VYPR

CWE-457

Use of Uninitialized Variable

Abstraction: Variant
Status: Draft
Likelihood: High

Description

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.
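The stack-junk behaviour the description refers to, as an added C example that is not code from this page or from any product listed below: a partially assigned stack struct is serialized byte for byte, so its padding and the unused tail of a field leak whatever an earlier call left on the stack, shown beside the hardened form that clears the object first. The record layout, the function names and the `out` buffer (assumed to hold `sizeof(struct record)` bytes) are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout: a 16-bit field before a 32-bit one leaves two padding bytes on common ABIs. */
struct record {
    uint16_t flags;
    uint32_t id;
    char     name[8];
};

/* CWE-457 pattern: 'r' is a stack object with no initializer, only part of it
   is assigned, then the whole object is copied out. The padding and the unused
   tail of 'name' still hold whatever earlier calls left on the stack. */
size_t serialize_leaky(uint32_t id, const char *name, unsigned char *out)
{
    struct record r;                          /* indeterminate contents */
    size_t n = strlen(name);
    if (n > sizeof r.name) n = sizeof r.name;
    r.flags = 1;
    r.id = id;
    memcpy(r.name, name, n);                  /* r.name[n..7] never written */
    memcpy(out, &r, sizeof r);                /* copies junk bytes too */
    return sizeof r;
}

/* Hardened form: clear the whole object first. memset rather than '= {0}',
   because an initializer need not zero padding, and padding is what a byte-wise serializer copies. */
size_t serialize_fixed(uint32_t id, const char *name, unsigned char *out)
{
    struct record r;
    size_t n = strlen(name);
    if (n > sizeof r.name) n = sizeof r.name;
    memset(&r, 0, sizeof r);                  /* every byte now defined */
    r.flags = 1;
    r.id = id;
    memcpy(r.name, name, n);
    memcpy(out, &r, sizeof r);
    return sizeof r;
}

/* Check: bytes the serializer did not assign (padding after 'flags', tail of 'name') must be zero. Returns 1 if so. */
int unassigned_bytes_zero(const unsigned char *buf, size_t name_len)
{
    for (size_t i = sizeof(uint16_t); i < offsetof(struct record, id); i++)
        if (buf[i] != 0) return 0;
    for (size_t i = offsetof(struct record, name) + name_len; i < sizeof(struct record); i++)
        if (buf[i] != 0) return 0;
    return 1;
}
```

Running the leaky variant under MemorySanitizer or Valgrind flags the copy of `r` as a use of uninitialised memory; the fixed variant passes the check above on every build.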

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (75)

page 1 of 4
  • CVE-2026-6748 (Critical), Apr 21, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2009-0901 (High), Jul 29, 2009
    risk 0.61 | cvss 8.8 | epss 0.42

    The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does…

  • CVE-2026-2806 (Critical), Feb 24, 2026
    risk 0.59 | cvss 9.1 | epss 0.00

    Uninitialized memory in the Graphics: Text component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

  • CVE-2025-20271 (High), Jun 18, 2025
    risk 0.56 | cvss 8.6 | epss 0.00

    A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. This…

  • CVE-2026-10960 (High), Jun 4, 2026
    risk 0.54 | cvss 8.3 | epss 0.00

    Uninitialized Use in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-9972 (High), May 28, 2026
    risk 0.54 | cvss 8.3 | epss 0.00

    Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-6311 (High), Apr 15, 2026
    risk 0.54 | cvss 8.3 | epss 0.00

    Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

  • CVE-2025-9450 (High), Sep 17, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    A Use of Uninitialized Variable vulnerability affecting the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 could allow an attacker to execute arbitrary code while opening a specially crafted JT file.

  • CVE-2025-6974 (High), Jul 15, 2025
    risk 0.51 | cvss 7.8 | epss 0.00

    Use of Uninitialized Variable vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted JT file.

  • CVE-2024-10204 (High), Nov 19, 2024
    risk 0.51 | cvss 7.8 | epss 0.00

    Heap-based Buffer Overflow and Uninitialized Variable vulnerabilities exist in the X_B and SAT file reading procedure in eDrawings from Release SOLIDWORKS 2024 through Release SOLIDWORKS 2025. These vulnerabilities could allow an attacker to execute arbitrary code while opening…

  • CVE-2024-1848 (High), Mar 22, 2024
    risk 0.51 | cvss 7.8 | epss 0.00

    Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024. These…

  • CVE-2025-20212 (High), Apr 2, 2025
    risk 0.50 | cvss 7.7 | epss 0.01

    A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this…

  • CVE-2026-9963 (High), May 28, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Uninitialized Use in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2025-2520 (High), Jul 10, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    The Honeywell Experion PKS contains an Uninitialized Variable in the common Epic Platform Analyzer (EPA) communications. An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which results in a dereferencing of an…

  • CVE-2011-0539 (High), Feb 10, 2011
    risk 0.49 | cvss 7.5 | epss 0.02

    The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it…

  • CVE-2026-10976 (High), Jun 4, 2026
    risk 0.48 | cvss 7.4 | epss 0.00

    Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-10973 (High), Jun 4, 2026
    risk 0.48 | cvss 7.4 | epss 0.01

    Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-20051 (High), Feb 25, 2026
    risk 0.48 | cvss 7.4 | epss 0.00

    A vulnerability with the Ethernet VPN (EVPN) Layer 2 ingress packet processing of Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500-R Series Switching Platforms could allow an unauthenticated, adjacent attacker to trigger a Layer 2 traffic loop. This vulnerability is…

  • CVE-2026-6751 (High), Apr 21, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

  • CVE-2025-10021 (High), Dec 22, 2025
    risk 0.46 | cvss n/a | epss 0.00

    A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects…