Common Weakness Enumeration

CWE-665

Discouraged

Improper Initialization

Abstraction: Class · Status: Draft

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

425 vulnerabilities reference this CWE, most recent first.

GHSA-H22V-XV8R-CG6P

Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-03-02 15:30
VLAI
Details

Improper initialization in the Intel(R) Battery Life Diagnostic Tool software before version 2.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-16T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper initialization in the Intel(R) Battery Life Diagnostic Tool software before version 2.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-h22v-xv8r-cg6p",
  "modified": "2023-03-02T15:30:17Z",
  "published": "2023-02-16T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34153"
    },
    {
      "type": "WEB",
      "url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00726.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2Q3-VXXV-25RG

Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2022-01-14 00:02
VLAI
Details

The eID module has a vulnerability that causes the memory to be used without being initialized,Successful exploitation of this vulnerability may affect data confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-10T14:10:00Z",
    "severity": "HIGH"
  },
  "details": "The eID module has a vulnerability that causes the memory to be used without being initialized,Successful exploitation of this vulnerability may affect data confidentiality.",
  "id": "GHSA-h2q3-vxxv-25rg",
  "modified": "2022-01-14T00:02:48Z",
  "published": "2022-01-11T00:01:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40025"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202201-0000001238736331"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H43V-FH8Q-W87R

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2023-05-22 21:30
VLAI
Details

A vulnerability in the Link Layer Discovery Protocol (LLDP) message parser of Cisco IOS Software and Cisco IOS XE Software could allow an attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improper initialization of a buffer. An attacker could exploit this vulnerability via any of the following methods: An authenticated, remote attacker could access the LLDP neighbor table via either the CLI or SNMP while the device is in a specific state. An unauthenticated, adjacent attacker could corrupt the LLDP neighbor table by injecting specific LLDP frames into the network and then waiting for an administrator of the device or a network management system (NMS) managing the device to retrieve the LLDP neighbor table of the device via either the CLI or SNMP. An authenticated, adjacent attacker with SNMP read-only credentials or low privileges on the device CLI could corrupt the LLDP neighbor table by injecting specific LLDP frames into the network and then accessing the LLDP neighbor table via either the CLI or SNMP. A successful exploit could allow the attacker to cause the affected device to crash, resulting in a reload of the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-456",
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-23T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Link Layer Discovery Protocol (LLDP) message parser of Cisco IOS Software and Cisco IOS XE Software could allow an attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improper initialization of a buffer. An attacker could exploit this vulnerability via any of the following methods: An authenticated, remote attacker could access the LLDP neighbor table via either the CLI or SNMP while the device is in a specific state. An unauthenticated, adjacent attacker could corrupt the LLDP neighbor table by injecting specific LLDP frames into the network and then waiting for an administrator of the device or a network management system (NMS) managing the device to retrieve the LLDP neighbor table of the device via either the CLI or SNMP. An authenticated, adjacent attacker with SNMP read-only credentials or low privileges on the device CLI could corrupt the LLDP neighbor table by injecting specific LLDP frames into the network and then accessing the LLDP neighbor table via either the CLI or SNMP. A successful exploit could allow the attacker to cause the affected device to crash, resulting in a reload of the device.",
  "id": "GHSA-h43v-fh8q-w87r",
  "modified": "2023-05-22T21:30:22Z",
  "published": "2022-05-24T19:15:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34703"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lldp-dos-sBnuHSjT"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4WC-P3WJ-466Q

Vulnerability from github – Published: 2023-04-17 21:30 – Updated: 2024-04-04 03:31
VLAI
Details

A malicious actor may convince a victim to open a malicious USD file that may trigger an uninitialized variable which may result in code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-17T21:15:07Z",
    "severity": "HIGH"
  },
  "details": "A malicious actor may convince a victim to open a malicious USD file that may trigger an uninitialized variable which may result in code execution.",
  "id": "GHSA-h4wc-p3wj-466q",
  "modified": "2024-04-04T03:31:03Z",
  "published": "2023-04-17T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25010"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4XP-387R-72M5

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-20 00:00
VLAI
Details

Improper initialization for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper initialization for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-h4xp-387r-72m5",
  "modified": "2022-08-20T00:00:38Z",
  "published": "2022-08-19T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23223"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00621.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H5WQ-R2R3-29GW

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-12T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, aka \"Windows Kernel Information Disclosure Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-0960, CVE-2018-0968, CVE-2018-0969, CVE-2018-0970, CVE-2018-0971, CVE-2018-0972, CVE-2018-0973, CVE-2018-0974, CVE-2018-0975.",
  "id": "GHSA-h5wq-r2r3-29gw",
  "modified": "2022-05-13T01:18:35Z",
  "published": "2022-05-13T01:18:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0887"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0887"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103629"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H666-G8CV-Q5JV

Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52
VLAI
Details

A memory initialization issue was addressed with improved memory handling. This issue affected versions prior to macOS Mojave 10.14.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-03T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A memory initialization issue was addressed with improved memory handling. This issue affected versions prior to macOS Mojave 10.14.",
  "id": "GHSA-h666-g8cv-q5jv",
  "modified": "2022-05-13T01:52:40Z",
  "published": "2022-05-13T01:52:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4351"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT209139"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H6C2-FRM7-53HM

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-10T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.",
  "id": "GHSA-h6c2-frm7-53hm",
  "modified": "2022-05-13T01:33:31Z",
  "published": "2022-05-13T01:33:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1118"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2948"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3083"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3096"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-1118"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1573699"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1118"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3762-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3762-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H752-H62F-W8J9

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-19T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR",
  "id": "GHSA-h752-h62f-w8j9",
  "modified": "2022-05-13T01:14:07Z",
  "published": "2022-05-13T01:14:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20023"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-033-libvnc-memory-leak"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201908-05"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3877-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4547-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4587-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4383"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H7FR-P7XW-3G9Q

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117871

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-10T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117871",
  "id": "GHSA-h7fr-p7xw-3g9q",
  "modified": "2022-05-24T17:44:10Z",
  "published": "2022-05-24T17:44:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0451"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.