Common Weakness Enumeration

CWE-824

Allowed

Access of Uninitialized Pointer

Abstraction: Base · Status: Incomplete

The product accesses or uses a pointer that has not been initialized.

451 vulnerabilities reference this CWE, most recent first.

GHSA-8CXJ-VC9J-XQ64

Vulnerability from github – Published: 2023-01-17 12:30 – Updated: 2023-01-24 21:30
VLAI
Details

CX-Motion-MCH v2.32 and earlier contains an access of uninitialized pointer vulnerability. Having a user to open a specially crafted project file may lead to information disclosure and/or arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-17T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "CX-Motion-MCH v2.32 and earlier contains an access of uninitialized pointer vulnerability. Having a user to open a specially crafted project file may lead to information disclosure and/or arbitrary code execution.",
  "id": "GHSA-8cxj-vc9j-xq64",
  "modified": "2023-01-24T21:30:28Z",
  "published": "2023-01-17T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22366"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU91744508/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8J35-8P36-8W3G

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2023-07-07 21:30
VLAI
Details

Adobe Bridge version 11.0.2 (and earlier) is affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-824",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-20T19:15:00Z",
    "severity": "LOW"
  },
  "details": "Adobe Bridge version 11.0.2 (and earlier) is affected by an uninitialized variable vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-8j35-8p36-8w3g",
  "modified": "2023-07-07T21:30:15Z",
  "published": "2022-05-24T19:11:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35991"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/bridge/apsb21-53.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MXF-8WH9-G5PV

Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-04-22 18:31
VLAI
Details

Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-21T13:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.",
  "id": "GHSA-8mxf-8wh9-g5pv",
  "modified": "2026-04-22T18:31:39Z",
  "published": "2026-04-21T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6757"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013588"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-32"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-34"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8PRM-GH76-RQ38

Vulnerability from github – Published: 2023-09-20 18:30 – Updated: 2025-06-28 00:31
VLAI
Details

Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665",
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-20T18:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local access.",
  "id": "GHSA-8prm-gh76-rq38",
  "modified": "2025-06-28T00:31:11Z",
  "published": "2023-09-20T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20597"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-4007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8Q5Q-7MVV-W97X

Vulnerability from github – Published: 2025-05-29 15:31 – Updated: 2025-12-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

module: ensure that kobject_put() is safe for module type kobjects

In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-29T14:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: ensure that kobject_put() is safe for module type kobjects\n\nIn \u0027lookup_or_create_module_kobject()\u0027, an internal kobject is created\nusing \u0027module_ktype\u0027. So call to \u0027kobject_put()\u0027 on error handling\npath causes an attempt to use an uninitialized completion pointer in\n\u0027module_kobject_release()\u0027. In this scenario, we just want to release\nkobject without an extra synchronization required for a regular module\nunloading process, so adding an extra check whether \u0027complete()\u0027 is\nactually required makes \u0027kobject_put()\u0027 safe.",
  "id": "GHSA-8q5q-7mvv-w97x",
  "modified": "2025-12-16T21:30:49Z",
  "published": "2025-05-29T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37995"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31d8df3f303c3ae9115230820977ef8c35c88808"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93799fb988757cdacf19acba57807746c00378e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e7b49ce4f9d0cb5b6e87db9e07a2fb9e754b0dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a63d99873547d8b39eb2f6db79dd235761e7098a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6aeb739974ec73e5217c75a7c008a688d3d5cf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d63851049f412cdfadaeef7a7eaef5031d11c1e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1c71b4bd721a4ea21da408806964b10468623f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faa9059631d3491d699c69ecf512de9e1a3d6649"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8QXC-57HF-HC9J

Vulnerability from github – Published: 2026-07-01 17:48 – Updated: 2026-07-01 17:48
VLAI
Summary
Open Babel has uninitialized pointer dereference in PQS pFormat
Details

Summary

A memory-safety vulnerability in Open Babel's PQS parser caused an uninitialized pointer dereference when reading a crafted input file.

Details

The flaw was in the pFormat handling of the PQS reader. A malformed input caused the parser to dereference a format pointer that had never been initialized.

Impact

Open Babel is a C++ library and CLI used to read and write chemistry file formats; it is shipped by Linux distributions and embedded in services that may parse untrusted input. Triggering this vulnerability requires the victim to open a malicious PQS file with the obabel tool, the OBConversion API, or any of the language bindings (Python, Ruby, Java, R, Perl, C#, PHP).

Affected versions

All releases up to and including 3.1.1.

Patched version

3.2.0 (released 2026-05-26).

Patch

Fix commit: https://github.com/openbabel/openbabel/commit/2a7d2cda

A minimized reproducer for this CVE is checked in under test/files/fuzz_regress/ and is exercised on every CI build under ASAN+UBSAN by the fuzzregresstest harness.

Credit

Reported by Cisco TALOS.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openbabel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T17:48:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s PQS parser caused an\nuninitialized pointer dereference when reading a crafted input file.\n\n### Details\n\nThe flaw was in the `pFormat` handling of the PQS reader. A malformed\ninput caused the parser to dereference a format pointer that had\nnever been initialized.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious PQS file with the `obabel`\ntool, the `OBConversion` API, or any of the language bindings (Python,\nRuby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/2a7d2cda\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported by Cisco TALOS.",
  "id": "GHSA-8qxc-57hf-hc9j",
  "modified": "2026-07-01T17:48:54Z",
  "published": "2026-07-01T17:48:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-8qxc-57hf-hc9j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbabel/openbabel/commit/2a7d2cda8bd47daade2e555e34b69651a2e132ef"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbabel/openbabel"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1670"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1670"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open Babel has uninitialized pointer dereference in PQS pFormat"
}

GHSA-8V2W-Q3WX-M958

Vulnerability from github – Published: 2026-04-15 00:31 – Updated: 2026-04-15 00:31
VLAI
Details

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T23:16:27Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-8v2w-q3wx-m958",
  "modified": "2026-04-15T00:31:35Z",
  "published": "2026-04-15T00:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27300"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92C5-XC6W-8GH2

Vulnerability from github – Published: 2022-12-08 00:30 – Updated: 2022-12-09 21:30
VLAI
Details

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-07T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.",
  "id": "GHSA-92c5-xc6w-8gh2",
  "modified": "2022-12-09T21:30:47Z",
  "published": "2022-12-08T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2952"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-326-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92QG-HFHR-PPVQ

Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2026-04-29 04:13
VLAI
Details

Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers the ability to execute DoS attack

and potentially arbitrary code execution

under the context of the ‘root’ user.This issue affects WR940N and WR941ND: ≤ WR940N v5 3.20.1 Build 200316,

WR941ND v6 3.16.9 Build 151203.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T19:16:21Z",
    "severity": "HIGH"
  },
  "details": "Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows\u00a0local unauthenticated attackers the ability to execute DoS attack \n\nand potentially arbitrary code execution\n\nunder the context of the \u2018root\u2019 user.This issue affects WR940N and WR941ND: \u2264 WR940N v5 3.20.1 Build 200316, \n\n\u2264\n\n WR941ND v6 3.16.9 Build 151203.",
  "id": "GHSA-92qg-hfhr-ppvq",
  "modified": "2026-04-29T04:13:42Z",
  "published": "2025-12-18T21:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14739"
    },
    {
      "type": "WEB",
      "url": "https://blog.exodusintel.com/2022/06/23/tp-link-wr940n-wr941nd-uninitialized-pointer-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/us/support/download/tl-wr940n/v5/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/us/support/download/tl-wr941nd/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/us/support/faq/4848"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-93X3-2R5R-4375

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2025-08-15 21:31
VLAI
Details

A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-26T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.",
  "id": "GHSA-93x3-2r5r-4375",
  "modified": "2025-08-15T21:31:14Z",
  "published": "2022-05-24T19:18:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34596"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16878\u0026token=e5644ec405590e66aefa62304cb8632df9fc9e9c\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.