CWE-665

Nombre

Improper Initialization

Probabilidad

Medio

Estado

Draft

Publicado

2008-04-11
00h00 +00:00

Modificado

2025-12-11
00h00 +00:00

Enlaces oficiales

CWE Mitre.org

Notificaciones para un CWE

Manténgase informado sobre cualquier cambio en un CWE específico.

Gestionar notificaciones

Alertas personalizadas

¡Active sus alertas personalizadas!

Para activar sus alertas, solo necesita iniciar sesión en su cuenta gratuita. Si aún no ha iniciado sesión, elija una de las opciones a continuación.

Iniciar sesión en su cuenta Crear una cuenta gratuita

Notificaciones para un CWE

Manténgase informado sobre cualquier cambio en un CWE específico.

Parámetros

Puede especificar un título que se recuperará en las alertas que se enviarán.

Especifique el ID de CWE que desea monitorear.

Planificación

Mes

Cálculo de la próxima ejecución

Día

Día de la semana

Hora

Minuto

Fecha de creación

Última ejecución

Próxima ejecución

Nombre: Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Descripción CWE

This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.

Informaciones generales

Modos de introducción

Implementation : This weakness can occur in code paths that are not well-tested, such as rare error conditions. This is because the use of uninitialized data would be noticed as a bug during frequently-used functionality.
Operation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Alcance	Impacto	Probabilidad
Confidentiality	Read Memory, Read Application Data Note: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Access Control	Bypass Protection Mechanism Note: If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.
Availability	DoS: Crash, Exit, or Restart Note: The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments.

Ejemplos observados

Referencias	Descripción
CVE-2001-1471	chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection.
CVE-2008-3637	Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution.
CVE-2008-4197	Use of uninitialized memory may allow code execution.
CVE-2008-2934	Free of an uninitialized pointer leads to crash and possible code execution.
CVE-2007-3749	OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges.
CVE-2008-0063	Product does not clear memory contents when generating an error message, leading to information leak.
CVE-2008-0062	Lack of initialization triggers NULL pointer dereference or double-free.
CVE-2008-0081	Uninitialized variable leads to code execution in popular desktop application.
CVE-2008-3688	chain: Uninitialized variable leads to infinite loop.
CVE-2008-3475	chain: Improper initialization leads to memory corruption.
CVE-2008-5021	Composite: race condition allows attacker to modify an object while it is still being initialized, causing software to access uninitialized memory.
CVE-2005-1036	Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
CVE-2008-3597	chain: game server can access player data structures before initialization has happened leading to NULL dereference
CVE-2009-2692	Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)
CVE-2009-0949	chain: improper initialization of memory can lead to NULL dereference
CVE-2009-3620	chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference

Mitigaciones potenciales

Phases : Requirements
Phases : Architecture and Design
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Phases : Implementation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Phases : Implementation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Phases : Implementation
Avoid race conditions (CWE-362) during initialization routines.
Phases : Build and Compilation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
Phases : Testing
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Métodos de detección

Automated Dynamic Analysis

Efectividad : Moderate

Manual Dynamic Analysis

Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is a level-1 Class (i.e., a child of a Pillar). It might have lower-level children that would be more appropriate
Comentario : Examine children of this entry to see if there is a better fit

Patrones de ataque relacionados

CAPEC-ID	Nombre del patrón de ataque
CAPEC-26	Leveraging Race Conditions The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29	Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

Referencias

REF-436

Exploiting Uninitialized Data
mercy.
https://web.archive.org/web/20070403193636/http://www.felinemenace.org/~mercy/papers/UBehavior/UBehavior.zip

REF-437

MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability
Microsoft Security Vulnerability Research & Defense.
https://msrc.microsoft.com/blog/2008/03/ms08-014-the-case-of-the-uninitialized-stack-variable-vulnerability/

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

Envío

Nombre	Organización	Fecha	Fecha de lanzamiento	Version
PLOVER		2008-04-11 +00:00	2008-04-11 +00:00	Draft 9

Modificaciones

Nombre	Organización	Fecha	Comentario
Sean Eidemiller	Cigital	2008-07-01 +00:00	added/updated demonstrative examples
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2008-11-24 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2009-01-12 +00:00	updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Weakness_Ordinalities
CWE Content Team	MITRE	2009-03-10 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2009-05-27 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2009-07-27 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2009-10-29 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2010-02-16 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2010-04-05 +00:00	updated Applicable_Platforms
CWE Content Team	MITRE	2010-06-21 +00:00	updated Detection_Factors, Potential_Mitigations
CWE Content Team	MITRE	2010-09-27 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2011-09-13 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-05-11 +00:00	updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2013-02-21 +00:00	updated Demonstrative_Examples, Relationships
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-01-19 +00:00	updated Type
CWE Content Team	MITRE	2017-11-08 +00:00	updated References, Taxonomy_Mappings
CWE Content Team	MITRE	2019-01-03 +00:00	updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2020-06-25 +00:00	updated Relationships
CWE Content Team	MITRE	2020-08-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-12-10 +00:00	updated Relationships
CWE Content Team	MITRE	2021-03-15 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description, Potential_Mitigations, Relationships
CWE Content Team	MITRE	2023-04-27 +00:00	updated Detection_Factors, References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Relationships
CWE Content Team	MITRE	2024-02-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2025-09-09 +00:00	updated References, Relationships
CWE Content Team	MITRE	2025-12-11 +00:00	updated Observed_Examples

Detalle CWE-665