Common Weakness Enumeration

CWE-665

Discouraged

Improper Initialization

Abstraction: Class · Status: Draft

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

425 vulnerabilities reference this CWE, most recent first.

GHSA-MX54-9G2J-8G2M

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2024-01-01 00:30
VLAI
Details

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-0928, CVE-2020-1033, CVE-2020-1589, CVE-2020-16854.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-11T17:15:00Z",
    "severity": "LOW"
  },
  "details": "An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka \u0027Windows Kernel Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2020-0928, CVE-2020-1033, CVE-2020-1589, CVE-2020-16854.",
  "id": "GHSA-mx54-9g2j-8g2m",
  "modified": "2024-01-01T00:30:42Z",
  "published": "2022-05-24T17:28:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1592"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1592"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXMQ-W35F-5FR4

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Improper initialization in a subsystem in the Intel(R) CSME versions before 11.8.86, 11.12.86, 11.22.86, 12.0.81, 13.0.47, 13.30.17, 14.1.53, 14.5.32, 13.50.11 and 15.0.22 may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper initialization in a subsystem in the Intel(R) CSME versions before 11.8.86, 11.12.86, 11.22.86, 12.0.81, 13.0.47, 13.30.17, 14.1.53, 14.5.32, 13.50.11 and 15.0.22 may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-mxmq-w35f-5fr4",
  "modified": "2022-05-24T19:04:29Z",
  "published": "2022-05-24T19:04:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24507"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210611-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00459.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P2FM-M9QC-J6X3

Vulnerability from github – Published: 2023-12-30 03:30 – Updated: 2025-04-17 21:30
VLAI
Details

Improper initialization of x87 and SSE floating-point configuration registers in the __scone_entry component of SCONE before 5.8.0 for Intel SGX allows a local attacker to compromise the execution integrity of floating-point operations in an enclave or access sensitive information via side-channel analysis.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-30T03:15:08Z",
    "severity": "HIGH"
  },
  "details": "Improper initialization of x87 and SSE floating-point configuration registers in the __scone_entry component of SCONE before 5.8.0 for Intel SGX allows a local attacker to compromise the execution integrity of floating-point operations in an enclave or access sensitive information via side-channel analysis.",
  "id": "GHSA-p2fm-m9qc-j6x3",
  "modified": "2025-04-17T21:30:39Z",
  "published": "2023-12-30T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15107"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46487"
    },
    {
      "type": "WEB",
      "url": "https://jovanbulck.github.io/files/acsac20-fpu.pdf"
    },
    {
      "type": "WEB",
      "url": "https://jovanbulck.github.io/files/oakland24-pandora.pdf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0561#vulnCurrentDescriptionTitle"
    },
    {
      "type": "WEB",
      "url": "https://sconedocs.github.io/release5.7"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html#inpage-nav-3-3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P346-P3V9-5QQ8

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-25 00:00
VLAI
Details

Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.",
  "id": "GHSA-p346-p3v9-5qq8",
  "modified": "2022-08-25T00:00:26Z",
  "published": "2022-08-19T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32579"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00712.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P387-C589-X473

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command. NOTE: the vendor indicates that there is no common or recommended scenario in which a root script would execute this kill command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-23T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command. NOTE: the vendor indicates that there is no common or recommended scenario in which a root script would execute this kill command.",
  "id": "GHSA-p387-c589-x473",
  "modified": "2022-05-13T01:43:11Z",
  "published": "2022-05-13T01:43:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13649"
    },
    {
      "type": "WEB",
      "url": "https://bugs.unrealircd.org/view.php?id=4990"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100507"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3J3-7Q7C-3G53

Vulnerability from github – Published: 2024-04-10 21:30 – Updated: 2024-04-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cfg80211: call cfg80211_stop_ap when switch from P2P_GO type

If the userspace tools switch from NL80211_IFTYPE_P2P_GO to NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it does not call the cleanup cfg80211_stop_ap(), this leads to the initialization of in-use data. For example, this path re-init the sdata->assigned_chanctx_list while it is still an element of assigned_vifs list, and makes that linked list corrupt.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-10T19:15:47Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\n\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata-\u003eassigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt.",
  "id": "GHSA-p3j3-7q7c-3g53",
  "modified": "2024-04-19T21:31:07Z",
  "published": "2024-04-10T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47194"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0738cdb636c21ab552eaecf905efa4a6070e3ebc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e458abbb4a523f1413bfe15c079cf4e24c15b21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52affc201fc22a1ab9a59ef0ed641a9adfcb8d13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/563fbefed46ae4c1f70cffb8eb54c02df480b2c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a9b671c8d74a3e1b999e7a0c7f366079bcc93dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b97b5776daa0b39dbdadfea176f9cc0646d4a66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f06bb8c216bcd172394f61e557727e691b4cb24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8a045e2a9b234cfbc06cf36923886164358ddec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4P6-GWHQ-Q5Q7

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01
VLAI
Details

On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-19T22:15:00Z",
    "severity": "LOW"
  },
  "details": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.",
  "id": "GHSA-p4p6-gwhq-q5q7",
  "modified": "2022-05-24T17:01:35Z",
  "published": "2022-05-24T17:01:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19126"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FQ5LC6JOYSOYFPRUZ4S45KL6IP3RPPZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFJ5E7NWOL6ROE5QVICHKIOUGCPFJVUH"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=25204"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4416-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5MC-228W-WJFM

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:46
VLAI
Details

Failure to initialize the extra buffer can lead to an out of buffer access in WLAN function in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11949"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-24T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Failure to initialize the extra buffer can lead to an out of buffer access in WLAN function in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM630, SDM660, SDX20, SDX24",
  "id": "GHSA-p5mc-228w-wjfm",
  "modified": "2024-04-04T00:46:59Z",
  "published": "2022-05-24T16:46:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11949"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2019/04/01/april-2019-code-aurora-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7X9-2GR9-QM7X

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Microsoft Office 2016, and Microsoft Office 2016 Click-to-Run (C2R) allow an information disclosure vulnerability, due to how Office initializes the affected variable, aka "Microsoft Office Information Disclosure Vulnerability".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-15T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Microsoft Office 2016, and Microsoft Office 2016 Click-to-Run (C2R) allow an information disclosure vulnerability, due to how Office initializes the affected variable, aka \"Microsoft Office Information Disclosure Vulnerability\".",
  "id": "GHSA-p7x9-2gr9-qm7x",
  "modified": "2022-05-13T01:18:33Z",
  "published": "2022-05-13T01:18:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0853"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0853"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102868"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040381"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P84C-PFQC-C27P

Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-23 21:30
VLAI
Details

An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted.

The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message:

reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump

This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP:

  • 24.4 versions before 24.4R2,
  • 25.2 versions before 25.2R1-S2, 25.2R2.

This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-15T21:16:07Z",
    "severity": "HIGH"
  },
  "details": "An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\nOn EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP)\u00a0a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted.\n\n\n\n\nThe following reboot reason can be seen in the output of \u0027show chassis routing-engine\u0027 and as a log message:\n\n\u00a0 reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump \n\n\n\n\nThis issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP:\n\n\n\n  *  24.4 versions before 24.4R2,\n  *  25.2 versions before 25.2R1-S2, 25.2R2.\n\n\n\n\nThis issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.",
  "id": "GHSA-p84c-pfqc-c27p",
  "modified": "2026-01-23T21:30:40Z",
  "published": "2026-01-15T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21913"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA106014"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA106014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.