Variant weakness

Draft

CWE-456: Missing Initialization of a Variable

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

CWE-456 (Missing Initialization of a Variable) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This function attempts to extract a pair of numbers from a user-supplied string.

Vulnerable example

void parse_data(char *untrusted_input){

Attack input

plaintext

123:

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

Vulnerable example

java

private User user;

This code first authenticates a user, then allows a delete command if the user is an administrator.

Vulnerable example

php

/.../
if (authenticate($username,$password) && setAdmin($username)){

The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.

Vulnerable example

java

public class BankManager {

Safe example

java

public class BankManager {

However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.

This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.

Vulnerable example

test_string = "Hello World!";

Safe example

test_string = "Hello World!";

Consider the following merchant server application as implemented in [REF-1475]. It receives card payment information (orderPgData instance in OrderPgData.java) from the payment gateway (such as PayPal). The next step is to complete the payment (finalizeOrder() in Main.java). The merchant server validates the amount (validateAmount() in OrderPgData.java), and if the validation is successful, then the payment is completed.

Vulnerable example

java

public OrderPgData getOrderPgDataByPgType(String pgType, int productPrice, int paymentAmount) {

Vulnerable example

java

public static void main(String[] args) {

Safe example

java

private boolean isPaymentAmountTampered = true;

CWE-456: Missing Initialization of a Variable

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-456?

What CVEs are caused by CWE-456?

How do you prevent CWE-456?

How is CWE-456 detected?

What are the consequences of CWE-456?

Is CWE-456 actively exploited?

References

Stay ahead of CWE-456

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Can precede

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-456?

What CVEs are caused by CWE-456?

How do you prevent CWE-456?

How is CWE-456 detected?

What are the consequences of CWE-456?

Is CWE-456 actively exploited?

References

Stay ahead of CWE-456