Use of Uninitialized Variable| ID: 457 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The code uses a variable that has not been initialized, leading
to unpredictable or unintended results.
Extended DescriptionIn some languages, such as C, an uninitialized variable contains contents
of previously-used memory. An attacker can sometimes control or read these
contents.
Likelihood of Exploit: High
Applicable PlatformsLanguage: SometimesLanguage: CLanguage: SometimesLanguage: C++Language: OftenLanguage: PerlLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| AvailabilityIntegrityOther | Other | Initial variables usually contain junk, which can not be trusted for
consistency. This can lead to denial of service conditions, or modify
control flow in unexpected ways. In some cases, an attacker can
"pre-initialize" the variable using previous actions, which might enable
code execution. This can cause a race condition if a lock variable check
passes when it should not. |
| AuthorizationOther | Other | Strings that are not initialized are especially dangerous, since many
functions expect a null at the end -- and only at the end -- of a
string. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Assign all variables to an initial value. | | |
| Build and Compilation | | Most compilers will complain about the use of uninitialized variables
if warnings are turned on. | | |
| Requirements | | The choice could be made to use a language that is not susceptible to
these issues. | | |
| Architecture and Design | | Mitigating technologies such as safe string libraries and container
abstractions could be introduced. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-457 ChildOf CWE-885 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following switch statement is intended to set the values of the
variables aN and bN before they are used:
- This code prints a greeting using information stored in a POST
request:
Observed Examples
- CVE-2008-0081 : Uninitialized variable leads to code execution in popular desktop application.
- CVE-2007-4682 : Crafted input triggers dereference of an uninitialized object pointer.
- CVE-2007-3468 : Crafted audio file triggers crash when an uninitialized variable is used.
- CVE-2007-2728 : Uninitialized random seed variable used.
For more examples, refer to CVE relations in the bottom box.
White Box DefinitionsA weakness where the code path has:1. start statement that defines variable2. end statement that accesses the variable3. the code path does not contain a statement that assigns value to
the variable
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Uninitialized variable | |
| 7 Pernicious Kingdoms | | Uninitialized Variable | |
References:
- mercy .Exploiting Uninitialized Data. Published on Jan 2006.
- Microsoft Security Vulnerability Research &
Defense .MS08-014 : The Case of the Uninitialized Stack Variable
Vulnerability. 2008-03-11.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 8: C++ Catastrophes." Page 143'. Published on 2010.
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 7, "Variable Initialization", Page
312.'. Published on 2006.
