CWE-665Improper Initialization

Description

Common consequences· 3

• Confidentiality — Read Memory, Read Application Data
  When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
• Access Control — Bypass Protection Mechanism
  If security-critical decisions rely on a variable having a "0" or equivalent value, and the programming language performs this initialization on behalf of the programmer, then a bypass of security may occur.
• Availability — DoS: Crash, Exit, or Restart
  The uninitialized data may contain values that cause program flow to change in ways that the programmer did not intend. For example, if an uninitialized variable is used as an array index in C, then its previous contents may produce an index that is outside the range of the array, possibly causing a crash or an exit in other environments.

Potential mitigations· 5

• [Requirements]
• [Architecture and Design]Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
• [Implementation]Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
• [Implementation]Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
• [Implementation]Avoid race conditions (CWE-362) during initialization routines.

Related CAPEC attack patterns· 2

Exploits (incoming)2

(incoming)3

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.