Common Weakness Enumeration

CWE-457

Allowed

Use of Uninitialized Variable

Abstraction: Variant · Status: Draft

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

298 vulnerabilities reference this CWE, most recent first.

GHSA-PH86-G9R3-5QW4

Vulnerability from github – Published: 2024-02-24 06:30 – Updated: 2025-02-12 21:59
VLAI
Summary
Uninitialized Variable in fastecdsa
Details

Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fastecdsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-12T21:59:29Z",
    "nvd_published_at": "2024-02-24T05:15:44Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable\u0027s actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.",
  "id": "GHSA-ph86-g9r3-5qw4",
  "modified": "2025-02-12T21:59:29Z",
  "published": "2024-02-24T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21502"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AntonKueltz/fastecdsa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uninitialized Variable in fastecdsa"
}

GHSA-PVH9-2948-MGMJ

Vulnerability from github – Published: 2025-02-03 06:30 – Updated: 2025-02-03 18:30
VLAI
Details

In DA, there is a possible read of uninitialized heap data due to uninitialized data. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291449; Issue ID: MSV-2066.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T04:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In DA, there is a possible read of uninitialized heap data due to uninitialized data. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09291449; Issue ID: MSV-2066.",
  "id": "GHSA-pvh9-2948-mgmj",
  "modified": "2025-02-03T18:30:41Z",
  "published": "2025-02-03T06:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20638"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/February-2025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q386-C4R6-FHPQ

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of J2K files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-20909.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:38Z",
    "severity": "LOW"
  },
  "details": "PDF-XChange Editor J2K File Parsing Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of J2K files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-20909.",
  "id": "GHSA-q386-c4r6-fhpq",
  "modified": "2024-05-03T03:31:00Z",
  "published": "2024-05-03T03:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42048"
    },
    {
      "type": "WEB",
      "url": "https://www.tracker-software.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q545-RCCV-33G7

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 21:31
VLAI
Details

Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:10Z",
    "severity": "MODERATE"
  },
  "details": "Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-q545-rccv-33g7",
  "modified": "2026-06-05T21:31:57Z",
  "published": "2026-06-05T00:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11064"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/499075743"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7RV-P9GV-MCJ9

Vulnerability from github – Published: 2024-05-08 00:31 – Updated: 2024-05-08 00:31
VLAI
Details

Foxit PDF Reader Annotation Use of Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14658.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-07T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "Foxit PDF Reader Annotation Use of Uninitialized Variable Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14658.",
  "id": "GHSA-q7rv-p9gv-mcj9",
  "modified": "2024-05-08T00:31:13Z",
  "published": "2024-05-08T00:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34953"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC4P-7G72-JQRQ

Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-05-07 12:30
VLAI
Details

An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while parsing HTTP requests. In certain configurations, a specially crafted HTTP request can result in disclosure of data allocated on the heap, which could contain sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T16:15:06Z",
    "severity": "MODERATE"
  },
  "details": "An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while parsing HTTP requests. In certain configurations, a specially crafted HTTP request can result in disclosure of data allocated on the heap, which could contain sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.",
  "id": "GHSA-qc4p-7g72-jqrq",
  "modified": "2024-05-07T12:30:50Z",
  "published": "2024-05-01T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40533"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/05/07/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QG3J-XJ32-H7FH

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-01 00:01
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF images. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15411.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF images. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15411.",
  "id": "GHSA-qg3j-xj32-h7fh",
  "modified": "2022-03-01T00:01:01Z",
  "published": "2022-02-19T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46617"
    },
    {
      "type": "WEB",
      "url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0015"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QJ6X-X634-3RC3

Vulnerability from github – Published: 2026-07-09 00:31 – Updated: 2026-07-09 15:32
VLAI
Details

Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T23:16:52Z",
    "severity": "MODERATE"
  },
  "details": "Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-qj6x-x634-3rc3",
  "modified": "2026-07-09T15:32:29Z",
  "published": "2026-07-09T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15109"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/516899138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP6G-F22X-MGXR

Vulnerability from github – Published: 2024-04-16 09:30 – Updated: 2024-04-16 09:30
VLAI
Details

In OffloadAMRWriter, a scalar field is not initialized so will contain an arbitrary value left over from earlier computations

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-16T09:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In OffloadAMRWriter, a scalar field is not initialized so will contain an arbitrary value left over from earlier computations",
  "id": "GHSA-qp6g-f22x-mgxr",
  "modified": "2024-04-16T09:30:33Z",
  "published": "2024-04-16T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32625"
    },
    {
      "type": "WEB",
      "url": "https://www.asrmicro.com/en/goods/psirt?cid=38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWW9-Q864-VPMP

Vulnerability from github – Published: 2025-09-06 18:30 – Updated: 2025-09-06 18:30
VLAI
Details

Use of an uninitialized variable in the ASP could allow an attacker to access leftover data from a trusted execution environment (TEE) driver, potentially leading to loss of confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-06T17:15:31Z",
    "severity": "LOW"
  },
  "details": "Use of an uninitialized variable in the ASP could allow an attacker to access leftover data from a trusted execution environment (TEE) driver, potentially leading to loss of confidentiality.",
  "id": "GHSA-qww9-q864-vpmp",
  "modified": "2025-09-06T18:30:32Z",
  "published": "2025-09-06T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31326"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4012.html"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-5007.html"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6018.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-57
Implementation

Strategy: Attack Surface Reduction

Ensure that critical variables are initialized before first use [REF-1485].

Mitigation
Build and Compilation

Strategy: Compilation or Build Hardening

Most compilers will complain about the use of uninitialized variables if warnings are turned on.

Mitigation
Implementation Operation

When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name.

Mitigation
Requirements

Strategy: Language Selection

Choose a language that is not susceptible to these issues.

Mitigation
Architecture and Design

Mitigating technologies such as safe string libraries and container abstractions could be introduced.

No CAPEC attack patterns related to this CWE.