The product does not initialize a critical resource.
Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.
14 recorded CVEs are caused by CWE-909 (Missing Initialization of Resource). The highest-severity and most recent are shown first. 1 new CWE-909 CVE has been recorded so far in 2026 (4 in 2025).
AES/CBC Constant IV Vulnerability in ESPTouch v2
What can happen when CWE-909 is exploited.
Read Memory, Read Application Data
Affects: Confidentiality
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
DoS: Crash, Exit, or Restart
Affects: Availability
The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
Typically introduced during these phases of the software lifecycle.
Practical mitigations for CWE-909, grouped by where in the lifecycle they apply.
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Avoid race conditions (CWE-362) during initialization routines.
Run or compile your product with settings that generate warnings about uninitialized variables or data.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Illustrative examples from MITRE showing how the weakness appears in code.
Here, a boolean initialized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
Vulnerable example
```java
private boolean initialized = true;

public void someMethod() {
    // This branch is never taken because the field already starts out true.
    if (!initialized) {
        // perform initialization tasks
        // ...
        initialized = true;
    }
}
```
The following code intends to limit certain operations to the administrator only.
Vulnerable example
```perl
$username = GetCurrentUser();
$state = GetStateData($username);
if (defined($state)) {
    $uid = ExtractUserID($state);
}
# do stuff
# $uid is only assigned on the success path above; on failure it is undefined.
if ($uid == 0) {
    DoPrivilegedOperation();
}
```
If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.
The following code intends to concatenate a string to a variable and print the string.
Vulnerable example
```c
char str[20];
char *test_string;   /* declared but not initialized */
int i;
/* ... */
if (i != err_val) {
    test_string = "Hello World!";
}
/* When i == err_val, test_string still holds an indeterminate value here. */
strcpy(str, test_string);
printf("%s", str);
```
This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.
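The hardened form of the test_string pattern, as an added example that is not MITRE's code: the pointer is explicitly initialized (mitigation above), so the i == err_val path becomes a checked error rather than a read through an indeterminate pointer. The function name build_greeting and the return-code convention are assumptions; compiling the original fragment with GCC's -Wall at -O2 reports test_string as possibly uninitialized, which is the warning-based check the mitigations recommend.

```c
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical helper): returns 0 and writes the greeting
 * into str, or -1 on the path where the original left test_string unset
 * (and also when str is too small for a bounded copy). */
int build_greeting(int i, int err_val, char *str, size_t str_len)
{
    const char *test_string = NULL;   /* explicitly initialized, never indeterminate */

    if (i != err_val) {
        test_string = "Hello World!";
    }

    /* The missing-initialization case is now a visible, testable condition. */
    if (test_string == NULL) {
        if (str_len > 0) {
            str[0] = '\0';
        }
        return -1;
    }

    /* Bounded copy; the original's strcpy into char str[20] assumed the source fit. */
    size_t need = strlen(test_string) + 1;
    if (need > str_len) {
        return -1;
    }
    memcpy(str, test_string, need);
    return 0;
}

int main(void)
{
    char str[20];
    int err_val = 7;   /* constructed sample value */

    if (build_greeting(3, err_val, str, sizeof str) == 0) {
        printf("%s\n", str);
    }
    if (build_greeting(err_val, err_val, str, sizeof str) != 0) {
        printf("initialization skipped; refusing to print str\n");
    }
    return 0;
}
```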
Vulnerable example
```c
test_string = "Hello World!";
```
Safe example
```c
test_string = "Hello World!";
```
Real CVEs that MITRE cites as examples of this weakness.
Common questions about CWE-909.
14 recorded CVEs are attributed to CWE-909, including CVE-2025-8117, CVE-2019-3804, CVE-2024-52870.
Exploiting CWE-909 can lead to: Read Memory, Read Application Data, DoS: Crash, Exit, or Restart.
14 recorded CVEs are caused by CWE-909; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.