Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

CVE-2018-25014 (GCVE-0-2018-25014)

Vulnerability from cvelistv5 – Published: 2021-05-21 16:27 – Updated: 2024-08-05 12:26
VLAI
Summary
A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol().
Severity
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
n/a libwebp Affected: libwebp 1.0.1
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:26:39.521Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956927"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://chromium.googlesource.com/webm/libwebp/+log/78ad57a36ad69a9c22874b182d49d64125c380f2..907208f97ead639bd52"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libwebp",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "libwebp 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol()."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-908",
              "description": "CWE-908",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-05T15:23:22.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956927"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://chromium.googlesource.com/webm/libwebp/+log/78ad57a36ad69a9c22874b182d49d64125c380f2..907208f97ead639bd52"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2018-25014",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "libwebp",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "libwebp 1.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol()."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-908"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1956927",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956927"
            },
            {
              "name": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496",
              "refsource": "MISC",
              "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496"
            },
            {
              "name": "https://chromium.googlesource.com/webm/libwebp/+log/78ad57a36ad69a9c22874b182d49d64125c380f2..907208f97ead639bd52",
              "refsource": "MISC",
              "url": "https://chromium.googlesource.com/webm/libwebp/+log/78ad57a36ad69a9c22874b182d49d64125c380f2..907208f97ead639bd52"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-25014",
    "datePublished": "2021-05-21T16:27:57.000Z",
    "dateReserved": "2021-05-04T00:00:00.000Z",
    "dateUpdated": "2024-08-05T12:26:39.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-238V-Q38R-8XQP

Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: Fix uninit-value in nci_rx_work

syzbot reported the following uninit-value access issue [1]

nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-21T11:15:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_rx_work\n\nsyzbot reported the following uninit-value access issue [1]\n\nnci_rx_work() parses received packet from ndev-\u003erx_q. It should be\nvalidated header size, payload size and total packet size before\nprocessing the packet. If an invalid packet is detected, it should be\nsilently discarded.",
  "id": "GHSA-238v-q38r-8xqp",
  "modified": "2026-05-12T12:31:56Z",
  "published": "2024-06-21T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38381"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/017ff397624930fd7ac7f1761f3c9d6a7100f68c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/406cfac9debd4a6d3dc5d9258ee086372a8c08b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/485ded868ed62ceb2acb3a459d7843fd71472619"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad4d196d2008c7f413167f0a693feb4f0439d7fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e4a87abf588536d1cdfb128595e6e680af5cf3ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e53a7f8afcbd2886f2a94c5d56757328109730ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8c8e0d0d214c877fbad555df5b3ed558cd9b0c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f80b786ab0550d0020191a59077b2c7e069db2d1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23R9-H96J-WJ63

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:17:07Z",
    "severity": "MODERATE"
  },
  "details": "Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally.",
  "id": "GHSA-23r9-h96j-wj63",
  "modified": "2026-07-14T18:32:09Z",
  "published": "2026-07-14T18:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54997"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54997"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-242X-7CM6-4W8J

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2026-06-09 10:22
VLAI
Summary
Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability
Details

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-18197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-07T21:30:20Z",
    "nvd_published_at": "2019-10-18T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn\u0027t reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.\n\nNokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.",
  "id": "GHSA-242x-7cm6-4w8j",
  "modified": "2026-06-09T10:22:03Z",
  "published": "2022-05-24T16:59:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/issues/1943"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0514"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-18197.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/blob/01ab95f3e37429ed8d3b380a8d2f73902eb325d9/CHANGELOG.md?plain=1#L934"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00037.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191031-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200416-0004"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4164-1"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/17/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability"
}

GHSA-2583-337F-6VP9

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction

AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") while 'deferrable' flag can be uninitialized for non-control/notify AV/C transactions. UBSAN reports it:

kernel: ================================================================================ kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9 kernel: load of value 158 is not a valid value for type '_Bool' kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019 kernel: Call Trace: kernel: kernel: show_stack+0x52/0x58 kernel: dump_stack_lvl+0x4a/0x5f kernel: dump_stack+0x10/0x12 kernel: ubsan_epilogue+0x9/0x45 kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49 kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib] kernel: fcp_response+0x28/0x30 [snd_firewire_lib] kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core] kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core] kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci] kernel: tasklet_action_common.constprop.0+0xea/0xf0 kernel: tasklet_action+0x22/0x30 kernel: __do_softirq+0xd9/0x2e3 kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0 kernel: do_softirq+0x75/0xa0 kernel: kernel: kernel: __local_bh_enable_ip+0x50/0x60 kernel: irq_forced_thread_fn+0x7e/0x90 kernel: irq_thread+0xba/0x190 kernel: ? irq_thread_fn+0x60/0x60 kernel: kthread+0x11e/0x140 kernel: ? irq_thread_check_affinity+0xf0/0xf0 kernel: ? set_kthread_struct+0x50/0x50 kernel: ret_from_fork+0x22/0x30 kernel: kernel: ================================================================================

This commit fixes the bug. The bug has no disadvantage for the non- control/notify AV/C transactions since the flag has an effect for AV/C response with INTERIM (0x0f) status which is not used for the transactions in AV/C general specification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:01Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction\n\nAV/C deferred transaction was supported at a commit 00a7bb81c20f (\"ALSA:\nfirewire-lib: Add support for deferred transaction\") while \u0027deferrable\u0027\nflag can be uninitialized for non-control/notify AV/C transactions.\nUBSAN reports it:\n\nkernel: ================================================================================\nkernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9\nkernel: load of value 158 is not a valid value for type \u0027_Bool\u0027\nkernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P           OE     5.15.0-18-generic #18-Ubuntu\nkernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019\nkernel: Call Trace:\nkernel:  \u003cIRQ\u003e\nkernel:  show_stack+0x52/0x58\nkernel:  dump_stack_lvl+0x4a/0x5f\nkernel:  dump_stack+0x10/0x12\nkernel:  ubsan_epilogue+0x9/0x45\nkernel:  __ubsan_handle_load_invalid_value.cold+0x44/0x49\nkernel:  fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]\nkernel:  fcp_response+0x28/0x30 [snd_firewire_lib]\nkernel:  fw_core_handle_request+0x230/0x3d0 [firewire_core]\nkernel:  handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel:  ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]\nkernel:  ? transmit_complete_callback+0x9f/0x120 [firewire_core]\nkernel:  ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]\nkernel:  tasklet_action_common.constprop.0+0xea/0xf0\nkernel:  tasklet_action+0x22/0x30\nkernel:  __do_softirq+0xd9/0x2e3\nkernel:  ? irq_finalize_oneshot.part.0+0xf0/0xf0\nkernel:  do_softirq+0x75/0xa0\nkernel:  \u003c/IRQ\u003e\nkernel:  \u003cTASK\u003e\nkernel:  __local_bh_enable_ip+0x50/0x60\nkernel:  irq_forced_thread_fn+0x7e/0x90\nkernel:  irq_thread+0xba/0x190\nkernel:  ? irq_thread_fn+0x60/0x60\nkernel:  kthread+0x11e/0x140\nkernel:  ? irq_thread_check_affinity+0xf0/0xf0\nkernel:  ? set_kthread_struct+0x50/0x50\nkernel:  ret_from_fork+0x22/0x30\nkernel:  \u003c/TASK\u003e\nkernel: ================================================================================\n\nThis commit fixes the bug. The bug has no disadvantage for the non-\ncontrol/notify AV/C transactions since the flag has an effect for AV/C\nresponse with INTERIM (0x0f) status which is not used for the transactions\nin AV/C general specification.",
  "id": "GHSA-2583-337f-6vp9",
  "modified": "2025-09-22T21:30:15Z",
  "published": "2025-09-22T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49248"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39d2c4a33dc1b4402cec68a3c8f82c6588b6edce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60e5d391805d70458a01998de00d0c28cba40bf3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7025f40690a235a118c87674cfb93072694aa66d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e6f5786621df060f8296f074efd275eaf20361a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99582e4b19f367fa95bdd150b3034d7ce8113342"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2b65c9013dc28836d82e25d0f0c94d794a14aba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eab74c41612083bd627b60da650e19234e4f1051"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25RX-R3WR-MPVR

Vulnerability from github – Published: 2025-11-18 00:30 – Updated: 2025-11-18 00:30
VLAI
Details

A hard-coded password vulnerability exists in the ControlVault WBDI Driver functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to execute priviledged operation. An attacker can issue an api call to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-17T23:15:51Z",
    "severity": "HIGH"
  },
  "details": "A hard-coded password vulnerability exists in the ControlVault WBDI Driver functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to execute priviledged operation. An attacker can issue an api call to trigger this vulnerability.",
  "id": "GHSA-25rx-r3wr-mpvr",
  "modified": "2025-11-18T00:30:18Z",
  "published": "2025-11-18T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31649"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2173"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2173"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-26WJ-QWF9-FHG9

Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-04 15:30
VLAI
Details

In ReadTachyonCommands of gxp_main_actor.cc, there is a possible information leak due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T10:42:29Z",
    "severity": "MODERATE"
  },
  "details": "In ReadTachyonCommands of gxp_main_actor.cc, there is a possible information leak due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-26wj-qwf9-fhg9",
  "modified": "2025-09-04T15:30:28Z",
  "published": "2025-09-04T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36893"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2025-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2745-Q3QJ-Q4J6

Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-13 00:01
VLAI
Details

The function wav_format_write in libwav.c in libwav through 2017-04-20 has an Use of Uninitialized Variable vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The function wav_format_write in libwav.c in libwav through 2017-04-20 has an Use of Uninitialized Variable vulnerability.",
  "id": "GHSA-2745-q3qj-q4j6",
  "modified": "2022-05-13T00:01:07Z",
  "published": "2022-05-05T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marc-q/libwav/issues/29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tin-z/Stuff_and_POCs/blob/main/poc_libwav/POC"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-27RX-W643-MRJG

Vulnerability from github – Published: 2024-07-30 09:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: replace skb_put with skb_put_zero

Avoid potentially reusing uninitialized data

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T08:15:07Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: replace skb_put with skb_put_zero\n\nAvoid potentially reusing uninitialized data",
  "id": "GHSA-27rx-w643-mrjg",
  "modified": "2025-11-04T00:31:09Z",
  "published": "2024-07-30T09:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42225"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22ea2a7f0b64d323625950414a4496520fb33657"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64f86337ccfe77fe3be5a9356b0dabde23fbb074"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f819a2f4fbc510e088b49c79addcf1734503578"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc7f14d00d0c4c21898f3504607f4a31079065a2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff6b26be13032c5fbd6b6a0b24358f8eaac4f3af"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-298P-MMC8-J4X9

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33
VLAI
Details

Windows Kernel Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T18:15:11Z",
    "severity": "HIGH"
  },
  "details": "Windows Kernel Elevation of Privilege Vulnerability",
  "id": "GHSA-298p-mmc8-j4x9",
  "modified": "2024-10-08T18:33:15Z",
  "published": "2024-10-08T18:33:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43502"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43502"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.