CWE-908: Use of Uninitialized Resource
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product uses or accesses a resource that has not been initialized.
Extended Description
When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Memory; Read Application Data
Note: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart
Note: The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Potential Mitigations
Phase: Implementation
Description: Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Phase: Implementation
Description: Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Phase: Implementation
Description: Avoid race conditions (CWE-362) during initialization routines.
Phase: Build and Compilation
Description: Run or compile the product with settings that generate warnings about uninitialized variables or data.
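Added example (not part of the CWE entry): the Confidentiality consequence and the "explicitly initialize the resource before use" mitigation, shown in C with a reply buffer that is reused across requests. The buffer pool, function names and sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_LEN 32
static const char SECRET[] = "user=alice;token=S3CR3T-SAMPLE"; /* constructed */
static const char ERR_MSG[] = "ERR bad request";               /* constructed */

/* Hypothetical reply buffer that is reused across requests. */
static unsigned char pool[REPLY_LEN];

/* An earlier request leaves sensitive data behind in the shared buffer. */
static void handle_login(void) { memcpy(pool, SECRET, sizeof SECRET); }

/* Weak: only the message bytes are written, but the whole fixed-size
 * reply is sent, so stale bytes from the previous use go out with it. */
static size_t build_error_weak(unsigned char *out) {
    memcpy(pool, ERR_MSG, strlen(ERR_MSG));
    memcpy(out, pool, REPLY_LEN);
    return REPLY_LEN;
}

/* Hardened: the whole resource is initialized before it is used. */
static size_t build_error_fixed(unsigned char *out) {
    memset(pool, 0, REPLY_LEN);
    memcpy(pool, ERR_MSG, strlen(ERR_MSG));
    memcpy(out, pool, REPLY_LEN);
    return REPLY_LEN;
}

/* Counts non-zero bytes after the intended message: data that leaked. */
static size_t stale_bytes(const unsigned char *reply, size_t len) {
    size_t n = 0;
    for (size_t i = strlen(ERR_MSG); i < len; i++)
        if (reply[i] != 0) n++;
    return n;
}

/* Login followed by an error reply; returns how many stale bytes went out. */
static size_t demo(int hardened) {
    unsigned char wire[REPLY_LEN];
    handle_login();
    size_t len = hardened ? build_error_fixed(wire) : build_error_weak(wire);
    return stale_bytes(wire, len);
}

int main(void) {
    printf("weak: %zu stale, fixed: %zu stale\n", demo(0), demo(1));
    return 0;
}
```

Sending only the bytes that were actually written, instead of the full fixed-size buffer, closes the same leak from the other side.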
Observed Examples
Reference: CVE-2019-9805
Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.
Reference: CVE-2008-4197
Use of uninitialized memory may allow code execution.
Reference: CVE-2008-2934
Free of an uninitialized pointer leads to crash and possible code execution.
Reference: CVE-2008-0063
Product does not clear memory contents when generating an error message, leading to information leak.
Reference: CVE-2008-0062
Lack of initialization triggers NULL pointer dereference or double-free.
Reference: CVE-2008-0081
Uninitialized variable leads to code execution in popular desktop application.
Reference: CVE-2008-3688
Chain: Uninitialized variable leads to infinite loop.
Reference: CVE-2008-3475
Chain: Improper initialization leads to memory corruption.
Reference: CVE-2005-1036
Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
Reference: CVE-2008-3597
Chain: game server can access player data structures before initialization has happened leading to NULL dereference
Reference: CVE-2009-2692
Chain: uninitialized function pointers can be dereferenced allowing code execution
Reference: CVE-2009-0949
Chain: improper initialization of memory can lead to NULL dereference
Reference: CVE-2009-3620
Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| CERT C Secure Coding | EXP33-C | Do not read uninitialized memory | CWE More Abstract |