Common Weakness Enumeration

CWE-908

Allowed

Use of Uninitialized Resource

Abstraction: Base · Status: Incomplete

The product uses or accesses a resource that has not been initialized.

822 vulnerabilities reference this CWE, most recent first.

GHSA-JQ95-P6V7-8MXR

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bnge: return after auxiliary_device_uninit() in error path

When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error.

Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:41Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnge: return after auxiliary_device_uninit() in error path\n\nWhen auxiliary_device_add() fails, the error block calls\nauxiliary_device_uninit() but does not return.  The uninit drops the\nlast reference and synchronously runs bnge_aux_dev_release(), which sets\nbd-\u003eauxr_dev = NULL and frees the underlying object.  The subsequent\nbd-\u003eauxr_dev-\u003enet = bd-\u003enetdev then dereferences NULL, which is not a\ngood thing to have happen when trying to clean up from an error.\n\nAdd the missing return, as the auxiliary bus documentation states is a\nrequirement (seems that LLM tools read documentation better than humans\ndo...)",
  "id": "GHSA-jq95-p6v7-8mxr",
  "modified": "2026-04-28T15:30:48Z",
  "published": "2026-04-24T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31621"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQJJ-R4QP-X2GH

Vulnerability from github – Published: 2022-01-06 22:12 – Updated: 2022-01-07 16:25
VLAI
Summary
Use of Uninitialized Resource in messagepack-rs.
Details

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string_primitive may read from uninitialized memory locations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "messagepack-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T14:38:22Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string_primitive may read from uninitialized memory locations.",
  "id": "GHSA-jqjj-r4qp-x2gh",
  "modified": "2022-01-07T16:25:54Z",
  "published": "2022-01-06T22:12:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45693"
    },
    {
      "type": "WEB",
      "url": "https://github.com/otake84/messagepack-rs/issues/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/otake84/messagepack-rs"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/messagepack-rs/RUSTSEC-2021-0092.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0092.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Uninitialized Resource in messagepack-rs."
}

GHSA-JQQC-VV26-H55V

Vulnerability from github – Published: 2023-10-12 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An information disclosure vulnerability exists in the ClientConnect() functionality of SoftEther VPN 5.01.9674. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-457",
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-12T16:15:11Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the ClientConnect() functionality of SoftEther VPN 5.01.9674. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.",
  "id": "GHSA-jqqc-vv26-h55v",
  "modified": "2025-11-04T21:30:44Z",
  "published": "2023-10-12T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31192"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1768"
    },
    {
      "type": "WEB",
      "url": "https://www.softether.org/9-about/News/904-SEVPN202301"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1768"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQXF-F2X7-9G34

Vulnerability from github – Published: 2023-04-18 00:32 – Updated: 2024-04-04 03:31
VLAI
Details

A Use of Uninitialized Resource vulnerability in the Border Gateway Protocol (BGP) software of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker to send specific genuine BGP packets to a device configured with BGP to cause a Denial of Service (DoS) by crashing the Routing Protocol Daemon (rpd). This issue is triggered when the packets attempt to initiate a BGP connection before a BGP session is successfully established. Continued receipt of these specific BGP packets will cause a sustained Denial of Service condition. This issue is triggerable in both iBGP and eBGP deployments. This issue affects: Juniper Networks Junos OS 21.1 version 21.1R1 and later versions prior to 21.1R3-S5; 21.2 version 21.2R1 and later versions prior to 21.2R3-S2; 21.3 version 21.3R1 and later versions prior to 21.3R3-S2; 21.4 versions prior to 21.4R3; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 21.1R1. This issue affects: Juniper Networks Junos OS Evolved 21.1-EVO version 21.1R1-EVO and later versions prior to 21.4R3-EVO; 22.1-EVO versions prior to 22.1R3-EVO; 22.2-EVO versions prior to 22.2R2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 21.1R1-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-17T22:15:08Z",
    "severity": "HIGH"
  },
  "details": "A Use of Uninitialized Resource vulnerability in the Border Gateway Protocol (BGP) software of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker to send specific genuine BGP packets to a device configured with BGP to cause a Denial of Service (DoS) by crashing the Routing Protocol Daemon (rpd). This issue is triggered when the packets attempt to initiate a BGP connection before a BGP session is successfully established. Continued receipt of these specific BGP packets will cause a sustained Denial of Service condition. This issue is triggerable in both iBGP and eBGP deployments. This issue affects: Juniper Networks Junos OS 21.1 version 21.1R1 and later versions prior to 21.1R3-S5; 21.2 version 21.2R1 and later versions prior to 21.2R3-S2; 21.3 version 21.3R1 and later versions prior to 21.3R3-S2; 21.4 versions prior to 21.4R3; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 21.1R1. This issue affects: Juniper Networks Junos OS Evolved 21.1-EVO version 21.1R1-EVO and later versions prior to 21.4R3-EVO; 22.1-EVO versions prior to 22.1R3-EVO; 22.2-EVO versions prior to 22.2R2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 21.1R1-EVO.",
  "id": "GHSA-jqxf-f2x7-9g34",
  "modified": "2024-04-04T03:31:26Z",
  "published": "2023-04-18T00:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28967"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA70591"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRJJ-G8HJ-84FG

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure

syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1], for rcu_sync_enter() is called without rcu_sync_init() due to hci_uart_tty_open() ignoring percpu_init_rwsem() failure.

While we are at it, fix that hci_uart_register_device() ignores percpu_init_rwsem() failure and hci_uart_unregister_device() does not call percpu_free_rwsem().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure\n\nsyzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1],\nfor rcu_sync_enter() is called without rcu_sync_init() due to\nhci_uart_tty_open() ignoring percpu_init_rwsem() failure.\n\nWhile we are at it, fix that hci_uart_register_device() ignores\npercpu_init_rwsem() failure and hci_uart_unregister_device() does not\ncall percpu_free_rwsem().",
  "id": "GHSA-jrjj-g8hj-84fg",
  "modified": "2025-12-11T18:30:32Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50374"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3124d320c22f3f4388d9ac5c8f37eaad0cefd6b1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75b2c71ea581c7bb1303860d89366a42ad0506d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98ce10f3f345e61fc6c83bff9cd11cda252b05ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8917dce2134739b39bc0a5648b18427f2cad569"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7cc0d51ffcbfd1caaa809fcf9cff05c46d0fb4d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV2R-JX6Q-89JG

Vulnerability from github – Published: 2022-01-06 22:16 – Updated: 2022-01-07 16:16
VLAI
Summary
Use of Uninitialized Resource in bronzedb-protocol.
Details

An issue was discovered in the bronzedb-protocol crate through 2021-01-03 for Rust. ReadKVExt may read from uninitialized memory locations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "bronzedb-protocol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T17:49:03Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the bronzedb-protocol crate through 2021-01-03 for Rust. ReadKVExt may read from uninitialized memory locations.",
  "id": "GHSA-jv2r-jx6q-89jg",
  "modified": "2022-01-07T16:16:57Z",
  "published": "2022-01-06T22:16:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45682"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hexilee/BronzeDB/issues/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Hexilee/BronzeDB"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/bronzedb-protocol/RUSTSEC-2021-0084.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0084.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Uninitialized Resource in bronzedb-protocol."
}

GHSA-JWFH-J623-M97H

Vulnerability from github – Published: 2022-01-06 22:12 – Updated: 2022-01-07 17:12
VLAI
Summary
Use of Uninitialized Resource in messagepack-rs
Details

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string may read from uninitialized memory locations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "messagepack-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T14:33:33Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_string may read from uninitialized memory locations.",
  "id": "GHSA-jwfh-j623-m97h",
  "modified": "2022-01-07T17:12:54Z",
  "published": "2022-01-06T22:12:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/otake84/messagepack-rs/issues/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/otake84/messagepack-rs"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/messagepack-rs/RUSTSEC-2021-0092.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0092.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Uninitialized Resource in messagepack-rs"
}

GHSA-JWQH-57HR-2GGG

Vulnerability from github – Published: 2024-04-17 12:32 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

syzbot identified a kernel information leak vulnerability in do_sys_name_to_handle() and issued the following report [1].

[1] "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] do_sys_name_to_handle fs/fhandle.c:73 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ...

Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] do_sys_name_to_handle fs/fhandle.c:39 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ...

Bytes 18-19 of 20 are uninitialized Memory access of size 20 starts at ffff888128a46380 Data copied to user address 0000000020000240"

Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to solve the problem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\n\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\n\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\n\nPer Chuck Lever\u0027s suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.",
  "id": "GHSA-jwqh-57hr-2ggg",
  "modified": "2026-05-12T12:31:39Z",
  "published": "2024-04-17T12:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3948abaa4e2be938ccdfc289385a27342fb13d43"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/423b6bdf19bbc5e1f7e7461045099917378f7e71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/772a7def9868091da3bcb0d6c6ff9f0c03d7fa8b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf9ec1b24ab4e94345aa1c60811dd329f069c38b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1362eae861db28b1608b9dc23e49634fe87b63b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cba138f1ef37ec6f961baeab62f312dedc7cf730"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cde76b3af247f615447bcfecf610bb76c3529126"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6450d5e46a737a008b4885aa223486113bf0ad6"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M29J-F39X-2R24

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-11-25 21:30
VLAI
Details

HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:36:45Z",
    "severity": "MODERATE"
  },
  "details": "HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c).",
  "id": "GHSA-m29j-f39x-2r24",
  "modified": "2024-11-25T21:30:48Z",
  "published": "2024-05-14T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32606"
    },
    {
      "type": "WEB",
      "url": "https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M35H-5XHM-6J2C

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Windows COM Server Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Windows COM Server Information Disclosure Vulnerability",
  "id": "GHSA-m35h-5xhm-6j2c",
  "modified": "2025-01-14T18:32:03Z",
  "published": "2025-01-14T18:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21272"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21272"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile the product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.