Modes d'introduction
Implementation
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)
Conséquences courantes
Portée |
Impact |
Probabilité |
Confidentiality | Read Memory, Read Application Data
Note: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party. | |
Availability | DoS: Crash, Exit, or Restart
Note: The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend. | |
Exemples observés
Références |
Description |
| Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. |
| Use of uninitialized memory may allow code execution. |
| Free of an uninitialized pointer leads to crash and possible code execution. |
| Product does not clear memory contents when generating an error message, leading to information leak. |
| Lack of initialization triggers NULL pointer dereference or double-free. |
| Uninitialized variable leads to code execution in popular desktop application. |
| Chain: Uninitialized variable leads to infinite loop. |
| Chain: Improper initialization leads to memory corruption. |
| Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap |
| Chain: game server can access player data structures before initialization has happened leading to NULL dereference |
| Chain: uninitialized function pointers can be dereferenced allowing code execution |
| Chain: improper initialization of memory can lead to NULL dereference |
| Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference |
Mesures d’atténuation potentielles
Phases : Implementation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Phases : Implementation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Phases : Implementation
Avoid race conditions (CWE-362) during initialization routines.
Phases : Build and Compilation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-436
Exploiting Uninitialized Data
mercy.
http://www.felinemenace.org/~mercy/papers/UBehavior/UBehavior.zip
Soumission
Nom |
Organisation |
Date |
Date de publication |
Version |
CWE Content Team |
MITRE |
2012-12-21 +00:00 |
2013-02-21 +00:00 |
2.4 |
Modifications
Nom |
Organisation |
Date |
Commentaire |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Taxonomy_Mappings |
CWE Content Team |
MITRE |
2019-01-03 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated Description, Relationships |
CWE Content Team |
MITRE |
2020-08-20 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2020-12-10 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2021-03-15 +00:00 |
updated Demonstrative_Examples, Observed_Examples |
CWE Content Team |
MITRE |
2023-01-31 +00:00 |
updated Description, Potential_Mitigations |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |