Common Weakness Enumeration

CWE-665

Discouraged

Improper Initialization

Abstraction: Class · Status: Draft

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

425 vulnerabilities reference this CWE, most recent first.

GHSA-X6HR-F96V-HHGG

Vulnerability from github – Published: 2026-06-18 15:32 – Updated: 2026-06-18 15:32
VLAI
Details

Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-18T14:17:22Z",
    "severity": "MODERATE"
  },
  "details": "Docker Sandboxes (sbx) blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat model treats as untrusted, can therefore defeat the documented ICMP egress block to perform network reconnaissance and exfiltrate data over an ICMP covert channel, regardless of the configured allowlist.",
  "id": "GHSA-x6hr-f96v-hhgg",
  "modified": "2026-06-18T15:32:02Z",
  "published": "2026-06-18T15:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12539"
    },
    {
      "type": "WEB",
      "url": "https://docs.docker.com/ai/sandboxes"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docker/sbx-releases/releases/tag/v0.33.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X73J-6C5W-6H22

Vulnerability from github – Published: 2024-12-05 18:31 – Updated: 2025-04-18 18:31
VLAI
Details

An “uninitialized variable” code execution vulnerability exists in the

Rockwell Automation Arena®

that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-05T18:15:21Z",
    "severity": "HIGH"
  },
  "details": "An \u201cuninitialized variable\u201d code execution vulnerability exists in the \n\nRockwell Automation Arena\u00ae\n\n that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.",
  "id": "GHSA-x73j-6c5w-6h22",
  "modified": "2025-04-18T18:31:20Z",
  "published": "2024-12-05T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11158"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X7PH-2VFF-2HX7

Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18
VLAI
Details

The Windows kernel in Windows 10 version 1703. Windows 10 version 1709, and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are handled in memory, aka "Windows Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0746 and CVE-2018-0747.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-04T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The Windows kernel in Windows 10 version 1703. Windows 10 version 1709, and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are handled in memory, aka \"Windows Information Disclosure Vulnerability\". This CVE ID is unique from CVE-2018-0746 and CVE-2018-0747.",
  "id": "GHSA-x7ph-2vff-2hx7",
  "modified": "2022-05-13T01:18:25Z",
  "published": "2022-05-13T01:18:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0745"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0745"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43470"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102353"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040097"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8H5-MF58-6XG9

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20
VLAI
Details

An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8336, CVE-2018-8442, CVE-2018-8443, CVE-2018-8445, CVE-2018-8446.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-13T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address, aka \"Windows Kernel Information Disclosure Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8336, CVE-2018-8442, CVE-2018-8443, CVE-2018-8445, CVE-2018-8446.",
  "id": "GHSA-x8h5-mf58-6xg9",
  "modified": "2022-05-13T01:20:53Z",
  "published": "2022-05-13T01:20:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8419"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8419"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105238"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041635"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9C2-RMRG-4H96

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31
VLAI
Details

Improper initialization for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T19:15:14Z",
    "severity": "LOW"
  },
  "details": "Improper initialization for some Intel Unison software may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-x9c2-rmrg-4h96",
  "modified": "2023-11-14T21:31:00Z",
  "published": "2023-11-14T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45109"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00963.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCG6-8PRP-MXMV

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

Insecure default variable initialization for the Intel BSSA DFT feature may allow a privileged user to potentially enable an escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-16T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure default variable initialization for the Intel BSSA DFT feature may allow a privileged user to potentially enable an escalation of privilege via local access.",
  "id": "GHSA-xcg6-8prp-mxmv",
  "modified": "2022-05-24T19:11:15Z",
  "published": "2022-05-24T19:11:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0114"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220210-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00525.html"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00527.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG6V-VR2F-H5XX

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

Improper memory initialization in Platform Sample/Silicon Reference firmware Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow privileged user to potentially enable an escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-14T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Improper memory initialization in Platform Sample/Silicon Reference firmware Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow privileged user to potentially enable an escalation of privilege via local access.",
  "id": "GHSA-xg6v-vr2f-h5xx",
  "modified": "2022-05-13T01:49:30Z",
  "published": "2022-05-13T01:49:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12204"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190318-0002"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03912en_us"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03929en_us"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03978en_us"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00191.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJWH-3RM6-W25H

Vulnerability from github – Published: 2024-09-02 18:31 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fuse: Initialize beyond-EOF page contents before setting uptodate

fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents).

So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate.

The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap().

This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-02T18:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: Initialize beyond-EOF page contents before setting uptodate\n\nfuse_notify_store(), unlike fuse_do_readpage(), does not enable page\nzeroing (because it can be used to change partial page contents).\n\nSo fuse_notify_store() must be more careful to fully initialize page\ncontents (including parts of the page that are beyond end-of-file)\nbefore marking the page uptodate.\n\nThe current code can leave beyond-EOF page contents uninitialized, which\nmakes these uninitialized page contents visible to userspace via mmap().\n\nThis is an information leak, but only affects systems which do not\nenable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the\ncorresponding kernel command line parameter).",
  "id": "GHSA-xjwh-3rm6-w25h",
  "modified": "2025-11-04T00:31:19Z",
  "published": "2024-09-02T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44947"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://project-zero.issues.chromium.org/issues/42451729"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMPR-F2G5-9588

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40
VLAI
Details

A remote code execution vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37968755.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-09T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37968755.",
  "id": "GHSA-xmpr-f2g5-9588",
  "modified": "2022-05-13T01:40:33Z",
  "published": "2022-05-13T01:40:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0723"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-08-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100204"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP39-WHPP-93GX

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-12-31 21:30
VLAI
Details

An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2020-16938.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-16T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory.To exploit this vulnerability, an authenticated attacker could run a specially crafted application, aka \u0027Windows Kernel Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2020-16938.",
  "id": "GHSA-xp39-whpp-93gx",
  "modified": "2023-12-31T21:30:22Z",
  "published": "2022-05-24T17:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16901"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16901"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Architecture and Design

Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.

Mitigation
Implementation

Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.