VYPR

CWE-457

Use of Uninitialized Variable

VariantDraftLikelihood: High

Description

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (75)

page 3 of 4
  • CVE-2026-26824MedJun 3, 2026
    risk 0.42cvss 6.5epss 0.00

    libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may…

  • CVE-2026-9917MedMay 28, 2026
    risk 0.42cvss 6.5epss 0.00

    Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-10008MedMay 28, 2026
    risk 0.42cvss 6.5epss 0.00

    Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-7982MedMay 6, 2026
    risk 0.42cvss 6.5epss 0.00

    Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-7924MedMay 6, 2026
    risk 0.42cvss 6.5epss 0.00

    Uninitialized Use in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-5888MedApr 8, 2026
    risk 0.42cvss 6.5epss 0.00

    Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-4147MedMar 17, 2026
    risk 0.42cvss 6.5epss 0.00

    An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.

  • CVE-2025-9181MedAug 19, 2025
    risk 0.42cvss 6.5epss 0.00

    Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

  • CVE-2025-8027MedJul 22, 2025
    risk 0.42cvss 6.5epss 0.00

    On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141,…

  • CVE-2025-26383MedJun 11, 2025
    risk 0.41cvss epss 0.00

    The iSTAR Configuration Utility (ICU) tool leaks memory, which could result in the unintended exposure of unauthorized data from the Windows PC that ICU is running on.

  • CVE-2025-29952MedFeb 10, 2026
    risk 0.38cvss epss 0.00

    Improper Initialization within the AMD Secure Encrypted Virtualization (SEV) firmware can allow an admin privileged attacker to corrupt RMP covered memory, potentially resulting in loss of guest memory integrity

  • CVE-2025-13763MedApr 23, 2026
    risk 0.37cvss 5.7epss 0.00

    Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs

  • CVE-2026-22188MedJan 7, 2026
    risk 0.36cvss 5.5epss 0.00

    The deploy-stub component in Panda3D versions up to and including 1.10.16 contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc…

  • CVE-2024-9355MedOct 1, 2024
    risk 0.35cvss 6.5epss 0.00

    A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when…

  • CVE-2026-11696MedJun 9, 2026
    risk 0.34cvss 5.3epss 0.00

    Uninitialized Use in Video in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-8020MedMay 6, 2026
    risk 0.34cvss 5.3epss 0.00

    Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-7955MedMay 6, 2026
    risk 0.34cvss 5.3epss 0.00

    Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-9942MedMay 28, 2026
    risk 0.33cvss 5.0epss 0.00

    Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

  • CVE-2026-11668MedJun 9, 2026
    risk 0.28cvss 4.3epss 0.00

    Uninitialized Use in Codecs in Google Chrome on Linux, ChromeOS prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted video file. (Chromium security severity: High)

  • CVE-2026-11159MedJun 4, 2026
    risk 0.28cvss 4.3epss 0.00

    Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)