CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-XC6G-7C6R-9WXC
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30PDF-XChange Editor PDF File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18493.
{
"affected": [],
"aliases": [
"CVE-2023-39484"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:15Z",
"severity": "LOW"
},
"details": "PDF-XChange Editor PDF File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDF files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18493.",
"id": "GHSA-xc6g-7c6r-9wxc",
"modified": "2024-05-03T03:30:56Z",
"published": "2024-05-03T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39484"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1123"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XC6W-XCGH-JJHW
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-05-22 00:31In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix oops due to uninitialised var in smb2_unlink()
If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the iovs set @rqst will be left uninitialised, hence calling SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will oops.
Fix this by initialising @close_iov and @open_iov before setting them in @rqst.
{
"affected": [],
"aliases": [
"CVE-2026-23282"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix oops due to uninitialised var in smb2_unlink()\n\nIf SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the\niovs set @rqst will be left uninitialised, hence calling\nSMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will\noops.\n\nFix this by initialising @close_iov and @open_iov before setting them\nin @rqst.",
"id": "GHSA-xc6w-xcgh-jjhw",
"modified": "2026-05-22T00:31:15Z",
"published": "2026-03-25T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23282"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/048efe129a297256d3c2088cf8d79515ff5ec864"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86163b98891aa9800f6103252e5acc7bb98afb91"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc710c87af3341554d02d634ada1d2036c49a94a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XF3H-RPGF-FMVP
Vulnerability from github – Published: 2024-04-03 15:30 – Updated: 2025-02-28 00:30In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ad4130: zero-initialize clock init data
The clk_init_data struct does not have all its members initialized, causing issues when trying to expose the internal clock on the CLK pin.
Fix this by zero-initializing the clk_init_data struct.
{
"affected": [],
"aliases": [
"CVE-2024-26711"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T15:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad4130: zero-initialize clock init data\n\nThe clk_init_data struct does not have all its members\ninitialized, causing issues when trying to expose the internal\nclock on the CLK pin.\n\nFix this by zero-initializing the clk_init_data struct.",
"id": "GHSA-xf3h-rpgf-fmvp",
"modified": "2025-02-28T00:30:51Z",
"published": "2024-04-03T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26711"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/02876e2df02f8b17a593d77a0a7879a8109b27e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e0dab37750926d4fb0144edb1c1ea0612fea273"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a22b0a2be69a36511cb5b37d948b651ddf7debf3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XFHW-6MC4-MGXF
Vulnerability from github – Published: 2024-04-05 15:40 – Updated: 2024-04-05 15:40As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage.
Extremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:
use crayon::prelude::*;
application::oneshot().unwrap();
let mut params = MeshParams::default();
let mesh = video::create_mesh(params, None).unwrap();
// Deletes the mesh object.
video::delete_mesh(mesh); // <-- UB
The Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.
Discovered via https://asan.saethlin.dev/ub?crate=crayon&version=0.7.1
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "crayon"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"last_affected": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-05T15:40:40Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "As of version 0.6.0, the ObjectPool explicitly creates an uninitialized instance of its type parameter when it attempts to free an object, and swaps it into the storage. This causes instant undefined behavior due to reading the uninitialized memory in order to write it to the pool storage.\n\nExtremely basic usage of the crate can trigger this issue, e.g. this code from a doctest:\n\n```rust\nuse crayon::prelude::*;\napplication::oneshot().unwrap();\n\nlet mut params = MeshParams::default();\n\nlet mesh = video::create_mesh(params, None).unwrap();\n\n// Deletes the mesh object.\nvideo::delete_mesh(mesh); // \u003c-- UB\n```\n\nThe Clippy warning for this code was silenced in commit c2fde19caf6149d91faa504263f0bc5cafc35de5.\n\nDiscovered via https://asan.saethlin.dev/ub?crate=crayon\u0026version=0.7.1\n",
"id": "GHSA-xfhw-6mc4-mgxf",
"modified": "2024-04-05T15:40:40Z",
"published": "2024-04-05T15:40:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shawnscode/crayon/issues/109"
},
{
"type": "WEB",
"url": "https://github.com/shawnscode/crayon/commit/c2fde19caf6149d91faa504263f0bc5cafc35de5"
},
{
"type": "PACKAGE",
"url": "https://github.com/shawnscode/crayon"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0018.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "crayon: ObjectPool creates uninitialized memory when freeing objects"
}
GHSA-XFJQ-QRVP-MV7M
Vulnerability from github – Published: 2022-12-13 21:30 – Updated: 2022-12-17 00:30Altair HyperView Player versions 2021.1.0.27 and prior are vulnerable to the use of uninitialized memory vulnerability during parsing of H3D files. A DWORD is extracted from an uninitialized buffer and, after sign extension, is used as an index into a stack variable to increment a counter leading to memory corruption.
{
"affected": [],
"aliases": [
"CVE-2022-2949"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T21:15:00Z",
"severity": "HIGH"
},
"details": "Altair HyperView Player versions 2021.1.0.27 and prior are vulnerable to the use of uninitialized memory vulnerability during parsing of H3D files. A DWORD is extracted from an uninitialized buffer and, after sign extension, is used as an index into a stack variable to increment a counter leading to memory corruption.",
"id": "GHSA-xfjq-qrvp-mv7m",
"modified": "2022-12-17T00:30:21Z",
"published": "2022-12-13T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2949"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XFQQ-WJXW-FGHM
Vulnerability from github – Published: 2023-08-11 03:30 – Updated: 2024-04-04 06:50Use of uninitialized resource in some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-22330"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-11T03:15:16Z",
"severity": "MODERATE"
},
"details": "Use of uninitialized resource in some Intel(R) NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-xfqq-wjxw-fghm",
"modified": "2024-04-04T06:50:34Z",
"published": "2023-08-11T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22330"
},
{
"type": "WEB",
"url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00917.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XFRF-FHFW-CW7H
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Link Properties Handling Memory Corruption Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2011-1250"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-06-16T20:55:00Z",
"severity": "HIGH"
},
"details": "Microsoft Internet Explorer 6 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka \"Link Properties Handling Memory Corruption Vulnerability.\"",
"id": "GHSA-xfrf-fhfw-cw7h",
"modified": "2022-05-13T01:03:30Z",
"published": "2022-05-13T01:03:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1250"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-050"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12708"
},
{
"type": "WEB",
"url": "http://www.nsfocus.com/en/advisories/1101.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/518445/100/0/threaded"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XFVH-9MXF-99VM
Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-02-03 15:32In the Linux kernel, the following vulnerability has been resolved:
arm64: ptrace: fix partial SETREGSET for NT_ARM_POE
Currently poe_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.por_el0, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism.
Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing contents of POR_EL1 will be retained.
Before this patch:
| # ./poe-test | Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d | SETREGSET(nt=0x40f, len=8) wrote 8 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0x900d900d900d900d | | Attempting to write NT_ARM_POE (zero length) | SETREGSET(nt=0x40f, len=0) wrote 0 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50
After this patch:
| # ./poe-test | Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d | SETREGSET(nt=0x40f, len=8) wrote 8 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0x900d900d900d900d | | Attempting to write NT_ARM_POE (zero length) | SETREGSET(nt=0x40f, len=0) wrote 0 bytes | | Attempting to read NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) read 8 bytes | Read NT_ARM_POE::por_el0 = 0x900d900d900d900d
{
"affected": [],
"aliases": [
"CVE-2024-57877"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T15:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_POE\n\nCurrently poe_set() doesn\u0027t initialize the temporary \u0027ctrl\u0027 variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget-\u003ethread.por_el0, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of POR_EL1 will be retained.\n\nBefore this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50\n\nAfter this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d",
"id": "GHSA-xfvh-9mxf-99vm",
"modified": "2025-02-03T15:32:01Z",
"published": "2025-01-11T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57877"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4105dd76bc8ad6529d47157ef0565cb84ca6676c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/594bfc4947c4fcabba1318d8384c61a29a6b89fb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XFW2-QH29-P3MM
Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix one more kernel-infoleak in algo dumping
During fuzz testing, the following issue was discovered:
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30 _copy_to_iter+0x598/0x2a30 __skb_datagram_iter+0x168/0x1060 skb_copy_datagram_iter+0x5b/0x220 netlink_recvmsg+0x362/0x1700 sock_recvmsg+0x2dc/0x390 __sys_recvfrom+0x381/0x6d0 __x64_sys_recvfrom+0x130/0x200 x64_sys_call+0x32c8/0x3cc0 do_syscall_64+0xd8/0x1c0 entry_SYSCALL_64_after_hwframe+0x79/0x81
Uninit was stored to memory at: copy_to_user_state_extra+0xcc1/0x1e00 dump_one_state+0x28c/0x5f0 xfrm_state_walk+0x548/0x11e0 xfrm_dump_sa+0x1e0/0x840 netlink_dump+0x943/0x1c40 __netlink_dump_start+0x746/0xdb0 xfrm_user_rcv_msg+0x429/0xc00 netlink_rcv_skb+0x613/0x780 xfrm_netlink_rcv+0x77/0xc0 netlink_unicast+0xe90/0x1280 netlink_sendmsg+0x126d/0x1490 __sock_sendmsg+0x332/0x3d0 _syssendmsg+0x863/0xc30 _sys_sendmsg+0x285/0x3e0 __x64_sys_sendmsg+0x2d6/0x560 x64_sys_call+0x1316/0x3cc0 do_syscall_64+0xd8/0x1c0 entry_SYSCALL_64_after_hwframe+0x79/0x81
Uninit was created at: __kmalloc+0x571/0xd30 attach_auth+0x106/0x3e0 xfrm_add_sa+0x2aa0/0x4230 xfrm_user_rcv_msg+0x832/0xc00 netlink_rcv_skb+0x613/0x780 xfrm_netlink_rcv+0x77/0xc0 netlink_unicast+0xe90/0x1280 netlink_sendmsg+0x126d/0x1490 __sock_sendmsg+0x332/0x3d0 _syssendmsg+0x863/0xc30 _sys_sendmsg+0x285/0x3e0 __x64_sys_sendmsg+0x2d6/0x560 x64_sys_call+0x1316/0x3cc0 do_syscall_64+0xd8/0x1c0 entry_SYSCALL_64_after_hwframe+0x79/0x81
Bytes 328-379 of 732 are uninitialized Memory access of size 732 starts at ffff88800e18e000 Data copied to user address 00007ff30f48aff0
CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Fixes copying of xfrm algorithms where some random data of the structure fields can end up in userspace. Padding in structures may be filled with random (possibly sensitve) data and should never be given directly to user-space.
A similar issue was resolved in the commit 8222d5910dae ("xfrm: Zero padding when dumping algos and encap")
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
{
"affected": [],
"aliases": [
"CVE-2024-50110"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T18:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: fix one more kernel-infoleak in algo dumping\n\nDuring fuzz testing, the following issue was discovered:\n\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30\n _copy_to_iter+0x598/0x2a30\n __skb_datagram_iter+0x168/0x1060\n skb_copy_datagram_iter+0x5b/0x220\n netlink_recvmsg+0x362/0x1700\n sock_recvmsg+0x2dc/0x390\n __sys_recvfrom+0x381/0x6d0\n __x64_sys_recvfrom+0x130/0x200\n x64_sys_call+0x32c8/0x3cc0\n do_syscall_64+0xd8/0x1c0\n entry_SYSCALL_64_after_hwframe+0x79/0x81\n\nUninit was stored to memory at:\n copy_to_user_state_extra+0xcc1/0x1e00\n dump_one_state+0x28c/0x5f0\n xfrm_state_walk+0x548/0x11e0\n xfrm_dump_sa+0x1e0/0x840\n netlink_dump+0x943/0x1c40\n __netlink_dump_start+0x746/0xdb0\n xfrm_user_rcv_msg+0x429/0xc00\n netlink_rcv_skb+0x613/0x780\n xfrm_netlink_rcv+0x77/0xc0\n netlink_unicast+0xe90/0x1280\n netlink_sendmsg+0x126d/0x1490\n __sock_sendmsg+0x332/0x3d0\n ____sys_sendmsg+0x863/0xc30\n ___sys_sendmsg+0x285/0x3e0\n __x64_sys_sendmsg+0x2d6/0x560\n x64_sys_call+0x1316/0x3cc0\n do_syscall_64+0xd8/0x1c0\n entry_SYSCALL_64_after_hwframe+0x79/0x81\n\nUninit was created at:\n __kmalloc+0x571/0xd30\n attach_auth+0x106/0x3e0\n xfrm_add_sa+0x2aa0/0x4230\n xfrm_user_rcv_msg+0x832/0xc00\n netlink_rcv_skb+0x613/0x780\n xfrm_netlink_rcv+0x77/0xc0\n netlink_unicast+0xe90/0x1280\n netlink_sendmsg+0x126d/0x1490\n __sock_sendmsg+0x332/0x3d0\n ____sys_sendmsg+0x863/0xc30\n ___sys_sendmsg+0x285/0x3e0\n __x64_sys_sendmsg+0x2d6/0x560\n x64_sys_call+0x1316/0x3cc0\n do_syscall_64+0xd8/0x1c0\n entry_SYSCALL_64_after_hwframe+0x79/0x81\n\nBytes 328-379 of 732 are uninitialized\nMemory access of size 732 starts at ffff88800e18e000\nData copied to user address 00007ff30f48aff0\n\nCPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n\nFixes copying of xfrm algorithms where some random\ndata of the structure fields can end up in userspace.\nPadding in structures may be filled with random (possibly sensitve)\ndata and should never be given directly to user-space.\n\nA similar issue was resolved in the commit\n8222d5910dae (\"xfrm: Zero padding when dumping algos and encap\")\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
"id": "GHSA-xfw2-qh29-p3mm",
"modified": "2025-11-04T00:31:54Z",
"published": "2024-11-05T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50110"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e8fbd2441cb2ea28d6825f2985bf7d84af060bb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/610d4cea9b442b22b4820695fc3335e64849725e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6889cd2a93e1e3606b3f6e958aa0924e836de4d2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c73bca72b84b453c8d26a5e7673b20adb294bf54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc2ad8e8818e4bf1a93db78d81745b4877b32972"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XH5Q-PCH5-G3XQ
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2026-04-15 00:31A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
{
"affected": [],
"aliases": [
"CVE-2024-12085"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:25Z",
"severity": "HIGH"
},
"details": "A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.",
"id": "GHSA-xh5q-pch5-g3xq",
"modified": "2026-04-15T00:31:33Z",
"published": "2025-01-14T18:32:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12085"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/952657"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250131-0002"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/952657"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330539"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-12085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:2701"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1451"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1242"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1227"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1225"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1128"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1123"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:1120"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0884"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0849"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0790"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0787"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0774"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0714"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0688"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0637"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0325"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0324"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2025:6470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.