CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-8V67-H8JW-J3R2
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:00When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
{
"affected": [],
"aliases": [
"CVE-2019-11038"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T00:15:00Z",
"severity": "MODERATE"
},
"details": "When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.",
"id": "GHSA-8v67-h8jw-j3r2",
"modified": "2024-04-04T01:00:52Z",
"published": "2022-05-24T16:48:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11038"
},
{
"type": "WEB",
"url": "https://github.com/libgd/libgd/issues/501"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4529"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4316-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4316-1"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Sep/38"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00003.html"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1140120"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1140118"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1724432"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1724149"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=77973"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8V7X-4VVG-PGR3
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails
Commit 5e42bcbc3fef ("cxl/region: decrement ->nr_targets on error in cxl_region_attach()") tried to avoid 'eiw' initialization errors when ->nr_targets exceeded 16, by just decrementing ->nr_targets when cxl_region_setup_targets() failed.
Commit 86987c766276 ("cxl/region: Cleanup target list on attach error") extended that cleanup to also clear cxled->pos and p->targets[pos]. The initialization error was incidentally fixed separately by: Commit 8d4285425714 ("cxl/region: Fix port setup uninitialized variable warnings") which was merged a few days after 5e42bcbc3fef.
But now the original cleanup when cxl_region_setup_targets() fails prevents endpoint and switch decoder resources from being reused:
1) the cleanup does not set the decoder's region to NULL, which results in future dpa_size_store() calls returning -EBUSY 2) the decoder is not properly freed, which results in future commit errors associated with the upstream switch
Now that the initialization errors were fixed separately, the proper cleanup for this case is to just return immediately. Then the resources associated with this target get cleanup up as normal when the failed region is deleted.
The ->nr_targets decrement in the error case also helped prevent a p->targets[] array overflow, so add a new check to prevent against that overflow.
Tested by trying to create an invalid region for a 2 switch * 2 endpoint topology, and then following up with creating a valid region.
{
"affected": [],
"aliases": [
"CVE-2023-52792"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Do not try to cleanup after cxl_region_setup_targets() fails\n\nCommit 5e42bcbc3fef (\"cxl/region: decrement -\u003enr_targets on error in\ncxl_region_attach()\") tried to avoid \u0027eiw\u0027 initialization errors when\n-\u003enr_targets exceeded 16, by just decrementing -\u003enr_targets when\ncxl_region_setup_targets() failed.\n\nCommit 86987c766276 (\"cxl/region: Cleanup target list on attach error\")\nextended that cleanup to also clear cxled-\u003epos and p-\u003etargets[pos]. The\ninitialization error was incidentally fixed separately by:\nCommit 8d4285425714 (\"cxl/region: Fix port setup uninitialized variable\nwarnings\") which was merged a few days after 5e42bcbc3fef.\n\nBut now the original cleanup when cxl_region_setup_targets() fails\nprevents endpoint and switch decoder resources from being reused:\n\n1) the cleanup does not set the decoder\u0027s region to NULL, which results\n in future dpa_size_store() calls returning -EBUSY\n2) the decoder is not properly freed, which results in future commit\n errors associated with the upstream switch\n\nNow that the initialization errors were fixed separately, the proper\ncleanup for this case is to just return immediately. Then the resources\nassociated with this target get cleanup up as normal when the failed\nregion is deleted.\n\nThe -\u003enr_targets decrement in the error case also helped prevent\na p-\u003etargets[] array overflow, so add a new check to prevent against\nthat overflow.\n\nTested by trying to create an invalid region for a 2 switch * 2 endpoint\ntopology, and then following up with creating a valid region.",
"id": "GHSA-8v7x-4vvg-pgr3",
"modified": "2025-09-23T21:30:53Z",
"published": "2024-05-21T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52792"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0718588c7aaa7a1510b4de972370535b61dddd0d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07ffcd8ec79cf7383e1e45815f4842fd357991c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9090c5537c93cd0811ab7bfbd925b57addfffb60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90db4c1d5ebaf574d3c3065c055977982c378a83"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WH8-CR52-WJ57
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
Syzbot reported the following information leak for in btrfs_ioctl_logical_to_ino():
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x110 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at: __kmalloc_large_node+0x231/0x370 mm/slub.c:3921 __do_kmalloc_node mm/slub.c:3954 [inline] __kmalloc_node+0xb07/0x1060 mm/slub.c:3973 kmalloc_node include/linux/slab.h:648 [inline] kvmalloc_node+0xc0/0x2d0 mm/util.c:634 kvmalloc include/linux/slab.h:766 [inline] init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779 btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480 btrfs_ioctl+0x714/0x1260 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890 __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890 x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Bytes 40-65535 of 65536 are uninitialized Memory access of size 65536 starts at ffff888045a40000
This happens, because we're copying a 'struct btrfs_data_container' back to user-space. This btrfs_data_container is allocated in 'init_data_container()' via kvmalloc(), which does not zero-fill the memory.
Fix this by using kvzalloc() which zeroes out the memory on allocation.
{
"affected": [],
"aliases": [
"CVE-2024-35849"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:21Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we\u0027re copying a \u0027struct btrfs_data_container\u0027 back\nto user-space. This btrfs_data_container is allocated in\n\u0027init_data_container()\u0027 via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.",
"id": "GHSA-8wh8-cr52-wj57",
"modified": "2026-05-12T12:31:47Z",
"published": "2024-05-17T15:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8XPM-GR22-C94J
Vulnerability from github – Published: 2024-05-15 15:30 – Updated: 2024-05-15 15:30ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity
{
"affected": [],
"aliases": [
"CVE-2023-6324"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-15T13:15:26Z",
"severity": "HIGH"
},
"details": "ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity",
"id": "GHSA-8xpm-gr22-c94j",
"modified": "2024-05-15T15:30:33Z",
"published": "2024-05-15T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6324"
},
{
"type": "WEB",
"url": "https://bitdefender.com/blog/labs/notes-on-throughtek-kalay-vulnerabilities-and-their-impact"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-926H-7QF4-C3HQ
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-12-15 18:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix iteration of extrefs during log replay
At __inode_add_ref() when processing extrefs, if we jump into the next label we have an undefined value of victim_name.len, since we haven't initialized it before we did the goto. This results in an invalid memory access in the next iteration of the loop since victim_name.len was not initialized to the length of the name of the current extref.
Fix this by initializing victim_name.len with the current extref's name length.
{
"affected": [],
"aliases": [
"CVE-2025-38382"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T13:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix iteration of extrefs during log replay\n\nAt __inode_add_ref() when processing extrefs, if we jump into the next\nlabel we have an undefined value of victim_name.len, since we haven\u0027t\ninitialized it before we did the goto. This results in an invalid memory\naccess in the next iteration of the loop since victim_name.len was not\ninitialized to the length of the name of the current extref.\n\nFix this by initializing victim_name.len with the current extref\u0027s name\nlength.",
"id": "GHSA-926h-7qf4-c3hq",
"modified": "2025-12-15T18:30:16Z",
"published": "2025-07-25T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38382"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d11d274e2e1d7c79e2ca8461ce3ff3a95c11171"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/539969fc472886a1d63565459514d47e27fef461"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54a7081ed168b72a8a2d6ef4ba3a1259705a2926"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7ac790dc2ba00499a8d671d4a24de4d4ad27e234"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aee57a0293dca675637e5504709f9f8fd8e871be"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9388-WJ96-7GX7
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30In ~AACExtractor() of AACExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-142641801
{
"affected": [],
"aliases": [
"CVE-2020-0411"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-14T14:15:00Z",
"severity": "MODERATE"
},
"details": "In ~AACExtractor() of AACExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-142641801",
"id": "GHSA-9388-wj96-7gx7",
"modified": "2022-05-24T17:30:38Z",
"published": "2022-05-24T17:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0411"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-10-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-93QQ-4VH3-3VM5
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use of uninitialized resource in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2026-50455"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:50Z",
"severity": "MODERATE"
},
"details": "Use of uninitialized resource in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.",
"id": "GHSA-93qq-4vh3-3vm5",
"modified": "2026-07-14T18:32:24Z",
"published": "2026-07-14T18:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50455"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50455"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-94HX-Q75X-2Q84
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
pNFS: Fix uninited ptr deref in block/scsi layout
The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers.
An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server.
During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again.
{
"affected": [],
"aliases": [
"CVE-2025-38691"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npNFS: Fix uninited ptr deref in block/scsi layout\n\nThe error occurs on the third attempt to encode extents. When function\next_tree_prepare_commit() reallocates a larger buffer to retry encoding\nextents, the \"layoutupdate_pages\" page array is initialized only after the\nretry loop. But ext_tree_free_commitdata() is called on every iteration\nand tries to put pages in the array, thus dereferencing uninitialized\npointers.\n\nAn additional problem is that there is no limit on the maximum possible\nbuffer_size. When there are too many extents, the client may create a\nlayoutcommit that is larger than the maximum possible RPC size accepted\nby the server.\n\nDuring testing, we observed two typical scenarios. First, one memory page\nfor extents is enough when we work with small files, append data to the\nend of the file, or preallocate extents before writing. But when we fill\na new large file without preallocating, the number of extents can be huge,\nand counting the number of written extents in ext_tree_encode_commit()\ndoes not help much. Since this number increases even more between\nunlocking and locking of ext_tree, the reallocated buffer may not be\nlarge enough again and again.",
"id": "GHSA-94hx-q75x-2q84",
"modified": "2026-05-12T15:30:59Z",
"published": "2025-09-05T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38691"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/24334f3cf8a294f253071b5bf22d754dbb6d0f2d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2896f101110076ac6bf99d7aaf463d61e26f89dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/37c3443a2685528f972d910a6fb87716b96fef46"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4f783333cbfa2ee7d4aa8e47f6bd1b3f77534fcf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/579b85f893d9885162e1cabf99a4a088916e143e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94ec6d939031a616474376dadbf4a8d0ef8b0bcc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9768797c219326699778fba9cd3b607b2f1e7950"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9be5c04beca3202d0a5f09fb4b2ecb644caa0bc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0b2eee3fbba9b7e3746ef698424ef5e4a197776"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-952C-2CX9-GV4R
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-11-24 21:30In the Linux kernel, the following vulnerability has been resolved:
udf: Fix uninitialized array access for some pathnames
For filenames that begin with . and are between 2 and 5 characters long, UDF charset conversion code would read uninitialized memory in the output buffer. The only practical impact is that the name may be prepended a "unification hash" when it is not actually needed but still it is good to fix this.
{
"affected": [],
"aliases": [
"CVE-2023-53165"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix uninitialized array access for some pathnames\n\nFor filenames that begin with . and are between 2 and 5 characters long,\nUDF charset conversion code would read uninitialized memory in the\noutput buffer. The only practical impact is that the name may be prepended a\n\"unification hash\" when it is not actually needed but still it is good\nto fix this.",
"id": "GHSA-952c-2cx9-gv4r",
"modified": "2025-11-24T21:30:57Z",
"published": "2025-09-15T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53165"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/008ae78d1e12efa904dc819b1ec83e2bca6b2c56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/028f6055c912588e6f72722d89c30b401bbcf013"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f1368af47acf4d0b2a5fb0d2c0d6919d2234b6d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4503f6fc95d6dee85fb2c54785848799e192c51c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d50988da0db167aed6f38685145cb5cd526c4f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/985f9666698960dfc87a106d6314203fa90fda75"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6824149809395dfbb5bc36bc7057cc3cb84e56d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b37f998d357102e8eb0f8eeb33f03fff22e49cbf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9548-JJM6-2WMW
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.
{
"affected": [],
"aliases": [
"CVE-2016-0821"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-03-12T21:59:00Z",
"severity": "MODERATE"
},
"details": "The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636.",
"id": "GHSA-9548-jjm6-2wmw",
"modified": "2022-05-13T01:04:11Z",
"published": "2022-05-13T01:04:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0821"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8a5e5e02fc83aaf67053ab53b359af08c6c49aaf"
},
{
"type": "WEB",
"url": "http://source.android.com/security/bulletin/2016-03-01.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3607"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/05/02/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/84260"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2967-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2967-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2968-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2968-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2969-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2970-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2971-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2971-2"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2971-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.