ClassIncomplete

CWE-909Missing Initialization of Resource

Category: logic

Description

The product does not initialize a critical resource. Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.

Common consequences· 2

  • Confidentiality — Read Memory, Read Application Data
    When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
  • Availability — DoS: Crash, Exit, or Restart
    The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.

Potential mitigations· 4

  • [Implementation]Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
  • [Implementation]Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
  • [Implementation]Avoid race conditions (CWE-362) during initialization routines.
  • [Build and Compilation]Run or compile your product with settings that generate warnings about uninitialized variables or data.

References

  1. https://cwe.mitre.org/data/definitions/909.html

(incoming)1

TypeTargetConfidenceTier
VulnerabilityCVE-2026-40687cve-2026-406870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Incorrect Initialization of Resource
CWE
Improper Initialization
CWE
Use of Uninitialized Resource
CWE
Initialization of a Resource with an Insecure Default
CWE
Unverified Ownership
CWE
Initialization with Hard-Coded Network Resource Configuration Data
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.