Common Weakness Enumeration

CWE-824

Allowed

Access of Uninitialized Pointer

Abstraction: Base · Status: Incomplete

The product accesses or uses a pointer that has not been initialized.

451 vulnerabilities reference this CWE, most recent first.

GHSA-P9VW-F8RG-C624

Vulnerability from github – Published: 2025-01-21 15:31 – Updated: 2025-02-28 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix the new buffer was not zeroed before writing

Before writing, if a buffer_head marked as new, its data must be zeroed, otherwise uninitialized data in the page cache will be written.

So this commit uses folio_zero_new_buffers() to zero the new buffers before ->write_end().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix the new buffer was not zeroed before writing\n\nBefore writing, if a buffer_head marked as new, its data must\nbe zeroed, otherwise uninitialized data in the page cache will\nbe written.\n\nSo this commit uses folio_zero_new_buffers() to zero the new\nbuffers before -\u003ewrite_end().",
  "id": "GHSA-p9vw-f8rg-c624",
  "modified": "2025-02-28T21:32:14Z",
  "published": "2025-01-21T15:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57943"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/942c6f91ab8d82a41650e717940b4e577173762f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98e2fb26d1a9eafe79f46d15d54e68e014d81d8c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PCC9-2XG6-CR43

Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-05 00:00
VLAI
Details

NVIDIA DGX A100 contains a vulnerability in SBIOS in the Ofbd, where a local user with elevated privileges can cause access to an uninitialized pointer, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA DGX A100 contains a vulnerability in SBIOS in the Ofbd, where a local user with elevated privileges can cause access to an uninitialized pointer, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.",
  "id": "GHSA-pcc9-2xg6-cr43",
  "modified": "2022-07-05T00:00:53Z",
  "published": "2022-07-05T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31599"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFWF-7J6G-WP9X

Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-13 18:30
VLAI
Details

Animate versions 24.0.8, 23.0.11 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T18:15:40Z",
    "severity": "HIGH"
  },
  "details": "Animate versions 24.0.8, 23.0.11 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-pfwf-7j6g-wp9x",
  "modified": "2025-05-13T18:30:58Z",
  "published": "2025-05-13T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43557"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/animate/apsb25-42.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJ68-M269-RX3H

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of FlateDecode streams. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5763.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of FlateDecode streams. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5763.",
  "id": "GHSA-pj68-m269-rx3h",
  "modified": "2022-05-13T01:34:37Z",
  "published": "2022-05-13T01:34:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14282"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-742"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPPX-WXX4-46J2

Vulnerability from github – Published: 2022-12-08 00:30 – Updated: 2022-12-09 21:30
VLAI
Details

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-08T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary code.",
  "id": "GHSA-pppx-wxx4-46j2",
  "modified": "2022-12-09T21:30:47Z",
  "published": "2022-12-08T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3084"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-326-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR3M-XHHG-CV33

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-20 00:00
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ansys SpaceClaim 2022 R1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of X_B files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17407.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-15T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ansys SpaceClaim 2022 R1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of X_B files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17407.",
  "id": "GHSA-pr3m-xhhg-cv33",
  "modified": "2022-09-20T00:00:28Z",
  "published": "2022-09-16T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40643"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1199"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2GW-G324-7822

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 15:30
VLAI
Details

When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T14:15:54Z",
    "severity": "HIGH"
  },
  "details": "When a BIG-IP AFM denial-of-service (DoS) protection profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-q2gw-g324-7822",
  "modified": "2025-10-15T15:30:28Z",
  "published": "2025-10-15T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59478"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000152341"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q2M4-JGQ9-Q8VH

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-05T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Subversion\u0027s mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.",
  "id": "GHSA-q2m4-jgq9-q8vh",
  "modified": "2022-05-13T01:18:58Z",
  "published": "2022-05-13T01:18:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11803"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/fa71074862373c142d264534385f8ea5d8d6b80d27f36f3c46f55003@%3Cdev.subversion.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201904-08"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3869-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106770"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2RW-6W82-7R2C

Vulnerability from github – Published: 2023-02-14 12:30 – Updated: 2023-02-22 18:30
VLAI
Details

A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted SPP files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-19788)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24978"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-14T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Tecnomatix Plant Simulation (All versions \u003c V2201.0006). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted SPP files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-19788)",
  "id": "GHSA-q2rw-6w82-7r2c",
  "modified": "2023-02-22T18:30:35Z",
  "published": "2023-02-14T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24978"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3G7-FFF3-J4MQ

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-09 00:00
VLAI
Details

A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following: Install, manipulate, or delete the configuration of an affected device Cause memory corruption that results in a denial of service (DoS) on an affected device This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device. A successful exploit could allow the attacker to use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting a DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-824",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-23T03:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following: Install, manipulate, or delete the configuration of an affected device Cause memory corruption that results in a denial of service (DoS) on an affected device This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device. A successful exploit could allow the attacker to use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting a DoS.",
  "id": "GHSA-q3g7-fff3-j4mq",
  "modified": "2022-07-09T00:00:21Z",
  "published": "2022-05-24T19:15:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1619"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aaa-Yx47ZT8Q"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.