CWE-665
Improper Initialization
Description
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Read Memory, Read Application Data
Scope
Impact
Bypass Protection Mechanism
Scope
Impact
DoS: Crash, Exit, or Restart
Potential Mitigations
Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Avoid race conditions (CWE-362) during initialization routines.
Run or compile your product with settings that generate warnings about uninitialized variables or data.
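The authentication-flag case from the description, combined with the conditional-initialization mitigation above, as an added example that is not part of the CWE entry. It assumes a hypothetical one-slot session pool and a hypothetical password check; all names and credentials are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: one session slot that is reused for every login. */
struct session {
    char user[16];
    int  authenticated;   /* must be 1 only after a successful check */
};

static struct session slot;   /* hypothetical pool of size one */

/* Hypothetical credential check used only for this demonstration. */
static int password_ok(const char *user, const char *pw) {
    return strcmp(user, "alice") == 0 && strcmp(pw, "correct-horse") == 0;
}

/* Weak: the flag is written only on the success branch, so on failure the
 * slot keeps whatever the previous login left in it. */
int login_weak(const char *user, const char *pw) {
    struct session *s = &slot;
    snprintf(s->user, sizeof s->user, "%s", user);
    if (password_ok(user, pw))
        s->authenticated = 1;
    return s->authenticated;
}

/* Hardened: reset the whole resource to a fail-closed state before use,
 * then assign the flag on every path. */
int login_fixed(const char *user, const char *pw) {
    struct session *s = &slot;
    memset(s, 0, sizeof *s);
    snprintf(s->user, sizeof s->user, "%s", user);
    s->authenticated = password_ok(user, pw) ? 1 : 0;
    return s->authenticated;
}

int main(void) {
    login_weak("alice", "correct-horse");            /* legitimate login */
    printf("weak,  bad password: %d\n", login_weak("mallory", "guess"));
    printf("fixed, bad password: %d\n", login_fixed("mallory", "guess"));
    return 0;
}
```

Compiler warnings about uninitialized variables do not flag `login_weak`, because the slot was initialized once at program start; the defect is the missing re-initialization on reuse, which code review or a test like the one in `main` has to catch.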
CVE-2001-1471: chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection.
CVE-2008-3637: Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution.
CVE-2008-4197: Use of uninitialized memory may allow code execution.
CVE-2008-2934: Free of an uninitialized pointer leads to crash and possible code execution.
CVE-2007-3749: OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges.
CVE-2008-0063: Product does not clear memory contents when generating an error message, leading to information leak.
CVE-2008-0062: Lack of initialization triggers NULL pointer dereference or double-free.
CVE-2008-0081: Uninitialized variable leads to code execution in popular desktop application.
CVE-2008-3688: chain: Uninitialized variable leads to infinite loop.
CVE-2008-3475: chain: Improper initialization leads to memory corruption.
Applicable Platforms