Read Time:1 Minute, 11 Second
Description
The software does not initialize critical variables, which causes the execution environment to use unexpected values.
Modes of Introduction:
– Implementation
Related Weaknesses
CWE-909
CWE-665
CWE-665
CWE-89
CWE-120
CWE-98
CWE-457
Consequences
Integrity, Other: Unexpected State, Quality Degradation, Varies by Context
The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.
Potential Mitigations
Phase: Implementation
Description:
Check that critical variables are initialized.
Phase: Testing
Description:
Use a static analysis tool to spot non-initialized variables.
CVE References
- CVE-2020-6078
- Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
- CVE-2009-2692
- Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
- CVE-2020-20739
- A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
- CVE-2005-2978
- Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
- CVE-2005-2109
- Internal variable in PHP application is not initialized, allowing external modification.
- CVE-2005-2193
- Array variable not initialized in PHP application, leading to resultant SQL injection.