Common Weakness Enumeration

CWE-665

Discouraged

Improper Initialization

Abstraction: Class · Status: Draft

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

425 vulnerabilities reference this CWE, most recent first.

GHSA-Q6JQ-567X-75GP

Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-04-04 02:46
VLAI
Details

The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-14T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.",
  "id": "GHSA-q6jq-567x-75gp",
  "modified": "2024-04-04T02:46:24Z",
  "published": "2022-05-24T17:06:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8367"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/134573/LibRaw-0.17-Overflow.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2015/Nov/108"
    },
    {
      "type": "WEB",
      "url": "http://www.libraw.org/news/libraw-0-17-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7R2-C6MW-RGWR

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:58
VLAI
Details

Improper initialization for some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Improper initialization for some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-q7r2-c6mw-rgwr",
  "modified": "2024-04-04T03:58:57Z",
  "published": "2023-05-10T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31477"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00777.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8RM-WVJP-6QF3

Vulnerability from github – Published: 2023-10-29 09:30 – Updated: 2023-11-08 15:30
VLAI
Details

When the isula load command is used to load malicious images, attackers can execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-29T08:15:20Z",
    "severity": "HIGH"
  },
  "details": "\nWhen the isula load command is used to load malicious images, attackers can execute arbitrary code.\n\n",
  "id": "GHSA-q8rm-wvjp-6qf3",
  "modified": "2023-11-08T15:30:32Z",
  "published": "2023-10-29T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33636"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/src-openeuler/iSulad/pulls/600/files"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/src-openeuler/iSulad/pulls/627/files"
    },
    {
      "type": "WEB",
      "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC7J-6RVC-FXHF

Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:51
VLAI
Details

A memory initialization issue was addressed. This issue is fixed in macOS Ventura 13.3. A remote user may be able to cause unexpected app termination or arbitrary code execution

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-08T20:15:17Z",
    "severity": "HIGH"
  },
  "details": "A memory initialization issue was addressed. This issue is fixed in macOS Ventura 13.3. A remote user may be able to cause unexpected app termination or arbitrary code execution",
  "id": "GHSA-qc7j-6rvc-fxhf",
  "modified": "2024-04-04T03:51:42Z",
  "published": "2023-05-08T21:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27934"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213670"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213677"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213677"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCG7-R5QQ-MQMW

Vulnerability from github – Published: 2024-07-05 15:32 – Updated: 2025-02-13 18:32
VLAI
Details

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.

Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-05T14:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value).\u00a0An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete\u00a0compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.\n\nUsers are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.",
  "id": "GHSA-qcg7-r5qq-mqmw",
  "modified": "2025-02-13T18:32:31Z",
  "published": "2024-07-05T15:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39864"
    },
    {
      "type": "WEB",
      "url": "https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1"
    },
    {
      "type": "WEB",
      "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/07/05/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QGW4-62XF-F822

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are initialized in memory, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901 and CVE-2018-0926.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-14T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are initialized in memory, aka \"Windows Kernel Information Disclosure Vulnerability\". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901 and CVE-2018-0926.",
  "id": "GHSA-qgw4-62xf-f822",
  "modified": "2022-05-13T01:18:32Z",
  "published": "2022-05-13T01:18:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0814"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0814"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103251"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040517"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHPM-8P8J-GWV9

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20
VLAI
Details

In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring DCH ID initialization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-7419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-23T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring DCH ID initialization.",
  "id": "GHSA-qhpm-8p8j-gwv9",
  "modified": "2022-05-13T01:20:35Z",
  "published": "2022-05-13T01:20:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7419"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14443"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bebd3a1f50b0a27738d8d3da5b33c1b392eb7273"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4217"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2018-14.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103159"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPXC-2F6P-R9WG

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3,macOS Mojave 10.14.3,tvOS 12.1.2,watchOS 5.1.3. A malicious application may be able to break out of its sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-05T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3,macOS Mojave 10.14.3,tvOS 12.1.2,watchOS 5.1.3. A malicious application may be able to break out of its sandbox.",
  "id": "GHSA-qpxc-2f6p-r9wg",
  "modified": "2022-05-13T01:22:38Z",
  "published": "2022-05-13T01:22:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6230"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209443"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209446"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209447"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209448"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ4C-HM99-979M

Vulnerability from github – Published: 2025-08-18 15:10 – Updated: 2025-08-18 15:10
VLAI
Summary
IdMap from_iter may lead to uninitialized memory being freed on drop
Details

Due to a flaw in the constructor id_map::IdMap::from_iter, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of IdMap. Specifically, the field ids is initialized based on the capacity of the vector values, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.

In such cases, when the resulting IdMap is dropped, its destructor incorrectly assumes that values contains ids.len() == values.capacity() initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.

The bug was fixed in commit fab6922, and all unsafe code was removed from the crate.

Note that the maintainer recommends using the following alternatives: - slab - slotmap

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "id-map"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.6"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-18T15:10:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of `IdMap`. Specifically, the field `ids` is initialized based on the capacity of the vector `values`, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.\n\nIn such cases, when the resulting `IdMap` is dropped, its destructor incorrectly assumes that `values` contains `ids.len() == values.capacity()` initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.\n\nThe bug was fixed in commit `fab6922`, and all unsafe code was removed from the crate.\n\nNote that the maintainer recommends using the following alternatives:\n- [slab](https://crates.io/crates/slab)\n- [slotmap](https://crates.io/crates/slotmap)",
  "id": "GHSA-qq4c-hm99-979m",
  "modified": "2025-08-18T15:10:15Z",
  "published": "2025-08-18T15:10:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/andrewhickman/id-map/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andrewhickman/id-map/commit/fab6922b955b5a2986dfff2ccb341628faec30ed"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/andrewhickman/id-map"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0050.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "IdMap from_iter may lead to uninitialized memory being freed on drop"
}

GHSA-QQ6C-XRMH-Q72X

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-23T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl\u0027s internal function that returns a good 32bit random value.  Having a weak or virtually non-existent random value makes the operations that use it vulnerable.",
  "id": "GHSA-qq6c-xrmh-q72x",
  "modified": "2022-05-13T01:38:28Z",
  "published": "2022-05-13T01:38:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9594"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9594"
    },
    {
      "type": "WEB",
      "url": "https://curl.haxx.se/docs/adv_20161223.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-47"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2017-04"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95094"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037528"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.