CWE-456: Missing Initialization of a Variable
The product does not initialize critical variables, which causes the execution environment to use unexpected values.
Last updated
Overview
CWE-456 (Missing Initialization of a Variable) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
8 recorded CVEs are caused by CWE-456 (Missing Initialization of a Variable). The highest-severity and most recent are shown first.
- CVE-2024-32878High · CVSS 8.8 · EPSS 49th2024-04-26
- CVE-2023-20226High · CVSS 8.6 · EPSS 49th2023-09-27
- CVE-2024-9780
Missing Initialization of a Variable in Wireshark
High · CVSS 7.8 · EPSS 16th2024-10-10 - CVE-2019-3836High · CVSS 7.5 · EPSS 87th2019-04-01
- CVE-2024-54131High · CVSS 7.3 · EPSS 7th2024-12-03
- CVE-2021-34703Medium · CVSS 6.8 · EPSS 63th2021-09-23
- CVE-2018-14641Medium · CVSS 6.5 · EPSS 85th2018-09-18
- CVE-2021-40403Medium · CVSS 6.3 · EPSS 61th2022-02-04
Common consequences
What can happen when CWE-456 is exploited.
Unexpected State, Quality Degradation, Varies by Context
Affects: Integrity, Other
The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-456, grouped by where in the lifecycle they apply.
Ensure that critical variables are initialized before first use [REF-1485].
Choose a language that is not susceptible to these issues.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This function attempts to extract a pair of numbers from a user-supplied string.
Vulnerable example
void parse_data(char *untrusted_input){Attack input
123:Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
Vulnerable example
private User user;This code first authenticates a user, then allows a delete command if the user is an administrator.
Vulnerable example
/.../
if (authenticate($username,$password) && setAdmin($username)){The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.
In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.
Vulnerable example
public class BankManager {Safe example
public class BankManager {However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.
This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.
Vulnerable example
test_string = "Hello World!";Safe example
test_string = "Hello World!";Consider the following merchant server application as implemented in [REF-1475]. It receives card payment information (orderPgData instance in OrderPgData.java) from the payment gateway (such as PayPal). The next step is to complete the payment (finalizeOrder() in Main.java). The merchant server validates the amount (validateAmount() in OrderPgData.java), and if the validation is successful, then the payment is completed.
Vulnerable example
public OrderPgData getOrderPgDataByPgType(String pgType, int productPrice, int paymentAmount) {Vulnerable example
public static void main(String[] args) {Safe example
private boolean isPaymentAmountTampered = true;Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-6078 — Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
- CVE-2019-3836 — Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
- CVE-2018-14641 — Chain: C union member is not initialized (CWE-456), leading to access of invalid pointer (CWE-824)
- CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)
- CVE-2020-20739 — A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
- CVE-2005-2978 — Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
- CVE-2005-2109 — Internal variable in PHP application is not initialized, allowing external modification.
- CVE-2005-2193 — Array variable not initialized in PHP application, leading to resultant SQL injection.
Terminology & mappings
Mapped taxonomies
- PLOVER: Missing Initialization
- Software Fault Patterns: Glitch in computation (SFP1)
- CERT C Secure Coding: Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure (ERR30-C) — CWE More Abstract fit
- SEI CERT Perl Coding Standard: Always initialize local variables (DCL04-PL) — Exact fit
- SEI CERT Perl Coding Standard: Declare identifiers before using them (DCL33-PL) — Imprecise fit
- OMG ASCSM (ASCSM-CWE-456)
- OMG ASCRM (ASCRM-CWE-456)
Frequently asked questions
Common questions about CWE-456.
- What is CWE-456?
- The product does not initialize critical variables, which causes the execution environment to use unexpected values.
- What CVEs are caused by CWE-456?
- 8 recorded CVEs are attributed to CWE-456, including CVE-2024-32878, CVE-2023-20226, CVE-2024-9780.
- How do you prevent CWE-456?
- Ensure that critical variables are initialized before first use [REF-1485].
- How is CWE-456 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-456?
- Exploiting CWE-456 can lead to: Unexpected State, Quality Degradation, Varies by Context.
- Is CWE-456 actively exploited?
- 8 recorded CVEs are caused by CWE-456; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-456) (opens in a new tab)
- CWE-456 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-456
Get alerted the moment a new CWE-456 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.