CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
425 vulnerabilities reference this CWE, most recent first.
GHSA-Q6JQ-567X-75GP
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2024-04-04 02:46The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.
{
"affected": [],
"aliases": [
"CVE-2015-8367"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-14T16:15:00Z",
"severity": "CRITICAL"
},
"details": "The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.",
"id": "GHSA-q6jq-567x-75gp",
"modified": "2024-04-04T02:46:24Z",
"published": "2022-05-24T17:06:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8367"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/134573/LibRaw-0.17-Overflow.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2015/Nov/108"
},
{
"type": "WEB",
"url": "http://www.libraw.org/news/libraw-0-17-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7R2-C6MW-RGWR
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:58Improper initialization for some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2022-31477"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:11Z",
"severity": "MODERATE"
},
"details": "Improper initialization for some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-q7r2-c6mw-rgwr",
"modified": "2024-04-04T03:58:57Z",
"published": "2023-05-10T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31477"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00777.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q8RM-WVJP-6QF3
Vulnerability from github – Published: 2023-10-29 09:30 – Updated: 2023-11-08 15:30When the isula load command is used to load malicious images, attackers can execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2021-33636"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-29T08:15:20Z",
"severity": "HIGH"
},
"details": "\nWhen the isula load command is used to load malicious images, attackers can execute arbitrary code.\n\n",
"id": "GHSA-q8rm-wvjp-6qf3",
"modified": "2023-11-08T15:30:32Z",
"published": "2023-10-29T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33636"
},
{
"type": "WEB",
"url": "https://gitee.com/src-openeuler/iSulad/pulls/600/files"
},
{
"type": "WEB",
"url": "https://gitee.com/src-openeuler/iSulad/pulls/627/files"
},
{
"type": "WEB",
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC7J-6RVC-FXHF
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:51A memory initialization issue was addressed. This issue is fixed in macOS Ventura 13.3. A remote user may be able to cause unexpected app termination or arbitrary code execution
{
"affected": [],
"aliases": [
"CVE-2023-27934"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T20:15:17Z",
"severity": "HIGH"
},
"details": "A memory initialization issue was addressed. This issue is fixed in macOS Ventura 13.3. A remote user may be able to cause unexpected app termination or arbitrary code execution",
"id": "GHSA-qc7j-6rvc-fxhf",
"modified": "2024-04-04T03:51:42Z",
"published": "2023-05-08T21:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27934"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213677"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213677"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCG7-R5QQ-MQMW
Vulnerability from github – Published: 2024-07-05 15:32 – Updated: 2025-02-13 18:32The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.
Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
{
"affected": [],
"aliases": [
"CVE-2024-39864"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-05T14:15:03Z",
"severity": "CRITICAL"
},
"details": "The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value).\u00a0An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete\u00a0compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.\n\nUsers are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.",
"id": "GHSA-qcg7-r5qq-mqmw",
"modified": "2025-02-13T18:32:31Z",
"published": "2024-07-05T15:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39864"
},
{
"type": "WEB",
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1"
},
{
"type": "WEB",
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/07/05/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGW4-62XF-F822
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are initialized in memory, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901 and CVE-2018-0926.
{
"affected": [],
"aliases": [
"CVE-2018-0814"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T17:29:00Z",
"severity": "MODERATE"
},
"details": "The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are initialized in memory, aka \"Windows Kernel Information Disclosure Vulnerability\". This CVE is unique from CVE-2018-0811, CVE-2018-0813, CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, and CVE-2018-0901 and CVE-2018-0926.",
"id": "GHSA-qgw4-62xf-f822",
"modified": "2022-05-13T01:18:32Z",
"published": "2022-05-13T01:18:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0814"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0814"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103251"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040517"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHPM-8P8J-GWV9
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring DCH ID initialization.
{
"affected": [],
"aliases": [
"CVE-2018-7419"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-23T22:29:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring DCH ID initialization.",
"id": "GHSA-qhpm-8p8j-gwv9",
"modified": "2022-05-13T01:20:35Z",
"published": "2022-05-13T01:20:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7419"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14443"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bebd3a1f50b0a27738d8d3da5b33c1b392eb7273"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00018.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4217"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2018-14.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103159"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPXC-2F6P-R9WG
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3,macOS Mojave 10.14.3,tvOS 12.1.2,watchOS 5.1.3. A malicious application may be able to break out of its sandbox.
{
"affected": [],
"aliases": [
"CVE-2019-6230"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-05T16:29:00Z",
"severity": "HIGH"
},
"details": "A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3,macOS Mojave 10.14.3,tvOS 12.1.2,watchOS 5.1.3. A malicious application may be able to break out of its sandbox.",
"id": "GHSA-qpxc-2f6p-r9wg",
"modified": "2022-05-13T01:22:38Z",
"published": "2022-05-13T01:22:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6230"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209443"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209446"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209447"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209448"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106739"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQ4C-HM99-979M
Vulnerability from github – Published: 2025-08-18 15:10 – Updated: 2025-08-18 15:10Due to a flaw in the constructor id_map::IdMap::from_iter, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of IdMap. Specifically, the field ids is initialized based on the capacity of the vector values, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.
In such cases, when the resulting IdMap is dropped, its destructor incorrectly assumes that values contains ids.len() == values.capacity() initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.
The bug was fixed in commit fab6922, and all unsafe code was removed from the crate.
Note that the maintainer recommends using the following alternatives: - slab - slotmap
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "id-map"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.6"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-18T15:10:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory is less than what is expected by the fields of `IdMap`. Specifically, the field `ids` is initialized based on the capacity of the vector `values`, which is constructed from the provided iterator. However, the length of this vector may be smaller than its capacity.\n\nIn such cases, when the resulting `IdMap` is dropped, its destructor incorrectly assumes that `values` contains `ids.len() == values.capacity()` initialized elements and attempts to iterate over and drop them. This leads to dereferencing and attempting to free uninitialized memory, resulting in undefined behavior and potential segmentation faults.\n\nThe bug was fixed in commit `fab6922`, and all unsafe code was removed from the crate.\n\nNote that the maintainer recommends using the following alternatives:\n- [slab](https://crates.io/crates/slab)\n- [slotmap](https://crates.io/crates/slotmap)",
"id": "GHSA-qq4c-hm99-979m",
"modified": "2025-08-18T15:10:15Z",
"published": "2025-08-18T15:10:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/andrewhickman/id-map/issues/4"
},
{
"type": "WEB",
"url": "https://github.com/andrewhickman/id-map/commit/fab6922b955b5a2986dfff2ccb341628faec30ed"
},
{
"type": "PACKAGE",
"url": "https://github.com/andrewhickman/id-map"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0050.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "IdMap from_iter may lead to uninitialized memory being freed on drop"
}
GHSA-QQ6C-XRMH-Q72X
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.
{
"affected": [],
"aliases": [
"CVE-2016-9594"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-23T19:29:00Z",
"severity": "HIGH"
},
"details": "curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl\u0027s internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.",
"id": "GHSA-qq6c-xrmh-q72x",
"modified": "2022-05-13T01:38:28Z",
"published": "2022-05-13T01:38:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9594"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9594"
},
{
"type": "WEB",
"url": "https://curl.haxx.se/docs/adv_20161223.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-47"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2017-04"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95094"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037528"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.