CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-XVXX-4FR3-55XV
Vulnerability from github – Published: 2026-01-07 21:31 – Updated: 2026-01-12 18:30Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.
{
"affected": [],
"aliases": [
"CVE-2026-22188"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T21:16:02Z",
"severity": "MODERATE"
},
"details": "Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior.",
"id": "GHSA-xvxx-4fr3-55xv",
"modified": "2026-01-12T18:30:24Z",
"published": "2026-01-07T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22188"
},
{
"type": "WEB",
"url": "https://github.com/panda3d/panda3d"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2026/Jan/9"
},
{
"type": "WEB",
"url": "https://www.panda3d.org"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/panda3d-deploy-stub-stack-exhaustion-via-unbounded-alloca"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XXQ4-9C68-6533
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30Windows Authentication Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38254"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T17:15:31Z",
"severity": "MODERATE"
},
"details": "Windows Authentication Information Disclosure Vulnerability",
"id": "GHSA-xxq4-9c68-6533",
"modified": "2024-09-10T18:30:46Z",
"published": "2024-09-10T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38254"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.