CWE-908
AllowedUse of Uninitialized Resource
Abstraction: Base · Status: Incomplete
The product uses or accesses a resource that has not been initialized.
822 vulnerabilities reference this CWE, most recent first.
GHSA-P7C5-WCMH-3WW2
Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-15 03:30Use of uninitialized resource within the AMD Platform Management Framework (PMF) could allow an attacker to read a uninitialized kernel memory resulting in loss of confidentiality or availability.
{
"affected": [],
"aliases": [
"CVE-2025-48513"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T03:16:22Z",
"severity": "MODERATE"
},
"details": "Use of uninitialized resource within the AMD Platform Management Framework (PMF) could allow an attacker to read a uninitialized kernel memory resulting in loss of confidentiality or availability.",
"id": "GHSA-p7c5-wcmh-3ww2",
"modified": "2026-05-15T03:30:37Z",
"published": "2026-05-15T03:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48513"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P856-74G9-X6CM
Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2022-07-08 00:00The gf_hinter_track_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.
{
"affected": [],
"aliases": [
"CVE-2021-40608"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-28T13:15:00Z",
"severity": "MODERATE"
},
"details": "The gf_hinter_track_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.",
"id": "GHSA-p856-74g9-x6cm",
"modified": "2022-07-08T00:00:46Z",
"published": "2022-06-29T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40608"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1883"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P86V-JQG2-H544
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03Microsoft Internet Explorer 6 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2010-3343"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-12-16T19:33:00Z",
"severity": "HIGH"
},
"details": "Microsoft Internet Explorer 6 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka \"HTML Object Memory Corruption Vulnerability.\"",
"id": "GHSA-p86v-jqg2-h544",
"modified": "2022-05-13T01:03:29Z",
"published": "2022-05-13T01:03:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3343"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-090"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12372"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1024872"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA10-348A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P9GG-WGFJ-48P7
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-02-06 18:30In the Linux kernel, the following vulnerability has been resolved:
sctp: linearize cloned gso packets in sctp_rcv
A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs.
syzbot reported two use-of-uninitialized-memory bugs caused by this:
BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline]
and
BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline]
This patch fixes it by linearizing cloned gso packets in sctp_rcv().
{
"affected": [],
"aliases": [
"CVE-2025-38718"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:41Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: linearize cloned gso packets in sctp_rcv\n\nA cloned head skb still shares these frag skbs in fraglist with the\noriginal head skb. It\u0027s not safe to access these frag skbs.\n\nsyzbot reported two use-of-uninitialized-memory bugs caused by this:\n\n BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211\n sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998\n sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331\n sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122\n __release_sock+0x1da/0x330 net/core/sock.c:3106\n release_sock+0x6b/0x250 net/core/sock.c:3660\n sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360\n sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885\n sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031\n inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:718 [inline]\n\nand\n\n BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987\n sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88\n sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331\n sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148\n __release_sock+0x1d3/0x330 net/core/sock.c:3213\n release_sock+0x6b/0x270 net/core/sock.c:3767\n sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367\n sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886\n sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032\n inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n\nThis patch fixes it by linearizing cloned gso packets in sctp_rcv().",
"id": "GHSA-p9gg-wgfj-48p7",
"modified": "2026-02-06T18:30:27Z",
"published": "2025-09-05T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38718"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/03d0cc6889e02420125510b5444b570f4bbf53d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1bd5214ea681584c5886fea3ba03e49f93a43c0e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4506bcaabe004d07be8ff09116a3024fbd6aa965"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d757f17bc2ef2727994ffa6d5d6e4bc4789a770"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd0e92bb2b7542fb96397ffac639b4f5b099d0cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0194e391bb493aa6cec56d177b14df6b29188d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea094f38d387d1b0ded5dee4a3e5720aa4ce0139"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc66772607101bd2030a4332b3bd0ea3b3605250"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd60d8a086191fe33c2d719732d2482052fa6805"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCW5-2CQF-CM8X
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service (invalid free and application crash) via a crafted ELF file because of an uninitialized variable in the CPSE handler in libr/anal/p/anal_avr.c.
{
"affected": [],
"aliases": [
"CVE-2018-11383"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-22T19:29:00Z",
"severity": "MODERATE"
},
"details": "The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service (invalid free and application crash) via a crafted ELF file because of an uninitialized variable in the CPSE handler in libr/anal/p/anal_avr.c.",
"id": "GHSA-pcw5-2cqf-cm8x",
"modified": "2022-05-13T01:18:54Z",
"published": "2022-05-13T01:18:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11383"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/issues/9943"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PGWV-VMHF-QQMW
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32In the Linux kernel, the following vulnerability has been resolved:
iio: accel: sca3300: fix uninitialized iio scan data
Fix potential leak of uninitialized stack data to userspace by ensuring
that the channels array is zeroed before use.
{
"affected": [],
"aliases": [
"CVE-2025-39690"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:45Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: sca3300: fix uninitialized iio scan data\n\nFix potential leak of uninitialized stack data to userspace by ensuring\nthat the `channels` array is zeroed before use.",
"id": "GHSA-pgwv-vmhf-qqmw",
"modified": "2025-11-25T21:32:03Z",
"published": "2025-09-05T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39690"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e5b705cc6147f0b9173c6219079f41416bdd3c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c88c04adb8611e436e1e773fd5db3f8d7397d089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PH4R-CPRG-444J
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-08-19 21:35HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.
{
"affected": [],
"aliases": [
"CVE-2024-32611"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:36:46Z",
"severity": "CRITICAL"
},
"details": "HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c.",
"id": "GHSA-ph4r-cprg-444j",
"modified": "2024-08-19T21:35:06Z",
"published": "2024-05-14T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32611"
},
{
"type": "WEB",
"url": "https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PH86-G9R3-5QW4
Vulnerability from github – Published: 2024-02-24 06:30 – Updated: 2025-02-12 21:59Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fastecdsa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21502"
],
"database_specific": {
"cwe_ids": [
"CWE-457",
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-12T21:59:29Z",
"nvd_published_at": "2024-02-24T05:15:44Z",
"severity": "HIGH"
},
"details": "Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable\u0027s actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.",
"id": "GHSA-ph86-g9r3-5qw4",
"modified": "2025-02-12T21:59:29Z",
"published": "2024-02-24T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21502"
},
{
"type": "WEB",
"url": "https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36"
},
{
"type": "WEB",
"url": "https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26"
},
{
"type": "PACKAGE",
"url": "https://github.com/AntonKueltz/fastecdsa"
},
{
"type": "WEB",
"url": "https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uninitialized Variable in fastecdsa"
}
GHSA-PH99-MX6C-HVF9
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-01-23 18:31In the Linux kernel, the following vulnerability has been resolved:
cpufreq: Init completion before kobject_init_and_add()
In cpufreq_policy_alloc(), it will call uninitialed completion in cpufreq_sysfs_release() when kobject_init_and_add() fails. And that will cause a crash such as the following page fault in complete:
BUG: unable to handle page fault for address: fffffffffffffff8 [..] RIP: 0010:complete+0x98/0x1f0 [..] Call Trace: kobject_put+0x1be/0x4c0 cpufreq_online.cold+0xee/0x1fd cpufreq_add_dev+0x183/0x1e0 subsys_interface_register+0x3f5/0x4e0 cpufreq_register_driver+0x3b7/0x670 acpi_cpufreq_init+0x56c/0x1000 [acpi_cpufreq] do_one_initcall+0x13d/0x780 do_init_module+0x1c3/0x630 load_module+0x6e67/0x73b0 __do_sys_finit_module+0x181/0x240 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
{
"affected": [],
"aliases": [
"CVE-2022-50473"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: Init completion before kobject_init_and_add()\n\nIn cpufreq_policy_alloc(), it will call uninitialed completion in\ncpufreq_sysfs_release() when kobject_init_and_add() fails. And\nthat will cause a crash such as the following page fault in complete:\n\nBUG: unable to handle page fault for address: fffffffffffffff8\n[..]\nRIP: 0010:complete+0x98/0x1f0\n[..]\nCall Trace:\n kobject_put+0x1be/0x4c0\n cpufreq_online.cold+0xee/0x1fd\n cpufreq_add_dev+0x183/0x1e0\n subsys_interface_register+0x3f5/0x4e0\n cpufreq_register_driver+0x3b7/0x670\n acpi_cpufreq_init+0x56c/0x1000 [acpi_cpufreq]\n do_one_initcall+0x13d/0x780\n do_init_module+0x1c3/0x630\n load_module+0x6e67/0x73b0\n __do_sys_finit_module+0x181/0x240\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
"id": "GHSA-ph99-mx6c-hvf9",
"modified": "2026-01-23T18:31:23Z",
"published": "2025-10-04T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50473"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cdd91a9163248935720927531066b74f57aa43b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c51054896bcce1d33d39fead2af73fec24f40b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8fb4c98f20dfca1237de2e3dfdbe78d156784fd3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d88540acfc7a17079021d866de914112c396edb1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e379b88a8f8cffc99b318e028705ed9e3da0e1e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7c0c943ed675b66d4bbb16c51c6a3bb58da047e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJH7-836P-GP8F
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31In the Linux kernel, the following vulnerability has been resolved:
mm/mempolicy: fix uninit-value in mpol_rebind_policy()
mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when pol->mode is MPOL_LOCAL. Check pol->mode before access pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).
BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline] BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 mpol_rebind_policy mm/mempolicy.c:352 [inline] mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline] cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278 cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515 cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline] cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804 __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520 cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539 cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852 kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2162 [inline] new_sync_write fs/read_write.c:503 [inline] vfs_write+0x1318/0x2030 fs/read_write.c:590 ksys_write+0x28b/0x510 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0xdb/0x120 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae
Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] slab_alloc mm/slub.c:3259 [inline] kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264 mpol_new mm/mempolicy.c:293 [inline] do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853 kernel_set_mempolicy mm/mempolicy.c:1504 [inline] __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline] __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507 __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae
KMSAN: uninit-value in mpol_rebind_task (2) https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc
This patch seems to fix below bug too. KMSAN: uninit-value in mpol_rebind_mm (2) https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b
The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy(). When syzkaller reproducer runs to the beginning of mpol_new(),
mpol_new() mm/mempolicy.c
do_mbind() mm/mempolicy.c
kernel_mbind() mm/mempolicy.c
mode is 1(MPOL_PREFERRED), nodes_empty(*nodes) is true and flags
is 0. Then
mode = MPOL_LOCAL;
...
policy->mode = mode;
policy->flags = flags;
will be executed. So in mpol_set_nodemask(),
mpol_set_nodemask() mm/mempolicy.c
do_mbind()
kernel_mbind()
pol->mode is 4 (MPOL_LOCAL), that nodemask in pol is not initialized,
which will be accessed in mpol_rebind_policy().
{
"affected": [],
"aliases": [
"CVE-2022-49567"
],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:32Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix uninit-value in mpol_rebind_policy()\n\nmpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when\npol-\u003emode is MPOL_LOCAL. Check pol-\u003emode before access\npol-\u003ew.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).\n\nBUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]\nBUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368\n mpol_rebind_policy mm/mempolicy.c:352 [inline]\n mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368\n cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]\n cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278\n cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515\n cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]\n cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804\n __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520\n cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539\n cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852\n kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296\n call_write_iter include/linux/fs.h:2162 [inline]\n new_sync_write fs/read_write.c:503 [inline]\n vfs_write+0x1318/0x2030 fs/read_write.c:590\n ksys_write+0x28b/0x510 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0xdb/0x120 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:524 [inline]\n slab_alloc_node mm/slub.c:3251 [inline]\n slab_alloc mm/slub.c:3259 [inline]\n kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264\n mpol_new mm/mempolicy.c:293 [inline]\n do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853\n kernel_set_mempolicy mm/mempolicy.c:1504 [inline]\n __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]\n __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507\n __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nKMSAN: uninit-value in mpol_rebind_task (2)\nhttps://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc\n\nThis patch seems to fix below bug too.\nKMSAN: uninit-value in mpol_rebind_mm (2)\nhttps://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b\n\nThe uninit-value is pol-\u003ew.cpuset_mems_allowed in mpol_rebind_policy().\nWhen syzkaller reproducer runs to the beginning of mpol_new(),\n\n\t mpol_new() mm/mempolicy.c\n\t do_mbind() mm/mempolicy.c\n\tkernel_mbind() mm/mempolicy.c\n\n`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`\nis 0. Then\n\n\tmode = MPOL_LOCAL;\n\t...\n\tpolicy-\u003emode = mode;\n\tpolicy-\u003eflags = flags;\n\nwill be executed. So in mpol_set_nodemask(),\n\n\t mpol_set_nodemask() mm/mempolicy.c\n\t do_mbind()\n\tkernel_mbind()\n\npol-\u003emode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,\nwhich will be accessed in mpol_rebind_policy().",
"id": "GHSA-pjh7-836p-gp8f",
"modified": "2025-03-10T21:31:10Z",
"published": "2025-03-10T21:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49567"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/018160ad314d75b1409129b2247b614a9f35894c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/13d51565cec1aa432a6ab363edc2bbc53c6f49cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5735845906fb1d90fe597f8b503fc0a857d475e3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/777e563f10e91e91130fe06bee85220d508e7b9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c5429a04ccd8dbcc3c753dab2f4126774ec28d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a1f8765f68bc9bf5744b365bb9f5e0b6db93edfe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aaa1c5d635a6fca2043513ffb5be169f9cd17d9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ddb3f0b68863bd1c5f43177eea476bce316d4993"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile the product with settings that generate warnings about uninitialized variables or data.
No CAPEC attack patterns related to this CWE.