CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
425 vulnerabilities reference this CWE, most recent first.
GHSA-4PP8-9MJG-PQ9P
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 14.0 and iPadOS 14.0. A local user may be able to read kernel memory.
{
"affected": [],
"aliases": [
"CVE-2020-9964"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 14.0 and iPadOS 14.0. A local user may be able to read kernel memory.",
"id": "GHSA-4pp8-9mjg-pq9p",
"modified": "2022-05-24T17:31:11Z",
"published": "2022-05-24T17:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9964"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT211850"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Nov/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PP9-PCMJ-QJGW
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-10-19 19:00Improper initialization in subsystem for Intel(R) CSME versions before12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 4.0.30 Intel(R) SPS versions before E3_05.01.04.200 may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-8744"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "HIGH"
},
"details": "Improper initialization in subsystem for Intel(R) CSME versions before12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 4.0.30 Intel(R) SPS versions before E3_05.01.04.200 may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-4pp9-pcmj-qjgw",
"modified": "2022-10-19T19:00:25Z",
"published": "2022-05-24T17:34:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8744"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-501073.pdf"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201113-0002"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201113-0004"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201113-0005"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4R96-MM68-CWX7
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43MIMEDefang 2.80 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by the init-script.in and mimedefang-init.in scripts.
{
"affected": [],
"aliases": [
"CVE-2017-14102"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-01T05:29:00Z",
"severity": "HIGH"
},
"details": "MIMEDefang 2.80 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by the init-script.in and mimedefang-init.in scripts.",
"id": "GHSA-4r96-mm68-cwx7",
"modified": "2022-05-13T01:43:19Z",
"published": "2022-05-13T01:43:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14102"
},
{
"type": "WEB",
"url": "http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038077.html"
},
{
"type": "WEB",
"url": "http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038085.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4VJH-72CP-6GMQ
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:30In QTEE, an incorrect fuse value can be blown in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in version MDM9206, MDM9607, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 820, SD 820A, SD 835, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016.
{
"affected": [],
"aliases": [
"CVE-2017-18131"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-06T23:29:00Z",
"severity": "HIGH"
},
"details": "In QTEE, an incorrect fuse value can be blown in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in version MDM9206, MDM9607, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 820, SD 820A, SD 835, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, Snapdragon_High_Med_2016.",
"id": "GHSA-4vjh-72cp-6gmq",
"modified": "2024-04-04T00:30:58Z",
"published": "2022-05-24T16:45:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18131"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4W4V-9F8X-9PV8
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user's private browsing activity may be unexpectedly saved in Screen Time.
{
"affected": [],
"aliases": [
"CVE-2020-9775"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-01T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user\u0027s private browsing activity may be unexpectedly saved in Screen Time.",
"id": "GHSA-4w4v-9f8x-9pv8",
"modified": "2022-05-24T17:13:13Z",
"published": "2022-05-24T17:13:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9775"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT211102"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211100"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4X8V-RCHJ-QVPF
Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2025-11-03 21:30A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-1122"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.",
"id": "GHSA-4x8v-rchj-qvpf",
"modified": "2025-11-03T21:30:39Z",
"published": "2022-03-30T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1122"
},
{
"type": "WEB",
"url": "https://github.com/uclouvain/openjpeg/issues/1368"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:7645"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8207"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-1122"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067052"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MIWSQFQWXDU4MT3XTVAO6HC7TVL3NHS7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RMKBAMK2CAM5TMC5TODKVCE5AAPTD5YV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ROSN5NRUFOH7HGLJ4ZSKPGAKLFXJALW4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIWSQFQWXDU4MT3XTVAO6HC7TVL3NHS7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMKBAMK2CAM5TMC5TODKVCE5AAPTD5YV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROSN5NRUFOH7HGLJ4ZSKPGAKLFXJALW4"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4XHM-W228-Q98H
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0095"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.",
"id": "GHSA-4xhm-w228-q98h",
"modified": "2022-05-24T19:04:28Z",
"published": "2022-05-24T19:04:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0095"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210625-0009"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00463.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-56FG-32QC-V967
Vulnerability from github – Published: 2022-01-20 00:01 – Updated: 2022-01-27 00:03An Improper Initialization vulnerability in Juniper Networks Junos OS Evolved may cause a commit operation for disabling the telnet service to not take effect as expected, resulting in the telnet service staying enabled. When it is not intended to be operating on the device, an administrator can issue the following command to verify whether telnet is operating in the background: user@device > show system connections | grep :23 tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 20879/xinetd This issue affects: Juniper Networks Junos OS Evolved All versions prior to 20.4R2-S2-EVO; 21.1 version 21.1R1-EVO and later versions; 21.2 versions prior to 21.2R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2022-22164"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-19T01:15:00Z",
"severity": "MODERATE"
},
"details": "An Improper Initialization vulnerability in Juniper Networks Junos OS Evolved may cause a commit operation for disabling the telnet service to not take effect as expected, resulting in the telnet service staying enabled. When it is not intended to be operating on the device, an administrator can issue the following command to verify whether telnet is operating in the background: user@device \u003e show system connections | grep :23 tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 20879/xinetd This issue affects: Juniper Networks Junos OS Evolved All versions prior to 20.4R2-S2-EVO; 21.1 version 21.1R1-EVO and later versions; 21.2 versions prior to 21.2R2-EVO.",
"id": "GHSA-56fg-32qc-v967",
"modified": "2022-01-27T00:03:49Z",
"published": "2022-01-20T00:01:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22164"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11272"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-57WQ-CCPJ-F5J9
Vulnerability from github – Published: 2022-05-01 18:16 – Updated: 2024-02-09 03:32The kernel in Apple Mac OS X 10.4 through 10.4.10 does not reset the current Mach Thread Port or Thread Exception Port when executing a setuid program, which allows local users to execute arbitrary code by creating the port before launching the setuid program, then writing to the address space of the setuid process.
{
"affected": [],
"aliases": [
"CVE-2007-3749"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-11-15T01:46:00Z",
"severity": "HIGH"
},
"details": "The kernel in Apple Mac OS X 10.4 through 10.4.10 does not reset the current Mach Thread Port or Thread Exception Port when executing a setuid program, which allows local users to execute arbitrary code by creating the port before launching the setuid program, then writing to the address space of the setuid process.",
"id": "GHSA-57wq-ccpj-f5j9",
"modified": "2024-02-09T03:32:52Z",
"published": "2022-05-01T18:16:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3749"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38466"
},
{
"type": "WEB",
"url": "http://docs.info.apple.com/article.html?artnum=307041"
},
{
"type": "WEB",
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27643"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/26444"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA07-319A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/3868"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58QV-QVF3-F8MP
Vulnerability from github – Published: 2024-03-03 21:31 – Updated: 2025-11-04 21:31p2putil.c in iNet wireless daemon (IWD) through 2.15 allows attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact because of initialization issues in situations where parsing of advertised service information fails.
{
"affected": [],
"aliases": [
"CVE-2024-28084"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-03T21:15:49Z",
"severity": "HIGH"
},
"details": "p2putil.c in iNet wireless daemon (IWD) through 2.15 allows attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact because of initialization issues in situations where parsing of advertised service information fails.",
"id": "GHSA-58qv-qvf3-f8mp",
"modified": "2025-11-04T21:31:15Z",
"published": "2024-03-03T21:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28084"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KSGT4IZ23CJBOQA3AFYEMBJ5OHFZBMK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYRPQ3OLV3GGLUCDYWBHU34DLBLM62XJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KSGT4IZ23CJBOQA3AFYEMBJ5OHFZBMK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYRPQ3OLV3GGLUCDYWBHU34DLBLM62XJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.