VYPR

CWE-909

Missing Initialization of Resource

Class | Incomplete | Likelihood: Medium

Description

The product does not initialize a critical resource.

Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.

CVEs mapped to this weakness (26)

  • CVE-2005-1036 | High | May 2, 2005
    risk 0.51 | cvss 7.8 | epss 0.00

    FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain…

  • CVE-2018-14647 | High | Sep 25, 2018
    risk 0.50 | cvss 7.5 | epss 0.11

    Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data…

  • CVE-2018-1000224 | High | Aug 20, 2018
    risk 0.49 | cvss 7.5 | epss 0.04

    Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size checks, integer overflow, missing padding initialization vulnerability in (De)Serialization functions (core/io/marshalls.cpp) that can…

  • CVE-2018-10811 | High | Jun 19, 2018
    risk 0.49 | cvss 7.5 | epss 0.07

    strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.

  • CVE-2024-52870 | High | Jan 17, 2025
    risk 0.46 | cvss 7.1 | epss 0.00

    Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com access, but provides unintended functionality (including Chromium Developer Tools) that can result in a client user accessing arbitrary remote websites.

  • CVE-2026-43040 | High | May 1, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink…

  • CVE-2024-53845 | Medium | Dec 12, 2024
    risk 0.36 | cvss | epss 0.01

    ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and…

  • CVE-2018-9511 | Medium | Oct 2, 2018
    risk 0.36 | cvss 5.5 | epss 0.00

    In ipSecSetEncapSocketOwner of XfrmController.cpp, there is a possible failure to initialize a security feature due to uninitialized data. This could lead to local denial of service of IPsec on sockets with no additional execution privileges needed. User interaction is not…

  • CVE-2017-0730 | Medium | Aug 9, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    A denial of service vulnerability in the Android media framework (h264 decoder). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36279112.

  • CVE-2026-40687 | Medium | Apr 30, 2026
    risk 0.31 | cvss 4.8 | epss 0.00

    In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.

  • CVE-2021-22898 | Low | Jun 11, 2021
    risk 0.13 | cvss 3.1 | epss 0.04

    curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl…

  • CVE-2025-54410 | Jul 30, 2025
    risk 0.00 | cvss | epss 0.00

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker…

  • CVE-2025-54388 | Jul 30, 2025
    risk 0.00 | cvss | epss 0.00

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables…

  • CVE-2019-25054 | Dec 26, 2021
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in the pnet crate before 0.27.2 for Rust. There is a segmentation fault (upon attempted dereference of an uninitialized descriptor) because of an erroneous IcmpTransportChannelIterator compiler optimization.

  • CVE-2020-36452 | Aug 8, 2021
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in the array-tools crate before 0.3.2 for Rust. FixedCapacityDequeLike::clone() has a drop of uninitialized memory.

  • CVE-2019-12408 | Nov 8, 2019
    risk 0.00 | cvss | epss 0.03

    It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had an uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally…

  • CVE-2019-12410 | Nov 8, 2019
    risk 0.00 | cvss | epss 0.05

    While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The…

  • CVE-2011-1044 | Feb 18, 2011
    risk 0.00 | cvss | epss 0.00

    The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to…

  • CVE-2010-3877 | Jan 3, 2011
    risk 0.00 | cvss | epss 0.00

    The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

  • CVE-2010-3876 | Jan 3, 2011
    risk 0.00 | cvss | epss 0.00

    net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the…