CWE•Class•Draft•8 recent CVEs
CWE-665Improper Initialization
Description
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.
Common consequences
- Confidentiality→Read Memory,Read Application DataWhen reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
- Access Control→Bypass Protection MechanismIf security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.
- Availability→DoS: Crash, Exit, or RestartThe uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an inde
Potential mitigations
- Requirements[object Object]
- Architecture and DesignIdentify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
- ImplementationExplicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
- ImplementationPay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
- ImplementationAvoid race conditions (CWE-362) during initialization routines.
- Build and CompilationRun or compile your product with settings that generate warnings about uninitialized variables or data.