CWE-824
AllowedAccess of Uninitialized Pointer
Abstraction: Base · Status: Incomplete
The product accesses or uses a pointer that has not been initialized.
451 vulnerabilities reference this CWE, most recent first.
GHSA-MV6Q-6XX6-CMH5
Vulnerability from github – Published: 2023-11-16 18:30 – Updated: 2023-11-16 18:30Adobe Audition version 24.0 (and earlier) and 23.6.1 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-47053"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-16T16:15:33Z",
"severity": "MODERATE"
},
"details": "Adobe Audition version 24.0 (and earlier) and 23.6.1 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-mv6q-6xx6-cmh5",
"modified": "2023-11-16T18:30:31Z",
"published": "2023-11-16T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47053"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/audition/apsb23-64.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MW5R-WQ2M-397C
Vulnerability from github – Published: 2026-07-01 17:45 – Updated: 2026-07-01 17:45Summary
A memory-safety vulnerability in Open Babel's GRO parser caused an uninitialized pointer dereference when reading a crafted input file.
Details
The flaw was in the residue handling of the GRO reader. A malformed record caused the parser to use a residue pointer that had never been initialized.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious GRO file with the obabel
tool, the OBConversion API, or any of the language bindings (Python,
Ruby, Java, R, Perl, C#, PHP).
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: https://github.com/openbabel/openbabel/commit/fa9a2d9a
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.
Credit
Reported by Cisco TALOS.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openbabel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42885"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T17:45:46Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s GRO parser caused an\nuninitialized pointer dereference when reading a crafted input file.\n\n### Details\n\nThe flaw was in the residue handling of the GRO reader. A malformed\nrecord caused the parser to use a residue pointer that had never been\ninitialized.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious GRO file with the `obabel`\ntool, the `OBConversion` API, or any of the language bindings (Python,\nRuby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/fa9a2d9a\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported by Cisco TALOS.",
"id": "GHSA-mw5r-wq2m-397c",
"modified": "2026-07-01T17:45:47Z",
"published": "2026-07-01T17:45:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-mw5r-wq2m-397c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42885"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/commit/fa9a2d9a2eb75154b7a884dfe679ff41a8f9c547"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbabel/openbabel"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1668"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open Babel has uninitialized pointer dereference in GRO residue parser"
}
GHSA-MWVH-C89Q-73J6
Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-06-30 03:36Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
{
"affected": [],
"aliases": [
"CVE-2026-6751"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T13:16:21Z",
"severity": "HIGH"
},
"details": "Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.",
"id": "GHSA-mwvh-c89q-73j6",
"modified": "2026-06-30T03:36:20Z",
"published": "2026-04-21T15:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6751"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19464"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19465"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19466"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19467"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19468"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19469"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19655"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19704"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-6751"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2025883"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460109"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6751.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-32"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-34"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10757"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10766"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:12285"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13537"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:15892"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17687"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17688"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17689"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17690"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19041"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19131"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19348"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19463"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MX89-4JM3-JMV3
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10An uninitialized pointer in FATEK Automation FvDesigner, Versions 1.5.88 and prior may be exploited while the application is processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-32931"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T13:15:00Z",
"severity": "HIGH"
},
"details": "An uninitialized pointer in FATEK Automation FvDesigner, Versions 1.5.88 and prior may be exploited while the application is processing project files, allowing an attacker to craft a special project file that may permit arbitrary code execution.",
"id": "GHSA-mx89-4jm3-jmv3",
"modified": "2022-05-24T19:10:42Z",
"published": "2022-05-24T19:10:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32931"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-217-02"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1027"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1030"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MX92-M8M9-32FQ
Vulnerability from github – Published: 2024-12-19 09:30 – Updated: 2025-01-21 21:30An access of uninitialized pointer (CWE-824) vulnerability in FortiWLC versions 8.6.0, 8.5.3 and earlier may allow a local and authenticated attacker to crash the access point being managed by the controller by executing a crafted CLI command.
{
"affected": [],
"aliases": [
"CVE-2021-26093"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-19T08:15:14Z",
"severity": "HIGH"
},
"details": "An access of uninitialized pointer (CWE-824) vulnerability\u00a0in FortiWLC versions 8.6.0, 8.5.3 and earlier may allow a local and authenticated attacker to crash the access point\u00a0being managed by the controller by executing a crafted CLI command.",
"id": "GHSA-mx92-m8m9-32fq",
"modified": "2025-01-21T21:30:49Z",
"published": "2024-12-19T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26093"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-21-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P48C-W36X-45WJ
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2024-02-23 21:30Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
{
"affected": [],
"aliases": [
"CVE-2021-29095"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T21:15:00Z",
"severity": "MODERATE"
},
"details": "Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.",
"id": "GHSA-p48c-w36x-45wj",
"modified": "2024-02-23T21:30:47Z",
"published": "2022-05-24T17:45:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29095"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/security-advisory-server-image"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5W9-856P-8Q4G
Vulnerability from github – Published: 2021-08-25 21:00 – Updated: 2021-08-24 17:42The socket2 crate has assumed std::net::SocketAddrV4
and std::net::SocketAddrV6 have the same memory layout as the system C representation
sockaddr. It has simply casted the pointers to convert the socket addresses to the
system representation. The standard library does not say anything about the memory
layout, and this will cause invalid memory access if the standard library
changes the implementation. No warnings or errors will be emitted once the
change happens.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "socket2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-06T17:25:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The [`socket2`](https://crates.io/crates/socket2) crate has assumed `std::net::SocketAddrV4`\nand `std::net::SocketAddrV6` have the same memory layout as the system C representation\n`sockaddr`. It has simply casted the pointers to convert the socket addresses to the\nsystem representation. The standard library does not say anything about the memory\nlayout, and this will cause invalid memory access if the standard library\nchanges the implementation. No warnings or errors will be emitted once the\nchange happens.\n",
"id": "GHSA-p5w9-856p-8q4g",
"modified": "2021-08-24T17:42:08Z",
"published": "2021-08-25T21:00:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-lang/socket2-rs/issues/119"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-lang/socket2-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0079.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Assumed memory layout of std::net::SocketAddr",
"withdrawn": "2021-08-24T17:42:08Z"
}
GHSA-P87J-5W46-H7W5
Vulnerability from github – Published: 2023-08-10 15:30 – Updated: 2024-04-04 06:47Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-38226"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-10T14:15:12Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-p87j-5w46-h7w5",
"modified": "2024-04-04T06:47:28Z",
"published": "2023-08-10T15:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38226"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-30.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P942-F2JQ-6857
Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-20 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ansys SpaceClaim 2022 R1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of X_B files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17565.
{
"affected": [],
"aliases": [
"CVE-2022-40649"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-15T16:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ansys SpaceClaim 2022 R1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of X_B files. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17565.",
"id": "GHSA-p942-f2jq-6857",
"modified": "2022-09-20T00:00:29Z",
"published": "2022-09-16T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40649"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1205"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P996-826H-XHFR
Vulnerability from github – Published: 2026-01-13 21:31 – Updated: 2026-01-13 21:31InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2026-21275"
],
"database_specific": {
"cwe_ids": [
"CWE-824"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T19:16:25Z",
"severity": "HIGH"
},
"details": "InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-p996-826h-xhfr",
"modified": "2026-01-13T21:31:44Z",
"published": "2026-01-13T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21275"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/indesign/apsb26-02.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.