CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-H68C-38X6-5X45
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 15:30In the Linux kernel, the following vulnerability has been resolved:
of/fdt: run soc memory setup when early_init_dt_scan_memory fails
If memory has been found early_init_dt_scan_memory now returns 1. If it hasn't found any memory it will return 0, allowing other memory setup mechanisms to carry on.
Previously early_init_dt_scan_memory always returned 0 without distinguishing between any kind of memory setup being done or not. Any code path after the early_init_dt_scan memory call in the ramips plat_mem_setup code wouldn't be executed anymore. Making early_init_dt_scan_memory the only way to initialize the memory.
Some boards, including my mt7621 based Cudy X6 board, depend on memory initialization being done via the soc_info.mem_detect function pointer. Those wouldn't be able to obtain memory and panic the kernel during early bootup with the message "early_init_dt_alloc_memory_arch: Failed to allocate 12416 bytes align=0x40".
{
"affected": [],
"aliases": [
"CVE-2023-53341"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T15:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nof/fdt: run soc memory setup when early_init_dt_scan_memory fails\n\nIf memory has been found early_init_dt_scan_memory now returns 1. If\nit hasn\u0027t found any memory it will return 0, allowing other memory\nsetup mechanisms to carry on.\n\nPreviously early_init_dt_scan_memory always returned 0 without\ndistinguishing between any kind of memory setup being done or not. Any\ncode path after the early_init_dt_scan memory call in the ramips\nplat_mem_setup code wouldn\u0027t be executed anymore. Making\nearly_init_dt_scan_memory the only way to initialize the memory.\n\nSome boards, including my mt7621 based Cudy X6 board, depend on memory\ninitialization being done via the soc_info.mem_detect function\npointer. Those wouldn\u0027t be able to obtain memory and panic the kernel\nduring early bootup with the message \"early_init_dt_alloc_memory_arch:\nFailed to allocate 12416 bytes align=0x40\".",
"id": "GHSA-h68c-38x6-5x45",
"modified": "2025-12-11T15:30:29Z",
"published": "2025-09-17T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53341"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04836fc5b720dfa32ff781383d84f63019abf9b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a12187d5853d9fd5102278cecef7dac7c8ce7ea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c4849f18185fd4e93b04cd45552f8d68c0240e21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6J8-G36H-J99V
Vulnerability from github – Published: 2022-05-01 23:27 – Updated: 2024-02-09 00:31Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka "Macro Validation Vulnerability," a different vulnerability than CVE-2007-3490.
{
"affected": [],
"aliases": [
"CVE-2008-0081"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-01-16T23:00:00Z",
"severity": "HIGH"
},
"details": "Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka \"Macro Validation Vulnerability,\" a different vulnerability than CVE-2007-3490.",
"id": "GHSA-h6j8-g36h-j99v",
"modified": "2024-02-09T00:31:33Z",
"published": "2022-05-01T23:27:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0081"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-014"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39699"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5546"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=120585858807305\u0026w=2"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28506"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1019200"
},
{
"type": "WEB",
"url": "http://www.microsoft.com/technet/security/advisory/947563.mspx"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27305"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA08-071A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/0146"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/0846/references"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H94P-VJQX-V7RR
Vulnerability from github – Published: 2026-07-01 15:35 – Updated: 2026-07-01 15:35FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
{
"affected": [],
"aliases": [
"CVE-2026-6686"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T15:17:12Z",
"severity": "MODERATE"
},
"details": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.",
"id": "GHSA-h94p-vjqx-v7rr",
"modified": "2026-07-01T15:35:21Z",
"published": "2026-07-01T15:35:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6686"
},
{
"type": "WEB",
"url": "https://elm-chan.org/fsw/ff"
},
{
"type": "WEB",
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686"
},
{
"type": "WEB",
"url": "https://www.runzero.com/blog/fatfs-bugs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H9XV-Q955-564M
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.
{
"affected": [],
"aliases": [
"CVE-2019-9639"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-09T00:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.",
"id": "GHSA-h9xv-q955-564m",
"modified": "2022-05-13T01:02:53Z",
"published": "2022-05-13T01:02:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9639"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=77659"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190502-0007"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3922-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3922-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3922-3"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4403"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HCVQ-7HMV-2Q86
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-11-07 18:31In the Linux kernel, the following vulnerability has been resolved:
net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
syzbot reported that act_len in kalmia_send_init_packet() is uninitialized when passing it to the first usb_bulk_msg error path. Jiri Pirko noted that it's pointless to pass it in the error path, and that the value that would be printed in the second error path would be the value of act_len from the first call to usb_bulk_msg.[1]
With this in mind, let's just not pass act_len to the usb_bulk_msg error paths.
1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/
{
"affected": [],
"aliases": [
"CVE-2023-52703"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:12Z",
"severity": "LOW"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/usb: kalmia: Don\u0027t pass act_len in usb_bulk_msg error path\n\nsyzbot reported that act_len in kalmia_send_init_packet() is\nuninitialized when passing it to the first usb_bulk_msg error path. Jiri\nPirko noted that it\u0027s pointless to pass it in the error path, and that\nthe value that would be printed in the second error path would be the\nvalue of act_len from the first call to usb_bulk_msg.[1]\n\nWith this in mind, let\u0027s just not pass act_len to the usb_bulk_msg error\npaths.\n\n1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/",
"id": "GHSA-hcvq-7hmv-2q86",
"modified": "2024-11-07T18:31:20Z",
"published": "2024-05-21T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52703"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/02df3170c04a8356cd571ab9155a42f030190abc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b5de7d44890b78519acbcc80d8d1f23ff2872e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/338f826d3afead6e4df521f7972a4bef04a72efb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/525bdcb0838d19d918c7786151ee14661967a030"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/723ef7b66f37c0841f5a451ccbce47ee1641e081"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a753352622b4f3c0219e0e9c73114b2848ae6042"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c68f345b7c425b38656e1791a0486769a8797016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HF5V-H65Q-2G27
Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-08 00:31ANGLE failed to initialize parameters which lead to reading from uninitialized memory. This could be leveraged to leak sensitive data from memory. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
{
"affected": [],
"aliases": [
"CVE-2024-7526"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T13:15:57Z",
"severity": "HIGH"
},
"details": "ANGLE failed to initialize parameters which lead to reading from uninitialized memory. This could be leveraged to leak sensitive data from memory. This vulnerability affects Firefox \u003c 129, Firefox ESR \u003c 115.14, and Firefox ESR \u003c 128.1.",
"id": "GHSA-hf5v-h65q-2g27",
"modified": "2024-08-08T00:31:44Z",
"published": "2024-08-06T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7526"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1910306"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-35"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-37"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HF7W-M8FC-Q8FP
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix freeing of uninitialized misc IRQ vector
When VSI set up failed in i40e_probe() as part of PF switch set up driver was trying to free misc IRQ vectors in i40e_clear_interrupt_scheme and produced a kernel Oops:
Trying to free already-free IRQ 266 WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300 Workqueue: events work_for_cpu_fn RIP: 0010:__free_irq+0x9a/0x300 Call Trace: ? synchronize_irq+0x3a/0xa0 free_irq+0x2e/0x60 i40e_clear_interrupt_scheme+0x53/0x190 [i40e] i40e_probe.part.108+0x134b/0x1a40 [i40e] ? kmem_cache_alloc+0x158/0x1c0 ? acpi_ut_update_ref_count.part.1+0x8e/0x345 ? acpi_ut_update_object_reference+0x15e/0x1e2 ? strstr+0x21/0x70 ? irq_get_irq_data+0xa/0x20 ? mp_check_pin_attr+0x13/0xc0 ? irq_get_irq_data+0xa/0x20 ? mp_map_pin_to_irq+0xd3/0x2f0 ? acpi_register_gsi_ioapic+0x93/0x170 ? pci_conf1_read+0xa4/0x100 ? pci_bus_read_config_word+0x49/0x70 ? do_pci_enable_device+0xcc/0x100 local_pci_probe+0x41/0x90 work_for_cpu_fn+0x16/0x20 process_one_work+0x1a7/0x360 worker_thread+0x1cf/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x112/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x1f/0x40
The problem is that at that point misc IRQ vectors were not allocated yet and we get a call trace that driver is trying to free already free IRQ vectors.
Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED PF state before calling i40e_free_misc_vector. This state is set only if misc IRQ vectors were properly initialized.
{
"affected": [],
"aliases": [
"CVE-2021-47424"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix freeing of uninitialized misc IRQ vector\n\nWhen VSI set up failed in i40e_probe() as part of PF switch set up\ndriver was trying to free misc IRQ vectors in\ni40e_clear_interrupt_scheme and produced a kernel Oops:\n\n Trying to free already-free IRQ 266\n WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300\n Workqueue: events work_for_cpu_fn\n RIP: 0010:__free_irq+0x9a/0x300\n Call Trace:\n ? synchronize_irq+0x3a/0xa0\n free_irq+0x2e/0x60\n i40e_clear_interrupt_scheme+0x53/0x190 [i40e]\n i40e_probe.part.108+0x134b/0x1a40 [i40e]\n ? kmem_cache_alloc+0x158/0x1c0\n ? acpi_ut_update_ref_count.part.1+0x8e/0x345\n ? acpi_ut_update_object_reference+0x15e/0x1e2\n ? strstr+0x21/0x70\n ? irq_get_irq_data+0xa/0x20\n ? mp_check_pin_attr+0x13/0xc0\n ? irq_get_irq_data+0xa/0x20\n ? mp_map_pin_to_irq+0xd3/0x2f0\n ? acpi_register_gsi_ioapic+0x93/0x170\n ? pci_conf1_read+0xa4/0x100\n ? pci_bus_read_config_word+0x49/0x70\n ? do_pci_enable_device+0xcc/0x100\n local_pci_probe+0x41/0x90\n work_for_cpu_fn+0x16/0x20\n process_one_work+0x1a7/0x360\n worker_thread+0x1cf/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x112/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x1f/0x40\n\nThe problem is that at that point misc IRQ vectors\nwere not allocated yet and we get a call trace\nthat driver is trying to free already free IRQ vectors.\n\nAdd a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED\nPF state before calling i40e_free_misc_vector. This state is set only if\nmisc IRQ vectors were properly initialized.",
"id": "GHSA-hf7w-m8fc-q8fp",
"modified": "2025-09-23T21:30:53Z",
"published": "2024-05-21T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47424"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17063cac4088b8e2fc0f633abddca5426ed58312"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e5a20573a926302b233b0c2e1077f5debc7ab2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60ad4cde0ad28921f9ea25b0201c774b95ffa4b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/75099439209d3cda439a1d9b00d19a50f0066fef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97aeed72af4f83ae51534f0a2473ff52f8d66236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HFH2-MJPV-G64V
Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05The PVRSRVBridgeGetMultiCoreInfo ioctl in the PowerVR kernel driver can return uninitialized kernel memory to user space. The contents of this memory could contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2021-0948"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T00:15:23Z",
"severity": "MODERATE"
},
"details": "The PVRSRVBridgeGetMultiCoreInfo ioctl in the PowerVR kernel driver can return uninitialized kernel memory to user space. The contents of this memory could contain sensitive information.\n\n",
"id": "GHSA-hfh2-mjpv-g64v",
"modified": "2024-04-04T06:05:06Z",
"published": "2023-07-13T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0948"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HFWG-2MM4-H8C4
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-11-07 18:31In the Linux kernel, the following vulnerability has been resolved:
media: mxl111sf: change mutex_init() location
Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized mutex. The problem was in wrong mutex_init() location.
Previous mutex_init(&state->msg_lock) call was in ->init() function, but dvb_usbv2_init() has this order of calls:
dvb_usbv2_init()
dvb_usbv2_adapter_init()
dvb_usbv2_adapter_frontend_init()
props->frontend_attach()
props->init()
Since mxl111sf_ devices call mxl111sf_ctrl_msg() in ->frontend_attach() internally we need to initialize state->msg_lock before frontend_attach(). To achieve it, ->probe() call added to all mxl111sf_ devices, which will simply initiaize mutex.
{
"affected": [],
"aliases": [
"CVE-2021-47583"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T15:15:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mxl111sf: change mutex_init() location\n\nSyzbot reported, that mxl111sf_ctrl_msg() uses uninitialized\nmutex. The problem was in wrong mutex_init() location.\n\nPrevious mutex_init(\u0026state-\u003emsg_lock) call was in -\u003einit() function, but\ndvb_usbv2_init() has this order of calls:\n\n\tdvb_usbv2_init()\n\t dvb_usbv2_adapter_init()\n\t dvb_usbv2_adapter_frontend_init()\n\t props-\u003efrontend_attach()\n\n\t props-\u003einit()\n\nSince mxl111sf_* devices call mxl111sf_ctrl_msg() in -\u003efrontend_attach()\ninternally we need to initialize state-\u003emsg_lock before\nfrontend_attach(). To achieve it, -\u003eprobe() call added to all mxl111sf_*\ndevices, which will simply initiaize mutex.",
"id": "GHSA-hfwg-2mm4-h8c4",
"modified": "2024-11-07T18:31:21Z",
"published": "2024-06-19T15:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47583"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/44870a9e7a3c24acbb3f888b2a7cc22c9bdf7e7f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b2d9600b31f9ba7adbc9f3c54a068615d27b390"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c6fdf62bfe1bc72bfceeaf832ef7499c7ed09ba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96f182c9f48b984447741f054ec301fdc8517035"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b99bdf127af91d53919e96292c05f737c45ea59a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HG2X-2C94-6W8P
Vulnerability from github – Published: 2024-06-14 09:31 – Updated: 2024-06-14 09:31Memory management vulnerability in the Gralloc module Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-36503"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T08:15:41Z",
"severity": "HIGH"
},
"details": "Memory management vulnerability in the Gralloc module\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-hg2x-2c94-6w8p",
"modified": "2024-06-14T09:31:17Z",
"published": "2024-06-14T09:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36503"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.