Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

GHSA-6X6V-877J-V9FV

Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2026-01-09 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix KMSAN uninit-value in extent_info usage

KMSAN reported a use of uninitialized value in __is_extent_mergeable() and __is_back_mergeable() via the read extent tree path.

The root cause is that get_read_extent_info() only initializes three fields (fofs, blk, len) of struct extent_info, leaving the remaining fields uninitialized. This leads to undefined behavior when those fields are accessed later, especially during extent merging.

Fix it by zero-initializing the extent_info struct before population.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:35Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix KMSAN uninit-value in extent_info usage\n\nKMSAN reported a use of uninitialized value in `__is_extent_mergeable()`\n and `__is_back_mergeable()` via the read extent tree path.\n\nThe root cause is that `get_read_extent_info()` only initializes three\nfields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the\nremaining fields uninitialized. This leads to undefined behavior\nwhen those fields are accessed later, especially during\nextent merging.\n\nFix it by zero-initializing the `extent_info` struct before population.",
  "id": "GHSA-6x6v-877j-v9fv",
  "modified": "2026-01-09T15:30:22Z",
  "published": "2025-08-19T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38579"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01b6f5955e0008af6bc3a181310d2744bb349800"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08e8ab00a6d20d5544c932ee85a297d833895141"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/154467f4ad033473e5c903a03e7b9bca7df9a0fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44a79437309e0ee2276ac17aaedc71253af253a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc1615d5aba4f396cf412579928539a2b124c8a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dabfa3952c8e6bfe6414dbf32e8b6c5f349dc898"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e68b751ec2b15d866967812c57cfdfc1eba6a269"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72GM-6QCQ-3XMP

Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-02-03 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

asix: fix uninit-value in asix_mdio_read()

asix_read_cmd() may read less than sizeof(smsr) bytes and in this case smsr will be uninitialized.

Fail log: BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497 asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497 asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T18:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nasix: fix uninit-value in asix_mdio_read()\n\nasix_read_cmd() may read less than sizeof(smsr) bytes and in this case\nsmsr will be uninitialized.\n\nFail log:\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\nBUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\nBUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]\n asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497\n asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497",
  "id": "GHSA-72gm-6qcq-3xmp",
  "modified": "2025-02-03T15:31:59Z",
  "published": "2024-03-04T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47101"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8035b1a2a37a29d8c717ef84fca8fe7278bc9f03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d259f621c85949f30cc578cac813b82bb5169f56"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-743M-W227-WRRF

Vulnerability from github – Published: 2026-01-14 15:33 – Updated: 2026-03-25 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

um: init cpu_tasks[] earlier

This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL.

Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-14T15:16:01Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\num: init cpu_tasks[] earlier\n\nThis is currently done in uml_finishsetup(), but e.g. with\nKCOV enabled we\u0027ll crash because some init code can call\ninto e.g. memparse(), which has coverage annotations, and\nthen the checks in check_kcov_mode() crash because current\nis NULL.\n\nSimply initialize the cpu_tasks[] array statically, which\nfixes the crash. For the later SMP work, it seems to have\nnot really caused any problems yet, but initialize all of\nthe entries anyway.",
  "id": "GHSA-743m-w227-wrrf",
  "modified": "2026-03-25T21:30:22Z",
  "published": "2026-01-14T15:33:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71115"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-764W-CH2J-96HF

Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03
VLAI
Details

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-5165"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-08-12T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.",
  "id": "GHSA-764w-ch2j-96hf",
  "modified": "2022-05-13T01:03:35Z",
  "published": "2022-05-13T01:03:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5165"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1674"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1683"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1718"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1739"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1740"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1793"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1833"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2015-5165"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1248760"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1180-security-advisory-13"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165373.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167792.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167820.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1674.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1683.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1739.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1740.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1793.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1833.html"
    },
    {
      "type": "WEB",
      "url": "http://support.citrix.com/article/CTX201717"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3348"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3349"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/76153"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1033176"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-140.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7676-XQ8C-838G

Vulnerability from github – Published: 2024-11-28 06:32 – Updated: 2025-01-18 00:30
VLAI
Details

In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-28T01:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a\u00a0possible information disclosure due to uninitialized data. This could lead\u00a0to local information disclosure with no additional execution privileges\u00a0needed. User interaction is not needed for exploitation.",
  "id": "GHSA-7676-xq8c-838g",
  "modified": "2025-01-18T00:30:47Z",
  "published": "2024-11-28T06:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9377"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/pixel/2018-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-776Q-X7MF-F2FF

Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower

Avoid potentially crashing in the driver because of uninitialized private data

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: do not pass a stopped vif to the driver in .get_txpower\n\nAvoid potentially crashing in the driver because of uninitialized private data",
  "id": "GHSA-776q-x7mf-f2ff",
  "modified": "2025-11-04T00:31:59Z",
  "published": "2024-11-09T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50237"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/393b6bc174b0dd21bb2a36c13b36e62fc3474a23"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ccf525a73d48e814634847f6d4a6150c6f0dffc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78b698fbf37208ee921ee4cedea75b5d33d6ea9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f6cd4d5bb7406656835a90e4f1a2192607f0c21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0b862aa3dbcd16b3c4715259a825f48ca540088"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2bcbe5450b20641f512d6b26c6b256a5a4f847f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c21efba8b5a86537ccdf43f77536bad02f82776c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee35c423042c9e04079fdee3db545135d609d6ea"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7787-4VJC-4737

Vulnerability from github – Published: 2023-09-14 21:30 – Updated: 2023-11-04 06:34
VLAI
Details

A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-14T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Binutils. The use of an uninitialized field in the struct module *module may lead to application crash and local denial of service.",
  "id": "GHSA-7787-4vjc-4737",
  "modified": "2023-11-04T06:34:05Z",
  "published": "2023-09-14T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25585"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-25585"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167498"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231103-0003"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29892"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78G7-JM5H-PV8Q

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:37Z",
    "severity": "MODERATE"
  },
  "details": "Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.",
  "id": "GHSA-78g7-jm5h-pv8q",
  "modified": "2025-08-12T18:31:31Z",
  "published": "2025-08-12T18:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53138"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78J4-R4GH-XCM9

Vulnerability from github – Published: 2022-07-12 00:00 – Updated: 2024-03-21 03:34
VLAI
Details

softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-11T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.",
  "id": "GHSA-78j4-r4gh-xcm9",
  "modified": "2024-03-21T03:34:15Z",
  "published": "2022-07-12T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35414"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qemu/qemu/commit/3517fb726741c109cae7995f9ea46f0cab6187d6#diff-83c563ed6330dc5d49876f1116e7518b5c16654bbc6e9b4ea8e28f5833d576fcR482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qemu/qemu/commit/3517fb726741c109cae7995f9ea46f0cab6187d6#diff-83c563ed6330dc5d49876f1116e7518b5c16654bbc6e9b4ea8e28f5833d576fcR482.aa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qemu/qemu/blob/f200ff158d5abcb974a6b597a962b6b2fbea2b06/softmmu/physmem.c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qemu/qemu/blob/v7.0.0/include/exec/cpu-all.h#L145-L148"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/qemu-project/qemu/-/issues/1065"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://sick.codes/sick-2022-113"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/qemu-devel%40nongnu.org/msg895266.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/qemu-devel@nongnu.org/msg895266.html"
    },
    {
      "type": "WEB",
      "url": "https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-799F-R78P-GQ9C

Vulnerability from github – Published: 2022-01-06 22:17 – Updated: 2022-01-07 16:22
VLAI
Summary
Use of Uninitialized Resource in acc_reader.
Details

An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. read_up_to may read from uninitialized memory locations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "acc_reader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T18:13:55Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. read_up_to may read from uninitialized memory locations.",
  "id": "GHSA-799f-r78p-gq9c",
  "modified": "2022-01-07T16:22:24Z",
  "published": "2022-01-06T22:17:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netvl/acc_reader/issues/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netvl/acc_reader"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/acc_reader/RUSTSEC-2020-0155.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0155.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Uninitialized Resource in acc_reader."
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.