Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

GHSA-FJ83-G2VH-2826

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This can potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-16T22:15:00Z",
    "severity": "LOW"
  },
  "details": "Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This can potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions.",
  "id": "GHSA-fj83-g2vh-2826",
  "modified": "2022-05-24T19:11:27Z",
  "published": "2022-05-24T19:11:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36282"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000190408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM5W-336Q-VFGR

Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-26 00:03
VLAI
Details

In PVRSRVBridgeHeapCfgHeapConfigName, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848817

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-24T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In PVRSRVBridgeHeapCfgHeapConfigName, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848817",
  "id": "GHSA-fm5w-336q-vfgr",
  "modified": "2022-08-26T00:03:34Z",
  "published": "2022-08-25T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0887"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM6J-MFPF-PRFQ

Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drop_monitor: fix incorrect initialization order

Syzkaller reports the following bug:

BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x119/0x179 lib/dump_stack.c:118 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 reset_per_cpu_data+0xe6/0x240 [drop_monitor] net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:651 [inline] __sock_sendmsg+0x157/0x190 net/socket.c:663 _syssendmsg+0x712/0x870 net/socket.c:2378 _sys_sendmsg+0xf8/0x170 net/socket.c:2432 __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768

If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized.

To fix this, let's place resource initialization above the registration of a generic netlink family.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T10:15:19Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: fix incorrect initialization order\n\nSyzkaller reports the following bug:\n\nBUG: spinlock bad magic on CPU#1, syz-executor.0/7995\n lock: 0xffff88805303f3e0, .magic: 00000000, .owner: \u003cnone\u003e/-1, .owner_cpu: 0\nCPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G            E     5.10.209+ #1\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x119/0x179 lib/dump_stack.c:118\n debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]\n do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]\n _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159\n reset_per_cpu_data+0xe6/0x240 [drop_monitor]\n net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]\n genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497\n genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:651 [inline]\n __sock_sendmsg+0x157/0x190 net/socket.c:663\n ____sys_sendmsg+0x712/0x870 net/socket.c:2378\n ___sys_sendmsg+0xf8/0x170 net/socket.c:2432\n __sys_sendmsg+0xea/0x1b0 net/socket.c:2461\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\nRIP: 0033:0x7f3f9815aee9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9\nRDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007\nRBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768\n\nIf drop_monitor is built as a kernel module, syzkaller may have time\nto send a netlink NET_DM_CMD_START message during the module loading.\nThis will call the net_dm_monitor_start() function that uses\na spinlock that has not yet been initialized.\n\nTo fix this, let\u0027s place resource initialization above the registration\nof a generic netlink family.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.",
  "id": "GHSA-fm6j-mfpf-prfq",
  "modified": "2026-05-12T15:30:51Z",
  "published": "2025-03-12T12:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21862"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM7P-MPRW-WJM9

Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-19 19:35
VLAI
Summary
Oj: intern.c form_attr (uninitialized stack read)
Details

Summary

Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory.

Details

In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer b, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3():

static VALUE form_attr(const char *str, size_t len) {
    char buf[256];
    if (sizeof(buf) - 2 <= len) {        // long-key path (len >= 254)
        char *b = OJ_R_ALLOC_N(char, len + 2);
        // ... b is filled correctly ...
        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`
        OJ_R_FREE(b);
        return id;
    }
    // ...
}

rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf (CWE-125). The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents.

This is the same defect previously fixed in ext/oj/usual.c; intern.c held a duplicated copy of form_attr that was missed.

Proof of Concept

require 'oj'
key  = "A" * 300
json = %Q[{"^o":"Object","#{key}":1}]
Oj.load(json, mode: :object)

On affected versions this raises an EncodingError whose message contains ~1500 bytes of uninitialized stack memory (not the supplied "A"s). The leaked byte count varies between runs with the identical payload (e.g. 1491 vs 1516 bytes), confirming the content is uninitialized memory rather than fixed data.

Impact

Information disclosure of process stack memory to a caller that parses untrusted JSON with Oj.load(..., mode: :object). For keys >= 256 bytes it is also an out-of-bounds read (CWE-125).

Severity is bounded by several preconditions: it requires :object mode (which is already discouraged for untrusted input), the leaked bytes are uncontrolled (the attacker cannot choose what is disclosed), and the data only reaches an attacker if the application surfaces the resulting Symbol or EncodingError back to them. Scored CVSS 5.3 (Medium) on that basis.

Patches

Fixed in 3.17.3: form_attr() now passes b to rb_intern3 (a one-character change mirroring the earlier usual.c fix). Verified on the fixed build: the same payload returns cleanly with no leak across repeated runs.

Credit

Reported by Zac Wang (@7a6163).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "oj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:35:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`Oj.load` in `:object` mode reads uninitialized stack memory (and, for long\nkeys, reads out of bounds) when parsing a JSON object whose key is 254 bytes\nor longer. The interned bytes can surface to the caller, disclosing process\nstack memory.\n\n### Details\n\nIn `ext/oj/intern.c`, `form_attr()` handles the long-key path by allocating a\nheap buffer `b`, populating it with the attribute name, and then freeing it \u2014\nbut it passed the **uninitialized stack buffer `buf`** (not `b`) to\n`rb_intern3()`:\n\n```c\nstatic VALUE form_attr(const char *str, size_t len) {\n    char buf[256];\n    if (sizeof(buf) - 2 \u003c= len) {        // long-key path (len \u003e= 254)\n        char *b = OJ_R_ALLOC_N(char, len + 2);\n        // ... b is filled correctly ...\n        id = rb_intern3(buf, len + 1, oj_utf8_encoding);   // BUG: reads `buf`\n        OJ_R_FREE(b);\n        return id;\n    }\n    // ...\n}\n```\n\n`rb_intern3` therefore reads `len + 1` bytes of uninitialized stack memory.\nWhen the key length is \u003e= 256, it also reads out of bounds past the 256-byte\n`buf` (CWE-125). The resulting bytes are interned and can reach the caller via\nthe produced Symbol or via the `EncodingError` message raised on invalid\nUTF-8, leaking process stack contents.\n\nThis is the same defect previously fixed in `ext/oj/usual.c`; `intern.c` held\na duplicated copy of `form_attr` that was missed.\n\n### Proof of Concept\n\n```ruby\nrequire \u0027oj\u0027\nkey  = \"A\" * 300\njson = %Q[{\"^o\":\"Object\",\"#{key}\":1}]\nOj.load(json, mode: :object)\n```\n\nOn affected versions this raises an `EncodingError` whose message contains\n~1500 bytes of uninitialized stack memory (not the supplied \"A\"s). The leaked\nbyte count varies between runs with the identical payload (e.g. 1491 vs 1516\nbytes), confirming the content is uninitialized memory rather than fixed data.\n\n### Impact\n\nInformation disclosure of process stack memory to a caller that parses\nuntrusted JSON with `Oj.load(..., mode: :object)`. For keys \u003e= 256 bytes it is\nalso an out-of-bounds read (CWE-125).\n\nSeverity is bounded by several preconditions: it requires `:object` mode\n(which is already discouraged for untrusted input), the leaked bytes are\nuncontrolled (the attacker cannot choose what is disclosed), and the data only\nreaches an attacker if the application surfaces the resulting Symbol or\n`EncodingError` back to them. Scored CVSS 5.3 (Medium) on that basis.\n\n### Patches\n\nFixed in **3.17.3**: `form_attr()` now passes `b` to `rb_intern3` (a\none-character change mirroring the earlier `usual.c` fix). Verified on the\nfixed build: the same payload returns cleanly with no leak across repeated\nruns.\n\n### Credit\n\nReported by Zac Wang (@7a6163).",
  "id": "GHSA-fm7p-mprw-wjm9",
  "modified": "2026-06-19T19:35:59Z",
  "published": "2026-06-19T19:35:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ohler55/oj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oj: intern.c form_attr (uninitialized stack read)"
}

GHSA-FMM4-GG8X-5CXP

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T18:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability",
  "id": "GHSA-fmm4-gg8x-5cxp",
  "modified": "2024-08-13T18:31:16Z",
  "published": "2024-08-13T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38118"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38118"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP26-FC43-5569

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-18 00:00
VLAI
Details

In code generated by aidl_const_expressions.cpp, there is a possible out of bounds read due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-206718630

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In code generated by aidl_const_expressions.cpp, there is a possible out of bounds read due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-206718630",
  "id": "GHSA-fp26-fc43-5569",
  "modified": "2022-02-18T00:00:42Z",
  "published": "2022-02-12T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39671"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-02-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FP5X-7M4Q-449F

Vulnerability from github – Published: 2025-10-21 21:57 – Updated: 2025-10-21 21:57
VLAI
Summary
Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer
Details

The safe function create_ring_buffer allocates a buffer using Vec::with_capacity followed by set_len, creating a Box<[T]> containing uninitialized memory.

This leads to undefined behavior when functions like write_slices create typed slices (e.g., &mut [bool]) over the uninitialized memory, violating Rust's validity invariants. The issue has been confirmed using Miri.

Fixed in version 0.2.2 by using resize_with to properly initialize the buffer with T::default(), adding a T: Default bound to ensure sound initialization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "direct_ring_buffer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-21T21:57:31Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "The safe function `create_ring_buffer` allocates a buffer using `Vec::with_capacity` followed by `set_len`, creating a `Box\u003c[T]\u003e` containing uninitialized memory.\n\nThis leads to undefined behavior when functions like `write_slices` create typed slices (e.g., `\u0026mut [bool]`) over the uninitialized memory, violating Rust\u0027s validity invariants. The issue has been confirmed using Miri.\n\nFixed in version 0.2.2 by using `resize_with` to properly initialize the buffer with `T::default()`, adding a `T: Default` bound to ensure sound initialization.",
  "id": "GHSA-fp5x-7m4q-449f",
  "modified": "2025-10-21T21:57:32Z",
  "published": "2025-10-21T21:57:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ain1084/direct_ring_buffer/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ain1084/direct_ring_buffer/pull/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ain1084/direct_ring_buffer"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0105.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer"
}

GHSA-FPG8-4QPQ-2VF4

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

In readVector of iCrypto.cpp, there is a possible invalid read due to uninitialized data. This could lead to local information disclosure from the DRM server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-79218474

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-02T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In readVector of iCrypto.cpp, there is a possible invalid read due to uninitialized data. This could lead to local information disclosure from the DRM server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-79218474",
  "id": "GHSA-fpg8-4qpq-2vf4",
  "modified": "2022-05-13T01:21:07Z",
  "published": "2022-05-13T01:21:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9499"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/av/+/bf7a67c33c0f044abeef3b9746f434b7f3295bb1"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-10-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-10-01,"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105481"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ4P-236V-8G34

Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid accessing uninitialized curseg

syzbot reports a f2fs bug as below:

F2FS-fs (loop3): Stopped filesystem due to reason: 7 kworker/u8:7: attempt to access beyond end of device BUG: unable to handle page fault for address: ffffed1604ea3dfa RIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline] RIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline] RIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline] RIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline] RIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649 f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline] f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791 write_inode fs/fs-writeback.c:1525 [inline] __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745 writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976 wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156 wb_do_writeback fs/fs-writeback.c:2303 [inline] wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Commit 8b10d3653735 ("f2fs: introduce FAULT_NO_SEGMENT") allows to trigger no free segment fault in allocator, then it will update curseg->segno to NULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed to check the flag, and access invalid curseg->segno directly in below call path, then resulting in panic:

  • f2fs_write_inode
  • f2fs_is_checkpoint_ready
  • has_enough_free_secs
  • has_not_enough_free_secs
    • __get_secs_required
    • has_curseg_enough_space
    • get_ckpt_valid_blocks : access invalid curseg->segno

To avoid this issue, let's: - check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in f2fs_write_inode(). - in has_curseg_enough_space(), save curseg->segno into a temp variable, and verify its validation before use.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22123"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:16:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid accessing uninitialized curseg\n\nsyzbot reports a f2fs bug as below:\n\nF2FS-fs (loop3): Stopped filesystem due to reason: 7\nkworker/u8:7: attempt to access beyond end of device\nBUG: unable to handle page fault for address: ffffed1604ea3dfa\nRIP: 0010:get_ckpt_valid_blocks fs/f2fs/segment.h:361 [inline]\nRIP: 0010:has_curseg_enough_space fs/f2fs/segment.h:570 [inline]\nRIP: 0010:__get_secs_required fs/f2fs/segment.h:620 [inline]\nRIP: 0010:has_not_enough_free_secs fs/f2fs/segment.h:633 [inline]\nRIP: 0010:has_enough_free_secs+0x575/0x1660 fs/f2fs/segment.h:649\n \u003cTASK\u003e\n f2fs_is_checkpoint_ready fs/f2fs/segment.h:671 [inline]\n f2fs_write_inode+0x425/0x540 fs/f2fs/inode.c:791\n write_inode fs/fs-writeback.c:1525 [inline]\n __writeback_single_inode+0x708/0x10d0 fs/fs-writeback.c:1745\n writeback_sb_inodes+0x820/0x1360 fs/fs-writeback.c:1976\n wb_writeback+0x413/0xb80 fs/fs-writeback.c:2156\n wb_do_writeback fs/fs-writeback.c:2303 [inline]\n wb_workfn+0x410/0x1080 fs/fs-writeback.c:2343\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nCommit 8b10d3653735 (\"f2fs: introduce FAULT_NO_SEGMENT\") allows to trigger\nno free segment fault in allocator, then it will update curseg-\u003esegno to\nNULL_SEGNO, though, CP_ERROR_FLAG has been set, f2fs_write_inode() missed\nto check the flag, and access invalid curseg-\u003esegno directly in below call\npath, then resulting in panic:\n\n- f2fs_write_inode\n - f2fs_is_checkpoint_ready\n  - has_enough_free_secs\n   - has_not_enough_free_secs\n    - __get_secs_required\n     - has_curseg_enough_space\n      - get_ckpt_valid_blocks\n      : access invalid curseg-\u003esegno\n\nTo avoid this issue, let\u0027s:\n- check CP_ERROR_FLAG flag in prior to f2fs_is_checkpoint_ready() in\nf2fs_write_inode().\n- in has_curseg_enough_space(), save curseg-\u003esegno into a temp variable,\nand verify its validation before use.",
  "id": "GHSA-fq4p-236v-8g34",
  "modified": "2025-11-03T18:31:15Z",
  "published": "2025-04-16T15:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22123"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f90e5d423cd2d4c74b2abb527872f335108637f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/986c50f6bca109c6cf362b4e2babcb85aba958f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf49527089ec1ba894c6e587affabbfb2329f52e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQHQ-PC8V-8XCH

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-02-09 00:31
VLAI
Details

A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption. This vulnerability affects Firefox < 66.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-26T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A latent vulnerability exists in the Prio library where data may be read from uninitialized memory for some functions, leading to potential memory corruption. This vulnerability affects Firefox \u003c 66.",
  "id": "GHSA-fqhq-pc8v-8xch",
  "modified": "2024-02-09T00:31:33Z",
  "published": "2022-05-24T16:44:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9805"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1521360"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.