CWE-456 – Missing Initialization of a Variable

Description

The software does not initialize critical variables, which causes the execution environment to use unexpected values.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-909
CWE-665
CWE-89
CWE-120
CWE-98
CWE-457

 

Consequences

Integrity, Other: Unexpected State, Quality Degradation, Varies by Context

The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.

 

Potential Mitigations

Phase: Implementation

Description: Check that critical variables are initialized.

Phase: Testing

Description: Use a static analysis tool to spot non-initialized variables.

CVE References

  • CVE-2020-6078
    • Chain: The return value of a function returning a pointer is not checked for success (CWE-252), resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476).
  • CVE-2009-2692
    • Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
  • CVE-2020-20739
    • A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage.
  • CVE-2005-2978
    • Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
  • CVE-2005-2109
    • Internal variable in PHP application is not initialized, allowing external modification.
  • CVE-2005-2193
    • Array variable not initialized in PHP application, leading to resultant SQL injection.
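
The implementation-phase mitigation above, shown as an added C example that is not taken from CWE or from any of the listed products. It pairs the weak form (an unchecked return value followed by use of variables that were never set, with uninitialized size as in the entries above) with a hardened form; the record format `<len>:<payload>` and the names `parse_len`, `copy_record_unsafe` and `copy_record_safe` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OUT_MAX 16

/* Hypothetical parser for "<len>:<payload>". On failure it returns -1 and
 * leaves *len and *payload untouched, which is where CWE-456 starts. */
static int parse_len(const char *rec, size_t *len, const char **payload)
{
    unsigned int n;
    int used = 0;
    if (sscanf(rec, "%u:%n", &n, &used) != 1 || used == 0)
        return -1;
    *len = n;
    *payload = rec + used;
    return 0;
}

/* Weak form: len and payload are set only when parsing succeeds and the
 * return value is ignored, so a malformed record makes memcpy use
 * indeterminate values. Shown for contrast; never called here. */
int copy_record_unsafe(const char *rec, char out[OUT_MAX])
{
    size_t len;
    const char *payload;
    parse_len(rec, &len, &payload);
    memcpy(out, payload, len);
    out[len] = '\0';
    return 0;
}

/* Hardened form: every critical variable has a defined value before use,
 * the parser's result is checked, and len is validated against both buffers. */
int copy_record_safe(const char *rec, char out[OUT_MAX])
{
    size_t len = 0;
    const char *payload = NULL;
    out[0] = '\0';                      /* output is defined on every path */
    if (parse_len(rec, &len, &payload) != 0)
        return -1;
    if (len >= OUT_MAX || strlen(payload) < len)
        return -1;
    memcpy(out, payload, len);
    out[len] = '\0';
    return 0;
}
```

Compiling with `-Wall -Wextra` and running a static analyzer over the weak form is the testing-phase check the page recommends; because the variables are passed by address, some compilers stay silent, which is why the explicit initialization matters.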