CWE-909
Allowed-with-ReviewMissing Initialization of Resource
Abstraction: Class · Status: Incomplete
The product does not initialize a critical resource.
96 vulnerabilities reference this CWE, most recent first.
GHSA-FQ53-QQ54-MGGP
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05In readVector of IMediaPlayer.cpp, there is a possible read of uninitialized heap data due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-173720767
{
"affected": [],
"aliases": [
"CVE-2021-0484"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T17:15:00Z",
"severity": "MODERATE"
},
"details": "In readVector of IMediaPlayer.cpp, there is a possible read of uninitialized heap data due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-173720767",
"id": "GHSA-fq53-qq54-mggp",
"modified": "2022-05-24T19:05:00Z",
"published": "2022-05-24T19:05:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0484"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-05-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FWFG-74JC-WGX8
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36On Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional after reboot even if they are disabled in the device configuration. For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource
{
"affected": [],
"aliases": [
"CVE-2020-12523"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-17T23:15:00Z",
"severity": "CRITICAL"
},
"details": "On Phoenix Contact mGuard Devices versions before 8.8.3 LAN ports get functional after reboot even if they are disabled in the device configuration. For mGuard devices with integrated switch on the LAN side, single switch ports can be disabled by device configuration. After a reboot these ports get functional independent from their configuration setting: Missing Initialization of Resource",
"id": "GHSA-fwfg-74jc-wgx8",
"modified": "2022-05-24T17:36:49Z",
"published": "2022-05-24T17:36:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12523"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2020-046"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FX82-RMFC-9CQG
Vulnerability from github – Published: 2025-09-30 12:30 – Updated: 2025-11-26 15:34PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not use reset password functionality. This issue affects all 3 templates: www, bip and www+bip.
This product is End-Of-Life and producent will not publish patches for this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-8117"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-30T11:37:43Z",
"severity": "HIGH"
},
"details": "PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not use reset password functionality. This issue affects all 3 templates: www, bip and www+bip.\n\nThis product is End-Of-Life and producent will not publish patches for this vulnerability.",
"id": "GHSA-fx82-rmfc-9cqg",
"modified": "2025-11-26T15:34:09Z",
"published": "2025-09-30T12:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8117"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2025/09/CVE-2025-7063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G8JR-FHMG-4FR5
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-05-24 17:28In libcodec2_soft_mp3dec, there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-144901522
{
"affected": [],
"aliases": [
"CVE-2020-0340"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T21:15:00Z",
"severity": "MODERATE"
},
"details": "In libcodec2_soft_mp3dec, there is a possible information disclosure due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-144901522",
"id": "GHSA-g8jr-fhmg-4fr5",
"modified": "2022-05-24T17:28:40Z",
"published": "2022-05-24T17:28:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0340"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G9MP-JJ45-5FGJ
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40A denial of service vulnerability in the Android media framework (h264 decoder). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36279112.
{
"affected": [],
"aliases": [
"CVE-2017-0730"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-09T21:29:00Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability in the Android media framework (h264 decoder). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36279112.",
"id": "GHSA-g9mp-jj45-5fgj",
"modified": "2022-05-13T01:40:34Z",
"published": "2022-05-13T01:40:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0730"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-08-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100204"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GCF6-WPV7-J445
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112052432
{
"affected": [],
"aliases": [
"CVE-2019-9316"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112052432",
"id": "GHSA-gcf6-wpv7-j445",
"modified": "2024-04-04T02:05:33Z",
"published": "2022-05-24T16:57:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9316"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GJP5-Q339-6F4Q
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:04In AAC Codec, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120426166
{
"affected": [],
"aliases": [
"CVE-2019-9247"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "In AAC Codec, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-120426166",
"id": "GHSA-gjp5-q339-6f4q",
"modified": "2024-04-04T02:04:47Z",
"published": "2022-05-24T16:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9247"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GPG2-6GWQ-VF2G
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.
{
"affected": [],
"aliases": [
"CVE-2019-3804"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-26T18:29:00Z",
"severity": "HIGH"
},
"details": "It was found that cockpit before version 184 used glib\u0027s base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.",
"id": "GHSA-gpg2-6gwq-vf2g",
"modified": "2022-05-13T01:05:24Z",
"published": "2022-05-13T01:05:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3804"
},
{
"type": "WEB",
"url": "https://github.com/cockpit-project/cockpit/pull/10819"
},
{
"type": "WEB",
"url": "https://github.com/cockpit-project/cockpit/commit/c51f6177576d7e12"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1569"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1571"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GR8P-66G9-4565
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2022-05-24 17:02In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that an object identifier is set to NULL after a ContentInfo dissection.
{
"affected": [],
"aliases": [
"CVE-2019-19553"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-05T01:15:00Z",
"severity": "MODERATE"
},
"details": "In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that an object identifier is set to NULL after a ContentInfo dissection.",
"id": "GHSA-gr8p-66g9-4565",
"modified": "2022-05-24T17:02:44Z",
"published": "2022-05-24T17:02:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19553"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=34d2e0d5318d0a7e9889498c721639e5cbf4ce45"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00008.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2019-22.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GVW2-FVQG-V8MM
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.
{
"affected": [],
"aliases": [
"CVE-2018-14647"
],
"database_specific": {
"cwe_ids": [
"CWE-909"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-25T00:29:00Z",
"severity": "HIGH"
},
"details": "Python\u0027s elementtree C accelerator failed to initialise Expat\u0027s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat\u0027s internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.",
"id": "GHSA-gvw2-fvqg-v8mm",
"modified": "2022-05-13T01:25:00Z",
"published": "2022-05-13T01:25:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14647"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1260"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2030"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3725"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue34623"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3817-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3817-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4306"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4307"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105396"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041740"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.