CWE-457
AllowedUse of Uninitialized Variable
Abstraction: Variant · Status: Draft
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
298 vulnerabilities reference this CWE, most recent first.
GHSA-65GF-RQ85-48C5
Vulnerability from github – Published: 2026-03-17 18:30 – Updated: 2026-03-17 18:30An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
{
"affected": [],
"aliases": [
"CVE-2026-4147"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-17T16:16:23Z",
"severity": "HIGH"
},
"details": "An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.",
"id": "GHSA-65gf-rq85-48c5",
"modified": "2026-03-17T18:30:33Z",
"published": "2026-03-17T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4147"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-119317"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-66P5-J55P-32R9
Vulnerability from github – Published: 2021-08-25 21:00 – Updated: 2021-08-06 16:36Affected versions of this crate called mem::uninitialized() to create values of a user-supplied type T.
This is unsound e.g. if T is a reference type (which must be non-null and thus may not remain uninitialized).
The flaw was corrected by avoiding the use of mem::uninitialized(), using MaybeUninit instead.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "smallvec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-06T16:36:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.\n",
"id": "GHSA-66p5-j55p-32r9",
"modified": "2021-08-06T16:36:54Z",
"published": "2021-08-25T21:00:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/servo/rust-smallvec/issues/126"
},
{
"type": "WEB",
"url": "https://github.com/servo/rust-smallvec/pull/162"
},
{
"type": "PACKAGE",
"url": "https://github.com/servo/rust-smallvec"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2018-0018.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "smallvec creates uninitialized value of any type"
}
GHSA-682P-M82J-VW29
Vulnerability from github – Published: 2026-06-24 21:30 – Updated: 2026-06-24 21:30Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-13023"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T19:17:08Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-682p-m82j-vw29",
"modified": "2026-06-24T21:30:43Z",
"published": "2026-06-24T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13023"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/517080836"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6933-C37P-MPRR
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 03:35Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-13969"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:10Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-6933-c37p-mprr",
"modified": "2026-07-01T03:35:23Z",
"published": "2026-07-01T00:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13969"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513762962"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6F27-8674-H7P8
Vulnerability from github – Published: 2023-08-08 12:30 – Updated: 2024-04-04 06:38Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.
{
"affected": [],
"aliases": [
"CVE-2022-40510"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T10:15:12Z",
"severity": "CRITICAL"
},
"details": "Memory corruption due to buffer copy without checking size of input in Audio while voice call with EVS vocoder.",
"id": "GHSA-6f27-8674-h7p8",
"modified": "2024-04-04T06:38:01Z",
"published": "2023-08-08T12:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40510"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/august-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6FX6-MV6X-H475
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-08 03:30This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.
{
"affected": [],
"aliases": [
"CVE-2022-42432"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel 6.0-rc2. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the nft_osf_eval function. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-18540.",
"id": "GHSA-6fx6-mv6x-h475",
"modified": "2023-04-08T03:30:28Z",
"published": "2023-03-29T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42432"
},
{
"type": "WEB",
"url": "https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220907082618.1193201-1-pablo@netfilter.org"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6M3J-PCG3-CX2R
Vulnerability from github – Published: 2025-01-08 03:30 – Updated: 2025-01-08 03:30Vulnerability of variables not being initialized in the notification module Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-56446"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T03:15:10Z",
"severity": "MODERATE"
},
"details": "Vulnerability of variables not being initialized in the notification module\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-6m3j-pcg3-cx2r",
"modified": "2025-01-08T03:30:24Z",
"published": "2025-01-08T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56446"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6M8G-7XCG-8JJ5
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-06 06:30Uninitialized Use in Audio in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11141"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:20Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in Audio in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-6m8g-7xcg-8jj5",
"modified": "2026-06-06T06:30:28Z",
"published": "2026-06-05T00:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11141"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/501667839"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6P8Q-F9VC-4MP9
Vulnerability from github – Published: 2026-07-02 00:31 – Updated: 2026-07-02 00:31Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-14413"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T23:16:49Z",
"severity": "HIGH"
},
"details": "Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-6p8q-f9vc-4mp9",
"modified": "2026-07-02T00:31:41Z",
"published": "2026-07-02T00:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14413"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513922055"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-75QX-877V-F9FF
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 03:35Uninitialized Use in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-13950"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:08Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-75qx-877v-f9ff",
"modified": "2026-07-01T03:35:22Z",
"published": "2026-07-01T00:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13950"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513360781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-57
Strategy: Attack Surface Reduction
Ensure that critical variables are initialized before first use [REF-1485].
Mitigation
Strategy: Compilation or Build Hardening
Most compilers will complain about the use of uninitialized variables if warnings are turned on.
Mitigation
When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
Mitigation
Strategy: Language Selection
Choose a language that is not susceptible to these issues.
Mitigation
Mitigating technologies such as safe string libraries and container abstractions could be introduced.
No CAPEC attack patterns related to this CWE.