
CWE-908

Use of Uninitialized Resource

Abstraction: Base
Status: Incomplete

Description

The product uses or accesses a resource that has not been initialized.

When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.

Parent Weaknesses (ChildOf)

Common Consequences

Scope: Confidentiality
Impact: Read Memory, Read Application Data

Scope: Availability
Impact: DoS: Crash, Exit, or Restart

Potential Mitigations

Phase: Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Phase: Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Phase: Implementation

Avoid race conditions (CWE-362) during initialization routines.

Phase: Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.
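As an added illustration that is not part of the CWE entry itself, the following C code puts a vulnerable parser next to its hardened form: in the first, the caller's output struct is written only on some branches of the conditional, so an unknown record kind leaves stale memory behind; in the second, every output is defined before the first branch, as the first two mitigations recommend. The record layout, the two input buffers and the self-check are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

struct record { uint32_t id; uint32_t flags; char label[16]; }; /* constructed layout */

/* Vulnerable pattern (CWE-908): 'label' is never written and 'flags' only on one
 * branch, so a caller that copies or logs '*out' exposes stale memory. Compilers do
 * not warn here because '*out' is not a local. Shown for comparison; never called. */
int parse_record_vulnerable(const uint8_t *buf, size_t len, struct record *out)
{
    if (len >= 1 && buf[0] == 1) {
        out->id = 1;
        out->flags = 0;
        return 0;
    }
    if (len >= 5 && buf[0] == 2) {
        memcpy(&out->id, buf + 1, sizeof out->id);
        return 0;                             /* flags never assigned on this branch */
    }
    return -1;                                /* id, flags, label left as the caller had them */
}

/* Hardened form: every output is defined before the first conditional, so a forgotten
 * branch cannot leave anything indeterminate and copying '*out' out cannot leak memory. */
int parse_record(const uint8_t *buf, size_t len, struct record *out)
{
    int rc = -1;                              /* default: failure */
    memset(out, 0, sizeof *out);              /* whole struct defined up front */
    if (len >= 1 && buf[0] == 1) {
        out->id = 1;
        rc = 0;
    } else if (len >= 5 && buf[0] == 2) {
        memcpy(&out->id, buf + 1, sizeof out->id);
        rc = 0;
    }
    return rc;                                /* always 0 or -1 */
}

/* Self-check: 1 if the hardened parser leaves no field of '*out' undefined. */
int parse_record_selfcheck(void)
{
    const uint8_t unknown[] = { 9, 1, 2, 3, 4 };             /* constructed inputs */
    const uint8_t kind2[]   = { 2, 0x78, 0x56, 0x34, 0x12 };
    struct record r;
    memset(&r, 0xAA, sizeof r);               /* stand-in for stale memory */
    if (parse_record(unknown, sizeof unknown, &r) != -1) return 0;
    if (r.id != 0 || r.flags != 0 || r.label[0] != 0) return 0;
    if (parse_record(kind2, sizeof kind2, &r) != 0) return 0;
    return r.flags == 0 && r.label[15] == 0 && r.id != 0;
}
```

The compiler warnings from the last mitigation catch uninitialized locals but not a caller-supplied struct that is only partly written, which is why the hardened form clears the whole struct up front; dynamic tools such as MemorySanitizer flag such stale bytes only when they are later used.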

Observed Examples

CVE-2019-9805

Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.

CVE-2008-4197

Use of uninitialized memory may allow code execution.

CVE-2008-2934

Free of an uninitialized pointer leads to crash and possible code execution.

CVE-2008-0063

Product does not clear memory contents when generating an error message, leading to information leak.

CVE-2008-0062

Lack of initialization triggers NULL pointer dereference or double-free.

CVE-2008-0081

Uninitialized variable leads to code execution in popular desktop application.

CVE-2008-3688

Chain: Uninitialized variable leads to infinite loop.

CVE-2008-3475

Chain: Improper initialization leads to memory corruption.

CVE-2005-1036

Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap.

CVE-2008-3597

Chain: game server can access player data structures before initialization has happened, leading to NULL dereference.

Applicable Platforms

Not Language-Specific
