Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

GHSA-6JFC-JV5M-VXV3

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-20 00:02
VLAI
Details

In sec_SHA256_Transform of sha256_core.c, there is a possible way to read heap data due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-197965864References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In sec_SHA256_Transform of sha256_core.c, there is a possible way to read heap data due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-197965864References: N/A",
  "id": "GHSA-6jfc-jv5m-vxv3",
  "modified": "2022-01-20T00:02:08Z",
  "published": "2022-01-15T00:01:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39680"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6JW3-XMJ9-QVCW

Vulnerability from github – Published: 2023-12-15 00:31 – Updated: 2023-12-15 00:31
VLAI
Details

The first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1279",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-14T23:15:07Z",
    "severity": "MODERATE"
  },
  "details": "\n\n\nThe first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access.\n\n \n\n",
  "id": "GHSA-6jw3-xmj9-qvcw",
  "modified": "2023-12-15T00:31:03Z",
  "published": "2023-12-15T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SiliconLabs/gecko_sdk"
    },
    {
      "type": "WEB",
      "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000buWj0QAE?operationContext=S1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6M3J-PCG3-CX2R

Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30
VLAI
Details

Vulnerability of variables not being initialized in the notification module Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T03:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability of variables not being initialized in the notification module\nImpact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-6m3j-pcg3-cx2r",
  "modified": "2025-01-08T03:30:24Z",
  "published": "2025-01-08T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56446"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6PW8-5P8J-M67X

Vulnerability from github – Published: 2023-04-13 00:30 – Updated: 2024-04-04 03:25
VLAI
Details

An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall's endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-12T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in SecurePoint UTM before 12.2.5.1. The firewall\u0027s endpoint at /spcgi.cgi allows information disclosure of memory contents to be achieved by an authenticated user. Essentially, uninitialized data can be retrieved via an approach in which a sessionid is obtained but not used.",
  "id": "GHSA-6pw8-5p8j-m67x",
  "modified": "2024-04-04T03:25:44Z",
  "published": "2023-04-13T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2023-22897.txt"
    },
    {
      "type": "WEB",
      "url": "https://rcesecurity.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/171928/SecurePoint-UTM-12.x-Memory-Leak.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Apr/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6Q37-HH76-6RV4

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00
VLAI
Details

A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.",
  "id": "GHSA-6q37-hh76-6rv4",
  "modified": "2022-09-08T00:00:30Z",
  "published": "2022-09-02T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2308"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6V28-C2X2-8P46

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc() to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is misinterpreted by Buffer's internal "fill" method as the start to a fill operation. This flaw may be abused where Buffer.alloc() arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-21T12:29:00Z",
    "severity": "HIGH"
  },
  "details": "In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer\u0027s` internal \"fill\" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.",
  "id": "GHSA-6v28-c2x2-8p46",
  "modified": "2022-05-13T01:16:08Z",
  "published": "2022-05-13T01:16:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7166"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2553"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/august-2018-security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W5Q-CG43-PM5X

Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2024-04-04 04:52
VLAI
Details

In readSampleData of NuMediaExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-275418191

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-15T19:15:09Z",
    "severity": "HIGH"
  },
  "details": "In readSampleData of NuMediaExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-275418191",
  "id": "GHSA-6w5q-cg43-pm5x",
  "modified": "2024-04-04T04:52:21Z",
  "published": "2023-06-15T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21127"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WH2-MPVP-28Q3

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01
VLAI
Details

An exploitable uninitialized variable vulnerability exists in the RTF-parsing functionality of Atlantis Word Processor 3.2.6 version. A specially crafted RTF file can leverage an uninitialized stack address, resulting in an out-of-bounds write, which in turn could lead to code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3975"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-01T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable uninitialized variable vulnerability exists in the RTF-parsing functionality of Atlantis Word Processor 3.2.6 version. A specially crafted RTF file can leverage an uninitialized stack address, resulting in an out-of-bounds write, which in turn could lead to code execution.",
  "id": "GHSA-6wh2-mpvp-28q3",
  "modified": "2022-05-13T01:01:49Z",
  "published": "2022-05-13T01:01:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3975"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0641"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WP2-FW3V-MFMC

Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2021-08-24 18:54
VLAI
Summary
Memory corruption in array-tools
Details

An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don't guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone() panics in FixedCapacityDequeLike<T, A>::clone(). This causes memory corruption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "array-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908",
      "CWE-909"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:24:55Z",
    "nvd_published_at": "2021-08-08T06:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don\u0027t guard against panics, so that partially uninitialized buffer is dropped when user-provided `T::clone()` panics in `FixedCapacityDequeLike\u003cT, A\u003e::clone()`. This causes memory corruption.\n",
  "id": "GHSA-6wp2-fw3v-mfmc",
  "modified": "2021-08-24T18:54:26Z",
  "published": "2021-08-25T20:57:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/L117/array-tools/issues/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/L117/array-tools"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/array-tools/RUSTSEC-2020-0132.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0132.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Memory corruption in array-tools"
}

GHSA-6X3J-FQGG-3HQR

Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-26 00:03
VLAI
Details

In PVRSRVBridgeHeapCfgHeapDetails, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848165

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-24T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In PVRSRVBridgeHeapCfgHeapDetails, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848165",
  "id": "GHSA-6x3j-fqgg-3hqr",
  "modified": "2022-08-26T00:03:34Z",
  "published": "2022-08-25T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0698"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.