Common Weakness Enumeration

CWE-909

Allowed-with-Review

Missing Initialization of Resource

Abstraction: Class · Status: Incomplete

The product does not initialize a critical resource.

96 vulnerabilities reference this CWE, most recent first.

GHSA-HCCR-2HX6-MWMP

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-25 00:01
VLAI
Details

Access of uninitialized pointer vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6.1.6.0, which may allow an attacker to obtain information and/or execute arbitrary code by having a user to open a specially crafted image file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "Access of uninitialized pointer vulnerability exists in the simulator module contained in the graphic editor \u0027V-SFT\u0027 versions prior to v6.1.6.0, which may allow an attacker to obtain information and/or execute arbitrary code by having a user to open a specially crafted image file.",
  "id": "GHSA-hccr-2hx6-mwmp",
  "modified": "2022-06-25T00:01:04Z",
  "published": "2022-06-15T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29925"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU99188133/index.html"
    },
    {
      "type": "WEB",
      "url": "https://monitouch.fujielectric.com/site/download-e/09vsft6_inf/Search.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMQ5-VC89-4M9M

Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-04-20 00:01
VLAI
Details

An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. A specially-crafted pick-and-place file can exploit the missing initialization of a structure to leak memory contents. An attacker can provide a malicious file to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-456",
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the pick-and-place rotation parsing functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.8.0. A specially-crafted pick-and-place file can exploit the missing initialization of a structure to leak memory contents. An attacker can provide a malicious file to trigger this vulnerability.",
  "id": "GHSA-hmq5-vc89-4m9m",
  "modified": "2022-04-20T00:01:31Z",
  "published": "2022-02-10T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40403"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTGBC37N2FV7NKOWFVCFMPAFYEPHSB7C"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1417"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP44-V4VF-23FQ

Vulnerability from github – Published: 2025-01-17 21:31 – Updated: 2025-01-18 00:30
VLAI
Details

Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com access, but provides unintended functionality (including Chromium Developer Tools) that can result in a client user accessing arbitrary remote websites.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-17T20:15:28Z",
    "severity": "HIGH"
  },
  "details": "Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com access, but provides unintended functionality (including Chromium Developer Tools) that can result in a client user accessing arbitrary remote websites.",
  "id": "GHSA-hp44-v4vf-23fq",
  "modified": "2025-01-18T00:30:48Z",
  "published": "2025-01-17T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52870"
    },
    {
      "type": "WEB",
      "url": "https://chrismanson.com/CVE/cve-2024-52870.html"
    },
    {
      "type": "WEB",
      "url": "https://www.teradata.com/trust-security-center/data-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JG94-6RJH-CFH5

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-18T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value.",
  "id": "GHSA-jg94-6rjh-cfh5",
  "modified": "2022-05-24T19:17:45Z",
  "published": "2022-05-24T19:17:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36513"
    },
    {
      "type": "WEB",
      "url": "https://github.com/signalwire/freeswitch/issues/1245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
    },
    {
      "type": "WEB",
      "url": "https://newreleases.io/project/github/signalwire/freeswitch/release/v1.10.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JJ9Q-C2R3-CV43

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-03T20:00:00Z",
    "severity": "LOW"
  },
  "details": "The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.",
  "id": "GHSA-jj9q-c2r3-cv43",
  "modified": "2022-05-13T01:23:45Z",
  "published": "2022-05-13T01:23:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3877"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=649717"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64578"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=linux-netdev\u0026m=128854507420917\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/02/7"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/04/5"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42884"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/46397"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2126"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc2"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:029"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0017.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/44630"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JQCP-W97C-4JJV

Vulnerability from github – Published: 2024-12-28 12:30 – Updated: 2025-09-26 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

thermal: testing: Initialize some variables annoteded with _free()

Variables annotated with __free() need to be initialized if the function can return before they get updated for the first time or the attempt to free the memory pointed to by them upon function return may crash the kernel.

Fix this issue in some places in the thermal testing code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-28T10:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: testing: Initialize some variables annoteded with _free()\n\nVariables annotated with __free() need to be initialized if the function\ncan return before they get updated for the first time or the attempt to\nfree the memory pointed to by them upon function return may crash the\nkernel.\n\nFix this issue in some places in the thermal testing code.",
  "id": "GHSA-jqcp-w97c-4jjv",
  "modified": "2025-09-26T21:30:26Z",
  "published": "2024-12-28T12:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56676"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0104dcdaad3a7afd141e79a5fb817a92ada910ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/526c132124a62be486bad1701f7e8e92212ccec6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M4GR-2PP5-FJMM

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:41
VLAI
Details

The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-11-29T16:00:00Z",
    "severity": "LOW"
  },
  "details": "The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.",
  "id": "GHSA-m4gr-2pp5-fjmm",
  "modified": "2025-04-11T03:41:28Z",
  "published": "2022-05-13T01:23:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4078"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=648665"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=fd02db9de73faebc51240619c7c7f99bee9f65c7"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fd02db9de73faebc51240619c7c7f99bee9f65c7"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42778"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42801"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2126"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.36/ChangeLog-2.6.36-rc6"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:051"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/09/25/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/10/06/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/10/07/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/10/25/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/43810"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0012"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0298"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M932-4PMG-RPMM

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05
VLAI
Details

In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111761624

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-27T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In libavc, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111761624",
  "id": "GHSA-m932-4pmg-rpmm",
  "modified": "2024-04-04T02:05:37Z",
  "published": "2022-05-24T16:57:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9320"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCV2-HJV7-J2XW

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05
VLAI
Details

In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112005441

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-27T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In libstagefright, there is a missing variable initialization. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112005441",
  "id": "GHSA-mcv2-hjv7-j2xw",
  "modified": "2024-04-04T02:05:29Z",
  "published": "2022-05-24T16:57:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9313"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRQF-77V8-CWVF

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

In ipSecSetEncapSocketOwner of XfrmController.cpp, there is a possible failure to initialize a security feature due to uninitialized data. This could lead to local denial of service of IPsec on sockets with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-9.0 Android ID: A-111650288

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-02T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In ipSecSetEncapSocketOwner of XfrmController.cpp, there is a possible failure to initialize a security feature due to uninitialized data. This could lead to local denial of service of IPsec on sockets with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-9.0 Android ID: A-111650288",
  "id": "GHSA-mrqf-77v8-cwvf",
  "modified": "2022-05-13T01:53:56Z",
  "published": "2022-05-13T01:53:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9511"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/system/netd/+/931418b16c7197ca2df34c2a5609e49791125abe"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-10-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-10-01,"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105482"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.