CWE-457
AllowedUse of Uninitialized Variable
Abstraction: Variant · Status: Draft
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
297 vulnerabilities reference this CWE, most recent first.
GHSA-PVH9-2948-MGMJ
Vulnerability from github – Published: 2025-02-03 06:30 – Updated: 2025-02-03 18:30In DA, there is a possible read of uninitialized heap data due to uninitialized data. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291449; Issue ID: MSV-2066.
{
"affected": [],
"aliases": [
"CVE-2025-20638"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T04:15:08Z",
"severity": "MODERATE"
},
"details": "In DA, there is a possible read of uninitialized heap data due to uninitialized data. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291449; Issue ID: MSV-2066.",
"id": "GHSA-pvh9-2948-mgmj",
"modified": "2025-02-03T18:30:41Z",
"published": "2025-02-03T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20638"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/February-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q386-C4R6-FHPQ
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of J2K files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-20909.
{
"affected": [],
"aliases": [
"CVE-2023-42048"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:38Z",
"severity": "LOW"
},
"details": "PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of J2K files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-20909.",
"id": "GHSA-q386-c4r6-fhpq",
"modified": "2024-05-03T03:31:00Z",
"published": "2024-05-03T03:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42048"
},
{
"type": "WEB",
"url": "https://www.tracker-software.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q545-RCCV-33G7
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 21:31Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11064"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:10Z",
"severity": "MODERATE"
},
"details": "Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-q545-rccv-33g7",
"modified": "2026-06-05T21:31:57Z",
"published": "2026-06-05T00:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11064"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/499075743"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7RV-P9GV-MCJ9
Vulnerability from github – Published: 2024-05-08 00:31 – Updated: 2024-05-08 00:31Foxit PDF Reader Annotation Use of Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14658.
{
"affected": [],
"aliases": [
"CVE-2021-34953"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T23:15:08Z",
"severity": "HIGH"
},
"details": "Foxit PDF Reader Annotation Use of Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14658.",
"id": "GHSA-q7rv-p9gv-mcj9",
"modified": "2024-05-08T00:31:13Z",
"published": "2024-05-08T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34953"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC4P-7G72-JQRQ
Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-05-07 12:30An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while parsing HTTP requests. In certain configurations, a specially crafted HTTP request can result in disclosure of data allocated on the heap, which could contain sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-40533"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T16:15:06Z",
"severity": "MODERATE"
},
"details": "An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while parsing HTTP requests. In certain configurations, a specially crafted HTTP request can result in disclosure of data allocated on the heap, which could contain sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.",
"id": "GHSA-qc4p-7g72-jqrq",
"modified": "2024-05-07T12:30:50Z",
"published": "2024-05-01T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40533"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/05/07/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QG3J-XJ32-H7FH
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-01 00:01This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF images. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15411.
{
"affected": [],
"aliases": [
"CVE-2021-46617"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T20:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF images. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15411.",
"id": "GHSA-qg3j-xj32-h7fh",
"modified": "2022-03-01T00:01:01Z",
"published": "2022-02-19T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46617"
},
{
"type": "WEB",
"url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0015"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-204"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJ6X-X634-3RC3
Vulnerability from github – Published: 2026-07-09 00:31 – Updated: 2026-07-09 15:32Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-15109"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T23:16:52Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-qj6x-x634-3rc3",
"modified": "2026-07-09T15:32:29Z",
"published": "2026-07-09T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15109"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/516899138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP6G-F22X-MGXR
Vulnerability from github – Published: 2024-04-16 09:30 – Updated: 2024-04-16 09:30In OffloadAMRWriter, a scalar field is not initialized so will contain an arbitrary value left over from earlier computations
{
"affected": [],
"aliases": [
"CVE-2024-32625"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-16T09:15:07Z",
"severity": "MODERATE"
},
"details": "In OffloadAMRWriter, a scalar field is not initialized so will contain an arbitrary value left over from earlier computations",
"id": "GHSA-qp6g-f22x-mgxr",
"modified": "2024-04-16T09:30:33Z",
"published": "2024-04-16T09:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32625"
},
{
"type": "WEB",
"url": "https://www.asrmicro.com/en/goods/psirt?cid=38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QWW9-Q864-VPMP
Vulnerability from github – Published: 2025-09-06 18:30 – Updated: 2025-09-06 18:30Use of an uninitialized variable in the ASP could allow an attacker to access leftover data from a trusted execution environment (TEE) driver, potentially leading to loss of confidentiality.
{
"affected": [],
"aliases": [
"CVE-2023-31326"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-06T17:15:31Z",
"severity": "LOW"
},
"details": "Use of an uninitialized variable in the ASP could allow an attacker to access leftover data from a trusted execution environment (TEE) driver, potentially leading to loss of confidentiality.",
"id": "GHSA-qww9-q864-vpmp",
"modified": "2025-09-06T18:30:32Z",
"published": "2025-09-06T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31326"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4012.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-5007.html"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6018.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R34R-5RVH-PC3M
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 21:31Uninitialized Use in WebML in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11033"
],
"database_specific": {
"cwe_ids": [
"CWE-457"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:07Z",
"severity": "MODERATE"
},
"details": "Uninitialized Use in WebML in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-r34r-5rvh-pc3m",
"modified": "2026-06-05T21:31:57Z",
"published": "2026-06-05T00:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11033"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/497926664"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-57
Strategy: Attack Surface Reduction
Ensure that critical variables are initialized before first use [REF-1485].
Mitigation
Strategy: Compilation or Build Hardening
Most compilers will complain about the use of uninitialized variables if warnings are turned on.
Mitigation
When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
Mitigation
Strategy: Language Selection
Choose a language that is not susceptible to these issues.
Mitigation
Mitigating technologies such as safe string libraries and container abstractions could be introduced.
No CAPEC attack patterns related to this CWE.