CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-MRWC-M279-7475
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07An information disclosure vulnerability exists when Visual Studio improperly discloses limited contents of uninitialized memory while compiling program database (PDB) files, aka "Microsoft Visual Studio Information Disclosure Vulnerability." This affects Microsoft Visual Studio.
{
"affected": [],
"aliases": [
"CVE-2018-1037"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-12T01:29:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists when Visual Studio improperly discloses limited contents of uninitialized memory while compiling program database (PDB) files, aka \"Microsoft Visual Studio Information Disclosure Vulnerability.\" This affects Microsoft Visual Studio.",
"id": "GHSA-mrwc-m279-7475",
"modified": "2022-05-13T01:07:07Z",
"published": "2022-05-13T01:07:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1037"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1037"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103715"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040664"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWCX-XF66-XWQM
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 18:31In the Linux kernel, the following vulnerability has been resolved:
netdevsim: zero initialize struct iphdr in dummy sk_buff
Syzbot reports a KMSAN uninit-value originating from nsim_dev_trap_skb_build, with the allocation also being performed in the same function.
Fix this by calling skb_put_zero instead of skb_put to guarantee zero initialization of the whole IP header.
{
"affected": [],
"aliases": [
"CVE-2026-52985"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: zero initialize struct iphdr in dummy sk_buff\n\nSyzbot reports a KMSAN uninit-value originating from\nnsim_dev_trap_skb_build, with the allocation also\nbeing performed in the same function.\n\nFix this by calling skb_put_zero instead of skb_put to\nguarantee zero initialization of the whole IP header.",
"id": "GHSA-mwcx-xf66-xwqm",
"modified": "2026-07-14T18:31:49Z",
"published": "2026-06-24T18:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52985"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/175556c049eaec14efde8c6475e763b7579b9de7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b7b6ae0e93b8d512e208b1378d74af052e4f4e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35eaa6d8d6c2ee65e96f507add856e0eacf24591"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e2cfd0904976e701d7a76b86b694e72af230ab0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/750d0091bebf44975421268d37484ef87060d263"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/818f7673ed7f4a29d4b9cee8184c47d6e57162b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/978ca6ff789f1f19c03288ac20cc1f4774e88490"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bc6002865e8c4fcf9e94975f7cf023448d8764e2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P23J-C29J-HJGV
Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2025-09-25 21:30In the Linux kernel, the following vulnerability has been resolved:
ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()
In the following concurrency we will access the uninitialized rs->lock:
ext4_fill_super ext4_register_sysfs // sysfs registered msg_ratelimit_interval_ms // Other processes modify rs->interval to // non-zero via msg_ratelimit_interval_ms ext4_orphan_cleanup ext4_msg(sb, KERN_INFO, "Errors on filesystem, " __ext4_msg ratelimit(&(EXT4SB(sb)->s_msg_ratelimit_state) if (!rs->interval) // do nothing if interval is 0 return 1; raw_spin_trylock_irqsave(&rs->lock, flags) raw_spin_trylock(lock) _raw_spin_trylock raw_spin_trylock spin_acquire(&lock->dep_map, 0, 1, RET_IP) lock_acquire __lock_acquire register_lock_class assign_lock_key dump_stack(); ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10); raw_spin_lock_init(&rs->lock); // init rs->lock here
and get the following dump_stack:
========================================================= INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504 [...] Call Trace: dump_stack_lvl+0xc5/0x170 dump_stack+0x18/0x30 register_lock_class+0x740/0x7c0 __lock_acquire+0x69/0x13a0 lock_acquire+0x120/0x450 _raw_spin_trylock+0x98/0xd0 ratelimit+0xf6/0x220 _ext4_msg+0x7f/0x160 [ext4] ext4_orphan_cleanup+0x665/0x740 [ext4] ext4_fill_super+0x21ea/0x2b10 [ext4] ext4_fill_super+0x14d/0x360 [ext4] [...] =========================================================
Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.
{
"affected": [],
"aliases": [
"CVE-2024-40998"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-12T13:15:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state-\u003elock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs-\u003elock:\n\next4_fill_super\n ext4_register_sysfs\n // sysfs registered msg_ratelimit_interval_ms\n // Other processes modify rs-\u003einterval to\n // non-zero via msg_ratelimit_interval_ms\n ext4_orphan_cleanup\n ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n __ext4_msg\n ___ratelimit(\u0026(EXT4_SB(sb)-\u003es_msg_ratelimit_state)\n if (!rs-\u003einterval) // do nothing if interval is 0\n return 1;\n raw_spin_trylock_irqsave(\u0026rs-\u003elock, flags)\n raw_spin_trylock(lock)\n _raw_spin_trylock\n __raw_spin_trylock\n spin_acquire(\u0026lock-\u003edep_map, 0, 1, _RET_IP_)\n lock_acquire\n __lock_acquire\n register_lock_class\n assign_lock_key\n dump_stack();\n ratelimit_state_init(\u0026sbi-\u003es_msg_ratelimit_state, 5 * HZ, 10);\n raw_spin_lock_init(\u0026rs-\u003elock);\n // init rs-\u003elock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn\u0027t initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs-\u003elock, so it is possible to change rs-\u003einterval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs-\u003elock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs-\u003elock. Therefore register sysfs after all\ninitializations are complete to avoid such problems.",
"id": "GHSA-p23j-c29j-hjgv",
"modified": "2025-09-25T21:30:18Z",
"published": "2024-07-12T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40998"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3WG-G3GR-3FXJ
Vulnerability from github – Published: 2023-07-28 18:30 – Updated: 2024-04-04 06:25Uninitialized buffer in GBL parser in Silicon Labs GSDK v4.3.0 and earlier allows attacker to leak data from Secure stack via malformed GBL file.
{
"affected": [],
"aliases": [
"CVE-2023-3488"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-28T16:15:12Z",
"severity": "MODERATE"
},
"details": "Uninitialized buffer in GBL parser in Silicon Labs GSDK v4.3.0 and earlier allows attacker to leak data from Secure stack via malformed GBL file.\n\n",
"id": "GHSA-p3wg-g3gr-3fxj",
"modified": "2024-04-04T06:25:03Z",
"published": "2023-07-28T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3488"
},
{
"type": "WEB",
"url": "https://community.silabs.com/sfc/servlet.shepherd/document/download/0698Y00000Wi3HwQAJ?operationContext=S1"
},
{
"type": "WEB",
"url": "https://github.com/SiliconLabs/gecko_sdk/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P427-CVCM-W3V3
Vulnerability from github – Published: 2024-06-13 21:30 – Updated: 2024-07-11 15:30In aur_get_state of aurora.c, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-29785"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T21:15:52Z",
"severity": "MODERATE"
},
"details": "In aur_get_state of aurora.c, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-p427-cvcm-w3v3",
"modified": "2024-07-11T15:30:42Z",
"published": "2024-06-13T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29785"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2024-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P42V-4MRM-3J3G
Vulnerability from github – Published: 2025-04-03 09:32 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value.
Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these.
Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.
(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)
{
"affected": [],
"aliases": [
"CVE-2025-21996"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-03T08:15:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()\n\nOn the off chance that command stream passed from userspace via\nioctl() call to radeon_vce_cs_parse() is weirdly crafted and\nfirst command to execute is to encode (case 0x03000001), the function\nin question will attempt to call radeon_vce_cs_reloc() with size\nargument that has not been properly initialized. Specifically, \u0027size\u0027\nwill point to \u0027tmp\u0027 variable before the latter had a chance to be\nassigned any value.\n\nPlay it safe and init \u0027tmp\u0027 with 0, thus ensuring that\nradeon_vce_cs_reloc() will catch an early error in cases like these.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.\n\n(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)",
"id": "GHSA-p42v-4mrm-3j3g",
"modified": "2025-11-03T21:33:29Z",
"published": "2025-04-03T09:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21996"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P46C-W9M3-7QR2
Vulnerability from github – Published: 2022-01-06 22:18 – Updated: 2023-06-13 18:08Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. There are two of such cases (go_offset_log::read_entry() & offset_log::read_entry()).
Arbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "flumedb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-45684"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-06T18:10:24Z",
"nvd_published_at": "2021-12-27T00:15:00Z",
"severity": "CRITICAL"
},
"details": "Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. There are two of such cases (go_offset_log::read_entry() \u0026 offset_log::read_entry()).\n\nArbitrary Read implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior.",
"id": "GHSA-p46c-w9m3-7qr2",
"modified": "2023-06-13T18:08:03Z",
"published": "2022-01-06T22:18:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45684"
},
{
"type": "WEB",
"url": "https://github.com/sunrise-choir/flumedb-rs/issues/10"
},
{
"type": "WEB",
"url": "https://github.com/sunrise-choir/flumedb-rs/pull/12"
},
{
"type": "WEB",
"url": "https://github.com/sunrise-choir/flumedb-rs/commit/14b7440271c9d2316fab52c745e21087559364f6"
},
{
"type": "PACKAGE",
"url": "https://github.com/sunrise-choir/flumedb-rs"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/flumedb/RUSTSEC-2021-0086.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0086.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of Uninitialized Resource in flumedb."
}
GHSA-P4CR-64X4-F92F
Vulnerability from github – Published: 2022-01-06 22:17 – Updated: 2022-01-07 16:21An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. fill_buf may read from uninitialized memory locations.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "acc_reader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36514"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-06T18:14:54Z",
"nvd_published_at": "2021-12-27T00:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the acc_reader crate through 2020-12-27 for Rust. fill_buf may read from uninitialized memory locations.",
"id": "GHSA-p4cr-64x4-f92f",
"modified": "2022-01-07T16:21:25Z",
"published": "2022-01-06T22:17:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36514"
},
{
"type": "WEB",
"url": "https://github.com/netvl/acc_reader/issues/1"
},
{
"type": "PACKAGE",
"url": "https://github.com/netvl/acc_reader"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/acc_reader/RUSTSEC-2020-0155.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0155.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of Uninitialized Resource in acc_reader."
}
GHSA-P59H-7G7V-XP8X
Vulnerability from github – Published: 2025-01-28 18:31 – Updated: 2025-01-28 21:31In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2018-9378"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T17:15:08Z",
"severity": "MODERATE"
},
"details": "In BnAudioPolicyService::onTransact of IAudioPolicyService.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-p59h-7g7v-xp8x",
"modified": "2025-01-28T21:31:03Z",
"published": "2025-01-28T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9378"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P6H4-4RMR-4H27
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use of uninitialized resource in Windows RDP allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-56190"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:29Z",
"severity": "CRITICAL"
},
"details": "Use of uninitialized resource in Windows RDP allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-p6h4-4rmr-4h27",
"modified": "2026-07-14T18:32:38Z",
"published": "2026-07-14T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56190"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56190"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.