CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
425 vulnerabilities reference this CWE, most recent first.
GHSA-467M-6JMP-65G9
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-08-06 00:00A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process.
{
"affected": [],
"aliases": [
"CVE-2020-35508"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-26T17:15:00Z",
"severity": "HIGH"
},
"details": "A flaw possibility of race condition and incorrect initialization of the process id was found in the Linux kernel child/parent process identification handling while filtering signal handlers. A local attacker is able to abuse this flaw to bypass checks to send any signal to a privileged process.",
"id": "GHSA-467m-6jmp-65g9",
"modified": "2022-08-06T00:00:40Z",
"published": "2022-05-24T17:45:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35508"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:1578"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:1739"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:2718"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:2719"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-35508"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902724"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210513-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-47HW-P9QV-5WQQ
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Improper initialization in the Linux kernel-mode driver for some Intel(R) I350 Series Ethernet before version 5.19.2 may allow an authenticated user to potentially enable Information disclosure via data exposure.
{
"affected": [],
"aliases": [
"CVE-2025-24511"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T17:15:34Z",
"severity": "LOW"
},
"details": "Improper initialization in the Linux kernel-mode driver for some Intel(R) I350 Series Ethernet before version 5.19.2 may allow an authenticated user to potentially enable Information disclosure via data exposure.",
"id": "GHSA-47hw-p9qv-5wqq",
"modified": "2025-08-12T18:31:29Z",
"published": "2025-08-12T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24511"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01335.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-47JR-G6Q2-JXRQ
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 14.4 and iPadOS 14.4. An attacker in a privileged position may be able to perform a denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2021-1780"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T18:15:00Z",
"severity": "MODERATE"
},
"details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 14.4 and iPadOS 14.4. An attacker in a privileged position may be able to perform a denial of service attack.",
"id": "GHSA-47jr-g6q2-jxrq",
"modified": "2022-05-24T17:46:20Z",
"published": "2022-05-24T17:46:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1780"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212146"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-48CJ-44RG-FXC7
Vulnerability from github – Published: 2023-03-23 21:30 – Updated: 2025-02-25 21:31A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.
{
"affected": [],
"aliases": [
"CVE-2023-1513"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-23T21:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak.",
"id": "GHSA-48cj-44rg-fxc7",
"modified": "2025-02-25T21:31:20Z",
"published": "2023-03-23T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1513"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/2c10b61421a28e95a46ab489fd56c0f442ff6952"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179892"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/kvm/20230214103304.3689213-1-gregkh%40linuxfoundation.org"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/kvm/20230214103304.3689213-1-gregkh@linuxfoundation.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-49JR-G5J4-39J9
Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30Improper initialization for some ESXi kernel mode driver for the Intel(R) Ethernet 800-Series before version 2.2.2.0 (esxi 8.0) & 2.2.3.0 (esxi 9.0) within Ring 1: Device Drivers may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-25058"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T17:16:13Z",
"severity": "LOW"
},
"details": "Improper initialization for some ESXi kernel mode driver for the Intel(R) Ethernet 800-Series before version 2.2.2.0 (esxi 8.0) \u0026amp; 2.2.3.0 (esxi 9.0) within Ring 1: Device Drivers may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (low), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
"id": "GHSA-49jr-g5j4-39j9",
"modified": "2026-02-10T18:30:39Z",
"published": "2026-02-10T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25058"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01408.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4F4G-M6H2-8Q23
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 02:01In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.
{
"affected": [],
"aliases": [
"CVE-2019-16921"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T13:15:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel before 4.17, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory, aka CID-df7e40425813.",
"id": "GHSA-4f4g-m6h2-8q23",
"modified": "2024-04-04T02:01:02Z",
"published": "2022-05-24T16:56:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16921"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/df7e40425813c50cd252e6f5e348a81ef1acae56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df7e40425813c50cd252e6f5e348a81ef1acae56"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4J2R-XH73-3XQW
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.
{
"affected": [],
"aliases": [
"CVE-2020-35342"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:20Z",
"severity": "HIGH"
},
"details": "GNU Binutils before 2.34 has an uninitialized-heap vulnerability in function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to make an information leak.",
"id": "GHSA-4j2r-xh73-3xqw",
"modified": "2024-04-04T07:06:25Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35342"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231006-0009"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25319"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4JFR-3638-M4HP
Vulnerability from github – Published: 2022-05-13 01:45 – Updated: 2022-05-13 01:45A vulnerability in Simple Network Management Protocol (SNMP) functions of Cisco ASR 1000 Series Aggregation Services Routers running Cisco IOS XE Software Release 3.13.6S, 3.16.2S, or 3.17.1S could allow an authenticated, remote attacker to cause high CPU usage on an affected device, resulting in a denial of service (DoS) condition. More Information: CSCux68796. Known Affected Releases: 15.5(3)S2.1 15.6(1)S1.1. Known Fixed Releases: 15.4(3)S6.1 15.4(3)S6.2 15.5(3)S2.2 15.5(3)S3 15.6(0.22)S0.23 15.6(1)S2 16.2(0.295) 16.3(0.94) 15.5.3S3.
{
"affected": [],
"aliases": [
"CVE-2017-3820"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-03T07:59:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Simple Network Management Protocol (SNMP) functions of Cisco ASR 1000 Series Aggregation Services Routers running Cisco IOS XE Software Release 3.13.6S, 3.16.2S, or 3.17.1S could allow an authenticated, remote attacker to cause high CPU usage on an affected device, resulting in a denial of service (DoS) condition. More Information: CSCux68796. Known Affected Releases: 15.5(3)S2.1 15.6(1)S1.1. Known Fixed Releases: 15.4(3)S6.1 15.4(3)S6.2 15.5(3)S2.2 15.5(3)S3 15.6(0.22)S0.23 15.6(1)S2 16.2(0.295) 16.3(0.94) 15.5.3S3.",
"id": "GHSA-4jfr-3638-m4hp",
"modified": "2022-05-13T01:45:55Z",
"published": "2022-05-13T01:45:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3820"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-asrsnmp"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95934"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037770"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4M4W-P55H-JWJH
Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2025-05-05 18:31Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.
{
"affected": [],
"aliases": [
"CVE-2021-0119"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "MODERATE"
},
"details": "Improper initialization in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via physical access.",
"id": "GHSA-4m4w-p55h-jwjh",
"modified": "2025-05-05T18:31:20Z",
"published": "2022-02-11T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0119"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220210-0007"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00527.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4MV5-VJXV-HH3H
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:02Improper initialization vulnerability in MELSEC-F series FX3U-ENET Firmware version 1.16 and prior, FX3U-ENET-L Firmware version 1.16 and prior and FX3U-ENET-P502 Firmware version 1.16 and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in communication function of the product by sending specially crafted packets. Control by MELSEC-F series PLC is not affected by this vulnerability, but system reset is required for recovery.
{
"affected": [],
"aliases": [
"CVE-2021-20613"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "HIGH"
},
"details": "Improper initialization vulnerability in MELSEC-F series FX3U-ENET Firmware version 1.16 and prior, FX3U-ENET-L Firmware version 1.16 and prior and FX3U-ENET-P502 Firmware version 1.16 and prior allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in communication function of the product by sending specially crafted packets. Control by MELSEC-F series PLC is not affected by this vulnerability, but system reset is required for recovery.",
"id": "GHSA-4mv5-vjxv-hh3h",
"modified": "2022-01-22T00:02:08Z",
"published": "2022-01-15T00:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20613"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU93268332/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-07"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-024_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.