CWE-909 Detail

CWE-909

Name

Missing Initialization of Resource

Likelihood

Medium

Status

Incomplete

Published

2013-02-21
00h00 +00:00

Modified

2023-10-26
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Missing Initialization of Resource

The product does not initialize a critical resource.

CWE Description

Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality	Read Memory, Read Application Data Note: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Availability	DoS: Crash, Exit, or Restart Note: The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.

Observed Examples

References	Description
CVE-2020-20739	A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
CVE-2005-1036	Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

Potential Mitigations

Phases : Implementation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Phases : Implementation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Phases : Implementation
Avoid race conditions (CWE-362) during initialization routines.
Phases : Build and Compilation
Run or compile your product with settings that generate warnings about uninitialized variables or data.

Vulnerability Mapping Notes

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2012-12-21 +00:00	2013-02-21 +00:00	2.4

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2021-03-15 +00:00	updated Demonstrative_Examples, Observed_Examples
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description, Potential_Mitigations, Relationships
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Mapping_Notes, Type