CWE-908 - Use of Uninitialized Resource
- Abstraction:Base
- Structure:Simple
- Status:Incomplete
- Release Date:2013-02-21
- Latest Modification Date:2023-06-29
Weakness Name
Use of Uninitialized Resource
Description
The product uses or accesses a resource that has not been initialized.
When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.
Common Consequences
Scope: Confidentiality
Impact: Read Memory, Read Application Data
Notes: When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
Scope: Availability
Impact: DoS: Crash, Exit, or Restart
Notes: The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Related Weaknesses
Legacy Stripe API Exploited to Validate Stolen Payment Cards in Web Skimmer Campaign
Europol Dismantles Kidflix With 72,000 CSAM Videos Seized in Major Operation
Genetic data site openSNP to close and delete data over privacy concerns
Verizon Call Filter API flaw exposed customers' incoming call history
GitHub expands security tools after 39 million secrets leaked in 2024
Royal Mail investigates data leak claims, no impact on operations
Police shuts down KidFlix child sexual exploitation platform
The Reality Behind Security Control Failures—And How to Prevent Them
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
HighPath Traversal
InformationalCross Site Scripting (Persistent) - Spider
InformationalCookie Poisoning
InformationalInformation Disclosure - Suspicious Comments