Common Weakness Enumeration

CWE-909

Allowed-with-Review

Missing Initialization of Resource

Abstraction: Class · Status: Incomplete

The product does not initialize a critical resource.

96 vulnerabilities reference this CWE, most recent first.

GHSA-5JV4-93FG-HVQC

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2026-01-23 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network

When copying a struct ifaddrlblmsg to the network, __ifal_reserved remained uninitialized, resulting in a 1-byte infoleak:

BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841 __netdev_start_xmit ./include/linux/netdevice.h:4841 netdev_start_xmit ./include/linux/netdevice.h:4857 xmit_one net/core/dev.c:3590 dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606 __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256 dev_queue_xmit ./include/linux/netdevice.h:3009 __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1263 netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272 netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360 nlmsg_unicast ./include/net/netlink.h:1061 rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758 ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628 rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 ... Uninit was created at: slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742 slab_alloc_node mm/slub.c:3398 __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:954 __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975 kmalloc_reserve net/core/skbuff.c:437 __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509 alloc_skb ./include/linux/skbuff.h:1267 nlmsg_new ./include/net/netlink.h:964 ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608 rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082 netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540 rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109 netlink_unicast_kernel net/netlink/af_netlink.c:1319 netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345 netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921 ...

This patch ensures that the reserved field is always initialized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network\n\nWhen copying a `struct ifaddrlblmsg` to the network, __ifal_reserved\nremained uninitialized, resulting in a 1-byte infoleak:\n\n  BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841\n   __netdev_start_xmit ./include/linux/netdevice.h:4841\n   netdev_start_xmit ./include/linux/netdevice.h:4857\n   xmit_one net/core/dev.c:3590\n   dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606\n   __dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256\n   dev_queue_xmit ./include/linux/netdevice.h:3009\n   __netlink_deliver_tap_skb net/netlink/af_netlink.c:307\n   __netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325\n   netlink_deliver_tap net/netlink/af_netlink.c:338\n   __netlink_sendskb net/netlink/af_netlink.c:1263\n   netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272\n   netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360\n   nlmsg_unicast ./include/net/netlink.h:1061\n   rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758\n   ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628\n   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n  ...\n  Uninit was created at:\n   slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742\n   slab_alloc_node mm/slub.c:3398\n   __kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437\n   __do_kmalloc_node mm/slab_common.c:954\n   __kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975\n   kmalloc_reserve net/core/skbuff.c:437\n   __alloc_skb+0x27a/0xab0 net/core/skbuff.c:509\n   alloc_skb ./include/linux/skbuff.h:1267\n   nlmsg_new ./include/net/netlink.h:964\n   ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608\n   rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082\n   netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540\n   rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109\n   netlink_unicast_kernel net/netlink/af_netlink.c:1319\n   netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345\n   netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921\n  ...\n\nThis patch ensures that the reserved field is always initialized.",
  "id": "GHSA-5jv4-93fg-hvqc",
  "modified": "2026-01-23T18:31:22Z",
  "published": "2025-05-01T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49865"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2acb2779b147decd300c117683d5a32ce61c75d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49e92ba5ecd7d72ba369dde2ccff738edd028a47"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/568a47ff756f913e8b374c2af9d22cd2c772c744"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/58cd7fdc8c1e6c7873acc08f190069fed88d1c12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d26d0587abccb9835382a0b53faa7b9b1cd83e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a033b86c7f7621fde31f0364af8986f43b44914f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c23fb2c82267638f9d206cb96bb93e1f93ad7828"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W5F-PVC9-XXPH

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-17T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 78.13, Thunderbird \u003c 91, Firefox ESR \u003c 78.13, and Firefox \u003c 91.",
  "id": "GHSA-5w5f-pvc9-xxph",
  "modified": "2022-05-24T19:11:22Z",
  "published": "2022-05-24T19:11:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29980"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1722204"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202202-03"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-14"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-33"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-34"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-35"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2021-36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62HP-W5VM-G7XM

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2024-02-09 00:31
VLAI
Details

im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-20739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908",
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-20T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.",
  "id": "GHSA-62hp-w5vm-g7xm",
  "modified": "2024-02-09T00:31:33Z",
  "published": "2022-05-24T17:34:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libvips/libvips/issues/1419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libvips/libvips/commit/2ab5aa7bf515135c2b02d42e9a72e4c98e17031a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZULVPQQ4QDFSQCXFYBUXEM7UXJAOKLSP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZULVPQQ4QDFSQCXFYBUXEM7UXJAOKLSP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P9X-F8X6-3GPW

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-07-13 00:00
VLAI
Details

In memory management driver, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05385714.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-27T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In memory management driver, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05385714.",
  "id": "GHSA-6p9x-f8x6-3gpw",
  "modified": "2022-07-13T00:00:58Z",
  "published": "2022-05-24T19:15:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0423"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/September-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R2H-X874-8MCW

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:41
VLAI
Details

The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-11-30T22:14:00Z",
    "severity": "LOW"
  },
  "details": "The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.",
  "id": "GHSA-6r2h-x874-8mcw",
  "modified": "2025-04-11T03:41:28Z",
  "published": "2022-05-13T01:23:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4083"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=648673"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42778"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42789"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42890"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42932"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42963"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43291"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/46397"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2126"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:051"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/09/25/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/10/06/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/10/07/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/10/25/3"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0958.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0004.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0007.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0162.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/43809"
    },
    {
      "type": "WEB",
      "url": "http://www.spinics.net/lists/mm-commits/msg80234.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0012"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0024"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0124"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0168"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0298"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6WP2-FW3V-MFMC

Vulnerability from github – Published: 2021-08-25 20:57 – Updated: 2021-08-24 18:54
VLAI
Summary
Memory corruption in array-tools
Details

An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don't guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone() panics in FixedCapacityDequeLike<T, A>::clone(). This causes memory corruption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "array-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-908",
      "CWE-909"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:24:55Z",
    "nvd_published_at": "2021-08-08T06:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don\u0027t guard against panics, so that partially uninitialized buffer is dropped when user-provided `T::clone()` panics in `FixedCapacityDequeLike\u003cT, A\u003e::clone()`. This causes memory corruption.\n",
  "id": "GHSA-6wp2-fw3v-mfmc",
  "modified": "2021-08-24T18:54:26Z",
  "published": "2021-08-25T20:57:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/L117/array-tools/issues/2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/L117/array-tools"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/array-tools/RUSTSEC-2020-0132.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0132.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Memory corruption in array-tools"
}

GHSA-7W8R-Q58W-5WCR

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2024-03-27 18:32
VLAI
Details

curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.",
  "id": "GHSA-7w8r-q58w-5wcr",
  "modified": "2024-03-27T18:32:37Z",
  "published": "2022-05-24T19:05:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898"
    },
    {
      "type": "WEB",
      "url": "https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1176461"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5197"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2021-22898.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/07/21/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-82VQ-G77C-V2H9

Vulnerability from github – Published: 2024-10-29 03:31 – Updated: 2024-11-08 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

vt: prevent kernel-infoleak in con_font_get()

font.data may not initialize all memory spaces depending on the implementation of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it is safest to modify it to initialize the allocated memory space to 0, and it generally does not affect the overall performance of the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T01:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: prevent kernel-infoleak in con_font_get()\n\nfont.data may not initialize all memory spaces depending on the implementation\nof vc-\u003evc_sw-\u003econ_font_get. This may cause info-leak, so to prevent this, it\nis safest to modify it to initialize the allocated memory space to 0, and it\ngenerally does not affect the overall performance of the system.",
  "id": "GHSA-82vq-g77c-v2h9",
  "modified": "2024-11-08T18:30:47Z",
  "published": "2024-10-29T03:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50076"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e5a17dc77d8a8bbe67040b32e2ef755901aba44"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23c4cb8a56978e5b1baa171d42e616e316c2039d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/adb1f312f38f0d2c928ceaff089262798cc260b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3959d5eca136e0588f9af3867b34032160cb826"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc2d5f02636c7587bdd6d1f60fc59c55860b00a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc794e878e6d79f75205be456b1042a289c5759d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/efc67cee700b89ffbdb74a0603a083ec1290ae31"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f956052e00de211b5c9ebaa1958366c23f82ee9e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8545-CVQV-6PV6

Vulnerability from github – Published: 2022-01-04 00:00 – Updated: 2022-01-14 00:03
VLAI
Details

There is an Uninitialized AOD driver structure in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-03T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Uninitialized AOD driver structure in Smartphones.Successful exploitation of this vulnerability may affect service confidentiality.",
  "id": "GHSA-8545-cvqv-6pv6",
  "modified": "2022-01-14T00:03:24Z",
  "published": "2022-01-04T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39966"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/11"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202111-0000001217889667"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8CW2-JV5C-C825

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-10-21 21:04
VLAI
Summary
Missing Initialization of Resource in Apache Arrow
Details

It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyarrow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "red-arrow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-909"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T14:36:34Z",
    "nvd_published_at": "2019-11-08T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.",
  "id": "GHSA-8cw2-jv5c-c825",
  "modified": "2024-10-21T21:04:09Z",
  "published": "2022-05-24T17:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12408"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2019-195.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12408.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Missing Initialization of Resource in Apache Arrow"
}

Mitigation
Implementation

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.

Mitigation
Implementation

Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

Mitigation
Implementation

Avoid race conditions (CWE-362) during initialization routines.

Mitigation
Build and Compilation

Run or compile your product with settings that generate warnings about uninitialized variables or data.

No CAPEC attack patterns related to this CWE.