irq+0x46/0x60 sdma_clean+0x42a/0x660 [hfi1] hfi1_free_devdata+0x3a7/0x420 [hfi1] init_one+0x867/0x11a0 [hfi1] pci_device_probe+0x40e/0x8d0
The use of sdma_map_lock in sdma_clean() is for freeing the sdma_map memory, and sdma_map is not allocated/initialized until after sdma_map_lock has been initialized. This code only needs to be run if sdma_map is not NULL, and so checking for that condition will avoid trying to use the lock before it is initialized.
{
"affected": [],
"aliases": [
"CVE-2022-49433"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hfi1: Prevent use of lock before it is initialized\n\nIf there is a failure during probe of hfi1 before the sdma_map_lock is\ninitialized, the call to hfi1_free_devdata() will attempt to use a lock\nthat has not been initialized. If the locking correctness validator is on\nthen an INFO message and stack trace resembling the following may be seen:\n\n INFO: trying to register non-static key.\n The code is fine but needs lockdep annotation, or maybe\n you didn\u0027t initialize this object before use?\n turning off the locking correctness validator.\n Call Trace:\n register_lock_class+0x11b/0x880\n __lock_acquire+0xf3/0x7930\n lock_acquire+0xff/0x2d0\n _raw_spin_lock_irq+0x46/0x60\n sdma_clean+0x42a/0x660 [hfi1]\n hfi1_free_devdata+0x3a7/0x420 [hfi1]\n init_one+0x867/0x11a0 [hfi1]\n pci_device_probe+0x40e/0x8d0\n\nThe use of sdma_map_lock in sdma_clean() is for freeing the sdma_map\nmemory, and sdma_map is not allocated/initialized until after\nsdma_map_lock has been initialized. This code only needs to be run if\nsdma_map is not NULL, and so checking for that condition will avoid trying\nto use the lock before it is initialized.",
"id": "GHSA-g569-wg4c-8crr",
"modified": "2025-10-22T18:30:31Z",
"published": "2025-10-22T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49433"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05c03dfd09c069c4ffd783b47b2da5dcc9421f2c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/288d198f50434f29b4a26a9de4394ae2305ad8af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30eb275e7ed588270ae159cc590a96658e0cfd8f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66090815a24ce14cf51ef5453fc0218fe8a39bc2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/addb192000d8819c0b1553453994df9bb54c28db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca55150bff5817af4f857a746ecab9862c23e12a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc0750e659db7b315bf6348902cc8ca3cdd4b8d8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5HM-28JR-53FH
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
{
"affected": [],
"aliases": [
"CVE-2020-10933"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-04T15:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.",
"id": "GHSA-g5hm-28jr-53fh",
"modified": "2022-05-24T17:17:05Z",
"published": "2022-05-24T17:17:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10933"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4TNVTT66VPRMX5UZYSDGSVRXKKDDDU5"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200625-0001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4721"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G5XQ-CCC5-74P4
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2024-13164"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:27Z",
"severity": "HIGH"
},
"details": "An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.",
"id": "GHSA-g5xq-ccc5-74p4",
"modified": "2025-01-14T18:32:01Z",
"published": "2025-01-14T18:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13164"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G737-8242-62F7
Vulnerability from github – Published: 2025-12-24 12:30 – Updated: 2026-02-26 21:31In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Initialize allocated memory before use
KMSAN reports: Multiple uninitialized values detected:
- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)
Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use.
{
"affected": [],
"aliases": [
"CVE-2025-68365"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-24T11:16:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Initialize allocated memory before use\n\nKMSAN reports: Multiple uninitialized values detected:\n\n- KMSAN: uninit-value in ntfs_read_hdr (3)\n- KMSAN: uninit-value in bcmp (3)\n\nMemory is allocated by __getname(), which is a wrapper for\nkmem_cache_alloc(). This memory is used before being properly\ncleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to\nproperly allocate and clear memory before use.",
"id": "GHSA-g737-8242-62f7",
"modified": "2026-02-26T21:31:25Z",
"published": "2025-12-24T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68365"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d52c592cf53f5bb7163967edc01d2d7d80de44a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a58e29849aef8d26554a982989a2190b49aaf8ed"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bdf38063fd15f2fc7361dc0b5d3c259741eab835"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7728057220cabd720e27e46097edad48e5bd728"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8PG-2C55-H595
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12528.
{
"affected": [],
"aliases": [
"CVE-2021-31423"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-29T17:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 15.1.5-47309. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-12528.",
"id": "GHSA-g8pg-2c55-h595",
"modified": "2022-05-24T17:49:17Z",
"published": "2022-05-24T17:49:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31423"
},
{
"type": "WEB",
"url": "https://kb.parallels.com/en/125013"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-431"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G9FM-C939-XC3Q
Vulnerability from github – Published: 2022-10-13 12:00 – Updated: 2022-10-13 19:00Dell BIOS contains a use of uninitialized variable vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.
{
"affected": [],
"aliases": [
"CVE-2022-34390"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Dell BIOS contains a use of uninitialized variable vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.",
"id": "GHSA-g9fm-c939-xc3q",
"modified": "2022-10-13T19:00:17Z",
"published": "2022-10-13T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34390"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000203882"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GCG4-GQCM-665F
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2026-07-05 03:30An issue was discovered in function scanallsubs in src/sbbs3/scansubs.cpp in Synchronet BBS, which may allow attackers to view sensitive information due to an uninitialized value.
{
"affected": [],
"aliases": [
"CVE-2021-36512"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T12:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in function scanallsubs in src/sbbs3/scansubs.cpp in Synchronet BBS, which may allow attackers to view sensitive information due to an uninitialized value.",
"id": "GHSA-gcg4-gqcm-665f",
"modified": "2026-07-05T03:30:43Z",
"published": "2022-05-24T19:18:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36512"
},
{
"type": "WEB",
"url": "https://gitlab.synchro.net/main/sbbs/-/issues/276"
},
{
"type": "WEB",
"url": "http://synchronet.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GCPC-QQ7M-V632
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2025-53148"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T18:15:39Z",
"severity": "MODERATE"
},
"details": "Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.",
"id": "GHSA-gcpc-qq7m-v632",
"modified": "2025-08-12T18:31:31Z",
"published": "2025-08-12T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53148"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53148"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GFRM-669R-42X9
Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-13 18:30Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2025-29958"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T17:15:55Z",
"severity": "MODERATE"
},
"details": "Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.",
"id": "GHSA-gfrm-669r-42x9",
"modified": "2025-05-13T18:30:54Z",
"published": "2025-05-13T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29958"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29958"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GG2H-7M29-P3RH
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host.
{
"affected": [],
"aliases": [
"CVE-2018-6981"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-04T14:29:00Z",
"severity": "HIGH"
},
"details": "VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host.",
"id": "GHSA-gg2h-7m29-p3rh",
"modified": "2022-05-13T01:04:00Z",
"published": "2022-05-13T01:04:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6981"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2018-0027.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105881"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042054"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042055"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.