CWE-824
AllowedAccess of Uninitialized Pointer
Abstraction: Base · Status: Incomplete
The product accesses or uses a pointer that has not been initialized.
451 vulnerabilities reference this CWE, most recent first.
GHSA-J89P-MFG5-QJ34
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of XE files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20201.
{
"affected": [],
"aliases": [
"CVE-2023-35713"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T02:15:33Z",
"severity": "HIGH"
},
"details": "Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XE files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20201.",
"id": "GHSA-j89p-mfg5-qj34",
"modified": "2024-05-03T03:30:52Z",
"published": "2024-05-03T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35713"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8C5-8FHM-5VQG
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-12 00:00The affected product is vulnerable to an out-of-bounds read via uninitialized pointer, which may allow an attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2022-29488"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "HIGH"
},
"details": "The affected product is vulnerable to an out-of-bounds read via uninitialized pointer, which may allow an attacker to execute arbitrary code.",
"id": "GHSA-j8c5-8fhm-5vqg",
"modified": "2022-06-12T00:00:47Z",
"published": "2022-06-03T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29488"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-146-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JFFP-X5H3-26CQ
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka 'GDI+ Remote Code Execution Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2019-0853"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T21:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory, aka \u0027GDI+ Remote Code Execution Vulnerability\u0027.",
"id": "GHSA-jffp-x5h3-26cq",
"modified": "2022-05-13T01:21:41Z",
"published": "2022-05-13T01:21:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0853"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0853"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-362"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-363"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JG27-PGXP-GCV8
Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-26 00:01Inkscape version 0.19 can access an uninitialized pointer, which may allow an attacker to have access to unauthorized information.
{
"affected": [],
"aliases": [
"CVE-2021-42702"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-18T17:15:00Z",
"severity": "MODERATE"
},
"details": "Inkscape version 0.19 can access an uninitialized pointer, which may allow an attacker to have access to unauthorized information.",
"id": "GHSA-jg27-pgxp-gcv8",
"modified": "2022-05-26T00:01:30Z",
"published": "2022-05-19T00:00:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42702"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-132-03"
},
{
"type": "WEB",
"url": "https://www.integraxor.com/scada-animation-graphic-editor-extension-inkscape"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JG55-F428-4RRG
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-17 00:00Adobe Photoshop versions 22.5.8 (and earlier) and 23.4.2 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-38426"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T18:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Photoshop versions 22.5.8 (and earlier) and 23.4.2 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-jg55-f428-4rrg",
"modified": "2022-09-17T00:00:33Z",
"published": "2022-09-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38426"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb22-52.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JGP5-G9CP-MGFW
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-21 18:30Horner Automation's Cscape version 9.90 SP 6 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer, leading to an out-of-bounds memory read.
{
"affected": [],
"aliases": [
"CVE-2022-3377"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-15T21:15:00Z",
"severity": "HIGH"
},
"details": "Horner Automation\u0027s Cscape version 9.90 SP 6 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer, leading to an out-of-bounds memory read.",
"id": "GHSA-jgp5-g9cp-mgfw",
"modified": "2022-11-21T18:30:38Z",
"published": "2022-11-16T12:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3377"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ24-4W7R-FFCH
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31IrfanView SID File Parsing Uninitialized Pointer Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SID files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23276.
{
"affected": [],
"aliases": [
"CVE-2024-9258"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:22Z",
"severity": "HIGH"
},
"details": "IrfanView SID File Parsing Uninitialized Pointer Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SID files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23276.",
"id": "GHSA-jj24-4w7r-ffch",
"modified": "2024-11-23T03:31:59Z",
"published": "2024-11-23T03:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9258"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1370"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMGR-533J-34JH
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2022-10-07 18:16WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.
{
"affected": [],
"aliases": [
"CVE-2019-11498"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-24T05:29:00Z",
"severity": "MODERATE"
},
"details": "WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a \"Conditional jump or move depends on uninitialised value\" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.",
"id": "GHSA-jmgr-533j-34jh",
"modified": "2022-10-07T18:16:00Z",
"published": "2022-05-24T16:44:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11498"
},
{
"type": "WEB",
"url": "https://github.com/dbry/WavPack/issues/67"
},
{
"type": "WEB",
"url": "https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFFFWIWALGQPKINRDW3PRGRD5LOLGZA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRWQNE3TH5UF64IKHKKHVCHJHUOVKJUH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZDKXGA2ZNSSM64ZYDHOWCO4Q4VAKAON"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SCK2YJXY6V5CKGKSF2PPN7RL2DXVOC6G"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-19"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3960-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JP97-993H-745Q
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Cscape (All Versions prior to 9.90 SP5) lacks proper validation of user-supplied data when parsing project files. This could lead to an out-of-bounds write via an uninitialized pointer. An attacker could leverage this vulnerability to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2021-33015"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T19:15:00Z",
"severity": "HIGH"
},
"details": "Cscape (All Versions prior to 9.90 SP5) lacks proper validation of user-supplied data when parsing project files. This could lead to an out-of-bounds write via an uninitialized pointer. An attacker could leverage this vulnerability to execute code in the context of the current process.",
"id": "GHSA-jp97-993h-745q",
"modified": "2022-05-24T19:12:09Z",
"published": "2022-05-24T19:12:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33015"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-224-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JR2X-6QF6-Q5MC
Vulnerability from github – Published: 2026-07-01 17:48 – Updated: 2026-07-01 17:48Summary
A memory-safety vulnerability in Open Babel's MSI parser caused an uninitialized pointer dereference when reading a crafted input file.
Details
The flaw was in the atom handling of the MSI reader. A malformed record caused the parser to dereference an atom pointer that had never been initialized.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious MSI file with the obabel
tool, the OBConversion API, or any of the language bindings (Python,
Ruby, Java, R, Perl, C#, PHP).
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: https://github.com/openbabel/openbabel/commit/fa9a2d9a
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.
Credit
Reported by Cisco TALOS.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openbabel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-44451"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T17:48:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s MSI parser caused an\nuninitialized pointer dereference when reading a crafted input file.\n\n### Details\n\nThe flaw was in the atom handling of the MSI reader. A malformed\nrecord caused the parser to dereference an atom pointer that had\nnever been initialized.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious MSI file with the `obabel`\ntool, the `OBConversion` API, or any of the language bindings (Python,\nRuby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/fa9a2d9a\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported by Cisco TALOS.",
"id": "GHSA-jr2x-6qf6-q5mc",
"modified": "2026-07-01T17:48:17Z",
"published": "2026-07-01T17:48:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-jr2x-6qf6-q5mc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44451"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/commit/fa9a2d9a2eb75154b7a884dfe679ff41a8f9c547"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbabel/openbabel"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1669"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1669"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open Babel has uninitialized pointer dereference in MSI atom parser"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.