CWE-457: Use of Uninitialized Variable
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
扩展描述
In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.
常见后果
影响范围: Availability Integrity Other
技术影响: Other
说明: Initial variables usually contain junk, which can not be trusted for consistency. This can lead to denial of service conditions, or modify control flow in unexpected ways. In some cases, an attacker can "pre-initialize" the variable using previous actions, which might enable code execution. This can cause a race condition if a lock variable check passes when it should not.
影响范围: Authorization Other
技术影响: Other
说明: Strings that are not initialized are especially dangerous, since many functions expect a null at the end -- and only at the end -- of a string.
潜在缓解措施
阶段: Implementation
策略: Attack Surface Reduction
描述: Ensure that critical variables are initialized before first use [REF-1485].
阶段: Build and Compilation
策略: Compilation or Build Hardening
描述: Most compilers will complain about the use of uninitialized variables if warnings are turned on.
阶段: Implementation Operation
描述: When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.
阶段: Requirements
策略: Language Selection
描述: Choose a language that is not susceptible to these issues.
阶段: Architecture and Design
描述: Mitigating technologies such as safe string libraries and container abstractions could be introduced.
检测方法
方法: Fuzzing
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
有效性: High
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2019-15900
Chain: sscanf() call is used to check if a username and group exists, but the return value of sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).
参考: CVE-2008-3688
Chain: A denial of service may be caused by an uninitialized variable (CWE-457) allowing an infinite loop (CWE-835) resulting from a connection to an unresponsive server.
参考: CVE-2008-0081
Uninitialized variable leads to code execution in popular desktop application.
参考: CVE-2007-4682
Crafted input triggers dereference of an uninitialized object pointer.
参考: CVE-2007-3468
Crafted audio file triggers crash when an uninitialized variable is used.
参考: CVE-2007-2728
Uninitialized random seed variable used.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | In C, using an uninitialized char * in some string libraries will return incorrect results, as the libraries expect the null terminator to always be at the end of a string, even if the string is empty. |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Uninitialized variable | - |
| 7 Pernicious Kingdoms | - | Uninitialized Variable | - |
| Software Fault Patterns | SFP1 | Glitch in computation | - |
| SEI CERT Perl Coding Standard | DCL33-PL | Declare identifiers before using them | Imprecise |