CWE-457
AllowedUse of Uninitialized Variable
Abstraction: Variant · Status: Draft
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
298 vulnerabilities reference this CWE, most recent first.
GHSA-VVWW-6FQH-6JVQ
Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-05-13 12:31A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.
{
"affected": [],
"aliases": [
"CVE-2025-40575"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T10:15:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions). Affected devices do not properly validate incoming Profinet packets.\nAn unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd\nprocess.",
"id": "GHSA-vvww-6fqh-6jvq",
"modified": "2025-05-13T12:31:36Z",
"published": "2025-05-13T12:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40575"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-327438.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W5HH-7XRP-WMV3
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-07 01:05Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-7972"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T19:16:48Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-w5hh-7xrp-wmv3",
"modified": "2026-05-07T01:05:52Z",
"published": "2026-05-06T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7972"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/497546281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W669-6JC5-CG7F
Vulnerability from github – Published: 2026-06-09 00:33 – Updated: 2026-06-09 03:31Uninitialized Use in Codecs in Google Chrome on Linux, ChromeOS prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted video file. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-11668"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T00:16:49Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in Codecs in Google Chrome on Linux, ChromeOS prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted video file. (Chromium security severity: High)",
"id": "GHSA-w669-6jc5-cg7f",
"modified": "2026-06-09T03:31:39Z",
"published": "2026-06-09T00:33:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11668"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/515419790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W6XP-GC2W-28HX
Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2025-11-04 00:30IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service. IBM X-Force ID: 287318.
{
"affected": [],
"aliases": [
"CVE-2024-31874"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T16:15:15Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service. IBM X-Force ID: 287318.",
"id": "GHSA-w6xp-gc2w-28hx",
"modified": "2025-11-04T00:30:48Z",
"published": "2024-04-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31874"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/287318"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7147932"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W7CM-FH2F-3JPH
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 03:35Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-13958"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:09Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-w7cm-fh2f-3jph",
"modified": "2026-07-01T03:35:23Z",
"published": "2026-07-01T00:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13958"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513567306"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WG9W-JQP9-M5G6
Vulnerability from github – Published: 2024-08-06 00:31 – Updated: 2024-08-06 00:31oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.
The specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
{
"affected": [],
"aliases": [
"CVE-2024-7541"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T00:15:35Z",
"severity": "LOW"
},
"details": "oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability.\n\nThe specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308.",
"id": "GHSA-wg9w-jqp9-m5g6",
"modified": "2024-08-06T00:31:20Z",
"published": "2024-08-06T00:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7541"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1081"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHPX-MF6C-FQ99
Vulnerability from github – Published: 2026-02-16 15:32 – Updated: 2026-02-16 15:32A Use of Uninitialized Variable vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file.
{
"affected": [],
"aliases": [
"CVE-2026-1333"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-16T14:16:18Z",
"severity": "HIGH"
},
"details": "A Use of Uninitialized Variable vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file.",
"id": "GHSA-whpx-mf6c-fq99",
"modified": "2026-02-16T15:32:47Z",
"published": "2026-02-16T15:32:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1333"
},
{
"type": "WEB",
"url": "https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPP5-CX9W-2RCJ
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 03:35Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-14051"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:17Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-wpp5-cx9w-2rcj",
"modified": "2026-07-01T03:35:23Z",
"published": "2026-07-01T00:34:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14051"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/501747804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WR75-C4VC-PMXM
Vulnerability from github – Published: 2025-03-13 18:32 – Updated: 2025-08-19 15:31A maliciously crafted CATPRODUCT file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2025-1650"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-13T17:15:35Z",
"severity": "HIGH"
},
"details": "A maliciously crafted CATPRODUCT file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.",
"id": "GHSA-wr75-c4vc-pmxm",
"modified": "2025-08-19T15:31:19Z",
"published": "2025-03-13T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1650"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/products/autodesk-access/overview"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X6QM-4C7W-8WM7
Vulnerability from github – Published: 2024-08-15 21:31 – Updated: 2024-09-11 15:31In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.
{
"affected": [],
"aliases": [
"CVE-2024-7868"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T21:15:18Z",
"severity": "LOW"
},
"details": "In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.",
"id": "GHSA-x6qm-4c7w-8wm7",
"modified": "2024-09-11T15:31:11Z",
"published": "2024-08-15T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7868"
},
{
"type": "WEB",
"url": "https://www.xpdfreader.com/security-bug/CVE-2024-7868.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-57
Strategy: Attack Surface Reduction
Ensure that critical variables are initialized before first use [REF-1485].
Mitigation
Strategy: Compilation or Build Hardening
Most compilers will complain about the use of uninitialized variables if warnings are turned on.
Mitigation
When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
Mitigation
Strategy: Language Selection
Choose a language that is not susceptible to these issues.
Mitigation
Mitigating technologies such as safe string libraries and container abstractions could be introduced.
No CAPEC attack patterns related to this CWE.