CWE-908
Use of Uninitialized Resource
Moyen
Incomplete
2013-02-21
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.
Description du CWE
When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality | Read Memory, Read Application Data Note: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. | |
| Availability | DoS: Crash, Exit, or Restart Note: The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. |
Exemples observés
| Références | Description |
|---|---|
CVE-2019-9805 | Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. |
CVE-2008-4197 | Use of uninitialized memory may allow code execution. |
CVE-2008-2934 | Free of an uninitialized pointer leads to crash and possible code execution. |
CVE-2008-0063 | Product does not clear memory contents when generating an error message, leading to information leak. |
CVE-2008-0062 | Lack of initialization triggers NULL pointer dereference or double-free. |
CVE-2008-0081 | Uninitialized variable leads to code execution in popular desktop application. |
CVE-2008-3688 | Chain: Uninitialized variable leads to infinite loop. |
CVE-2008-3475 | Chain: Improper initialization leads to memory corruption. |
CVE-2005-1036 | Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap |
CVE-2008-3597 | Chain: game server can access player data structures before initialization has happened leading to NULL dereference |
CVE-2009-2692 | Chain: uninitialized function pointers can be dereferenced allowing code execution |
CVE-2009-0949 | Chain: improper initialization of memory can lead to NULL dereference |
CVE-2009-3620 | Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference |
Mesures d’atténuation potentielles
Phases : ImplementationExplicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Phases : Implementation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Phases : Implementation
Avoid race conditions (CWE-362) during initialization routines.
Phases : Build and Compilation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-436
Exploiting Uninitialized Datamercy.
http://www.felinemenace.org/~mercy/papers/UBehavior/UBehavior.zip
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | 2.4 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples | |
| CWE Content Team | MITRE | updated Description, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.