Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

GHSA-95W8-3Q3Q-F94X

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Use of uninitialized resource in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:44Z",
    "severity": "HIGH"
  },
  "details": "Use of uninitialized resource in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-95w8-3q3q-f94x",
  "modified": "2025-08-12T18:31:32Z",
  "published": "2025-08-12T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53759"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96F3-QV87-V4W6

Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error

It is possible that ctx in nfqnl_build_packet_message() could be used before it is properly initialize, which is only initialized by nfqnl_get_sk_secctx().

This patch corrects this problem by initializing the lsmctx to a safe value when it is declared.

This is similar to the commit 35fcac7a7c25 ("audit: Initialize lsmctx to avoid memory allocation error").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:16:05Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error\n\nIt is possible that ctx in nfqnl_build_packet_message() could be used\nbefore it is properly initialize, which is only initialized\nby nfqnl_get_sk_secctx().\n\nThis patch corrects this problem by initializing the lsmctx to a safe\nvalue when it is declared.\n\nThis is similar to the commit 35fcac7a7c25\n(\"audit: Initialize lsmctx to avoid memory allocation error\").",
  "id": "GHSA-96f3-qv87-v4w6",
  "modified": "2025-11-03T21:33:38Z",
  "published": "2025-04-16T15:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22110"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/778b09d91baafb13408470c721d034d6515cfa5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddbf7e1d82a1d0c1d3425931a6cb1b83f8454759"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96M2-JM5M-F37F

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 18:31
VLAI
Details

Uninitialized Use in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:13Z",
    "severity": "MODERATE"
  },
  "details": "Uninitialized Use in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-96m2-jm5m-f37f",
  "modified": "2026-06-05T18:31:35Z",
  "published": "2026-06-05T00:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11089"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/500154880"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96RP-HHC3-26CM

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Uninitialized data for socket address leads to information exposure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-11T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Uninitialized data for socket address leads to information exposure.",
  "id": "GHSA-96rp-hhc3-26cm",
  "modified": "2022-05-13T01:18:58Z",
  "published": "2022-05-13T01:18:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12011"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2019/01/07/january-2019-code-aurora-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9783-42PM-X5JQ

Vulnerability from github – Published: 2022-01-06 22:13 – Updated: 2023-06-13 17:22
VLAI
Summary
Use of Uninitialized Resource in csv-sniffer.
Details

Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation (within fn preamble_skipcount()).

Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "csv-sniffer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T17:04:29Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation (within fn preamble_skipcount()).\n\nArbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.",
  "id": "GHSA-9783-42pm-x5jq",
  "modified": "2023-06-13T17:22:23Z",
  "published": "2022-01-06T22:13:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jblondin/csv-sniffer/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jblondin/csv-sniffer/pull/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jblondin/csv-sniffer"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/csv-sniffer/RUSTSEC-2021-0088.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0088.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Uninitialized Resource in csv-sniffer."
}

GHSA-979Q-6JJC-29JH

Vulnerability from github – Published: 2025-07-28 12:30 – Updated: 2025-12-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack: fix crash due to removal of uninitialised entry

A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list: [exception RIP: __nf_ct_delete_from_lists+172] [..] #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack] #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack] #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack] [..]

The nf_conn struct is marked as allocated from slab but appears to be in a partially initialised state:

ct hlist pointer is garbage; looks like the ct hash value (hence crash). ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected ct->timeout is 30000 (=30s), which is unexpected.

Everything else looks like normal udp conntrack entry. If we ignore ct->status and pretend its 0, the entry matches those that are newly allocated but not yet inserted into the hash: - ct hlist pointers are overloaded and store/cache the raw tuple hash - ct->timeout matches the relative time expected for a new udp flow rather than the absolute 'jiffies' value.

If it were not for the presence of IPS_CONFIRMED, __nf_conntrack_find_get() would have skipped the entry.

Theory is that we did hit following race:

cpu x cpu y cpu z found entry E found entry E E is expired nf_ct_delete() return E to rcu slab init_conntrack E is re-inited, ct->status set to 0 reply tuplehash hnnode.pprev stores hash value.

cpu y found E right before it was deleted on cpu x. E is now re-inited on cpu z. cpu y was preempted before checking for expiry and/or confirm bit.

                ->refcnt set to 1
                E now owned by skb
                ->timeout set to 30000

If cpu y were to resume now, it would observe E as expired but would skip E due to missing CONFIRMED bit.

                nf_conntrack_confirm gets called
                sets: ct->status |= CONFIRMED
                This is wrong: E is not yet added
                to hashtable.

cpu y resumes, it observes E as expired but CONFIRMED: nf_ct_expired() -> yes (ct->timeout is 30s) confirmed bit set.

cpu y will try to delete E from the hashtable: nf_ct_delete() -> set DYING bit __nf_ct_delete_from_lists

Even this scenario doesn't guarantee a crash: cpu z still holds the table bucket lock(s) so y blocks:

        wait for spinlock held by z

                CONFIRMED is set but there is no
                guarantee ct will be added to hash:
                "chaintoolong" or "clash resolution"
                logic both skip the insert step.
                reply hnnode.pprev still stores the
                hash value.

                unlocks spinlock
                return NF_DROP
        <unblocks, then
         crashes on hlist_nulls_del_rcu pprev>

In case CPU z does insert the entry into the hashtable, cpu y will unlink E again right away but no crash occurs.

Without 'cpu y' race, 'garbage' hlist is of no consequence: ct refcnt remains at 1, eventually skb will be free'd and E gets destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.

To resolve this, move the IPS_CONFIRMED assignment after the table insertion but before the unlock.

Pablo points out that the confirm-bit-store could be reordered to happen before hlist add resp. the timeout fixup, so switch to set_bit and before_atomic memory barrier to prevent this.

It doesn't matter if other CPUs can observe a newly inserted entry right before the CONFIRMED bit was set:

Such event cannot be distinguished from above "E is the old incarnation" case: the entry will be skipped.

Also change nf_ct_should_gc() to first check the confirmed bit.

The gc sequence is: 1. Check if entry has expired, if not skip to next entry 2. Obtain a reference to the expired entry. 3. Call nf_ct_should_gc() to double-check step 1.

nf_ct_should_gc() is thus called only for entries that already failed an expiry check. After this patch, once the confirmed bit check pas ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T12:15:29Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n    [exception RIP: __nf_ct_delete_from_lists+172]\n    [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n    [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct-\u003estatus is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct-\u003etimeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry.  If we ignore\nct-\u003estatus and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n  - ct hlist pointers are overloaded and store/cache the raw tuple hash\n  - ct-\u003etimeout matches the relative time expected for a new udp flow\n    rather than the absolute \u0027jiffies\u0027 value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t\u003cpreemption\u003e\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct-\u003estatus set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z.  cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t-\u003erefcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t-\u003etimeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct-\u003estatus |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t\u003cresumes\u003e\n\t\t\tnf_ct_expired()\n\t\t\t -\u003e yes (ct-\u003etimeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -\u003e set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn\u0027t guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t\u003cunblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev\u003e\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout \u0027cpu y\u0027 race, \u0027garbage\u0027 hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free\u0027d and E gets\ndestroyed via: nf_conntrack_put -\u003e nf_conntrack_destroy -\u003e nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn\u0027t matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---",
  "id": "GHSA-979q-6jjc-29jh",
  "modified": "2025-12-22T21:30:31Z",
  "published": "2025-07-28T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38472"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d72afb340657f03f7261e9243b44457a9228ac7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76179961c423cd698080b5e4d5583cf7f4fcdde9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/938ce0e8422d3793fe30df2ed0e37f6bc0598379"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a47ef874189d47f934d0809ae738886307c0ea22"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc38c249c622ff5e3011b8845fd49dbfd9289afc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99R2-XH56-23CV

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-17 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator

BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized state after an error return causing bpf_iter_scx_dsq_next() to dereference garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that next() and destroy() become noops.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T10:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: bpf_iter_scx_dsq_new() should always initialize iterator\n\nBPF programs may call next() and destroy() on BPF iterators even after new()\nreturns an error value (e.g. bpf_for_each() macro ignores error returns from\nnew()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized\nstate after an error return causing bpf_iter_scx_dsq_next() to dereference\ngarbage data. Make bpf_iter_scx_dsq_new() always clear $kit-\u003edsq so that\nnext() and destroy() become noops.",
  "id": "GHSA-99r2-xh56-23cv",
  "modified": "2025-11-17T15:30:33Z",
  "published": "2025-06-18T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38012"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0102989af4c334d1d98b2a0fd4d61a5152e39b72"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/255dd31bfc4a67a19b1fc2cd130a50284dadfe3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/428dc9fc0873989d73918d4a9cc22745b7bbc799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99RF-J72J-FQV4

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Microsoft Outlook Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:16:01Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Outlook Remote Code Execution Vulnerability",
  "id": "GHSA-99rf-j72j-fqv4",
  "modified": "2025-01-14T18:32:05Z",
  "published": "2025-01-14T18:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21357"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99V9-H89C-34WF

Vulnerability from github – Published: 2025-09-23 15:31 – Updated: 2025-09-23 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt

Fix the following kernel oops in btmtksdio_interrrupt

[ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30

That happened because hdev->power_on is already called before sdio_set_drvdata which btmtksdio_interrupt handler relies on is not properly set up.

The details are shown as the below: hci_register_dev would run queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI workqueue_struct to complete the power-on sequeunce and thus hci_power_on may run before sdio_set_drvdata is done in btmtksdio_probe.

The hci_dev_do_open in hci_power_on would initialize the device and enable the interrupt and thus it is possible that btmtksdio_interrupt is being called right before sdio_set_drvdata is filled out.

When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled , the kernel oops is going to happen because btmtksdio_interrupt access an uninitialized pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:57Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt\n\nFix the following kernel oops in btmtksdio_interrrupt\n\n[   14.339134]  btmtksdio_interrupt+0x28/0x54\n[   14.339139]  process_sdio_pending_irqs+0x68/0x1a0\n[   14.339144]  sdio_irq_work+0x40/0x70\n[   14.339154]  process_one_work+0x184/0x39c\n[   14.339160]  worker_thread+0x228/0x3e8\n[   14.339168]  kthread+0x148/0x3ac\n[   14.339176]  ret_from_fork+0x10/0x30\n\nThat happened because hdev-\u003epower_on is already called before\nsdio_set_drvdata which btmtksdio_interrupt handler relies on is not\nproperly set up.\n\nThe details are shown as the below: hci_register_dev would run\nqueue_work(hdev-\u003ereq_workqueue, \u0026hdev-\u003epower_on) as WQ_HIGHPRI\nworkqueue_struct to complete the power-on sequeunce and thus hci_power_on\nmay run before sdio_set_drvdata is done in btmtksdio_probe.\n\nThe hci_dev_do_open in hci_power_on would initialize the device and enable\nthe interrupt and thus it is possible that btmtksdio_interrupt is being\ncalled right before sdio_set_drvdata is filled out.\n\nWhen btmtksdio_interrupt is being called and sdio_set_drvdata is not filled\n, the kernel oops is going to happen because btmtksdio_interrupt access an\nuninitialized pointer.",
  "id": "GHSA-99v9-h89c-34wf",
  "modified": "2025-09-23T15:31:08Z",
  "published": "2025-09-23T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49200"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d3d1f2c35a19988d3c5f0ee86038b525e830840"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d7be5afbb41c918d2f12f857f8c7efa50500be2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70a6cf749d9ff9f463490248322e5343199bc267"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/770a97d3f34b801de1b04737b43e02c55118c41a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/874eca93966a786eace87fa6dfb206c2dd9519b1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b062a0b9c1dc1ff63094337dccfe1568d5b62023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9C2G-HM7X-RWG3

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2024-10-17 21:31
VLAI
Details

Heap-based buffer overflow in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2 and Windows Data Access Components (WDAC) 6.0 allows remote attackers to execute arbitrary code via crafted XML data that triggers access to an uninitialized object in memory, aka "ADO Cachesize Heap Overflow RCE Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-07-10T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "Heap-based buffer overflow in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2 and Windows Data Access Components (WDAC) 6.0 allows remote attackers to execute arbitrary code via crafted XML data that triggers access to an uninitialized object in memory, aka \"ADO Cachesize Heap Overflow RCE Vulnerability.\"",
  "id": "GHSA-9c2g-hm7x-rwg3",
  "modified": "2024-10-17T21:31:28Z",
  "published": "2022-05-13T01:15:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1891"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-045"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14783"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA12-192A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.