CWE-909: Missing Initialization of Resource
The product does not initialize a critical resource.
Last updated
Overview
Many resources require initialization before they can be properly used. If a resource is not initialized, it could contain unpredictable or expired data, or it could be initialized to defaults that are invalid. This can have security implications when the resource is expected to have certain properties or values.
Real-world CVEs
14 recorded CVEs are caused by CWE-909 (Missing Initialization of Resource). The highest-severity and most recent are shown first. 1 new CWE-909 CVE has been recorded so far in 2026 (4 in 2025).
- CVE-2026-40687Critical · CVSS 9.1 · EPSS 30th2026-04-30
- CVE-2020-12523Critical · CVSS 9.1 · EPSS 55th2020-12-17
- CVE-2025-8117
Account Takeover via Reset Password Functionality in PAD CMS
High · CVSS 8.7 · EPSS 17th2025-09-30 - CVE-2019-3804High · CVSS 7.5 · EPSS 91th2019-03-26
- CVE-2024-52870High · CVSS 7.1 · EPSS 7th2025-01-17
- CVE-2024-53845
AES/CBC Constant IV Vulnerability in ESPTouch v2
Medium · CVSS 6.6 · EPSS 43th2024-12-11 - CVE-2024-27913Medium · CVSS 6.5 · EPSS 24th2024-02-28
- CVE-2021-28167Medium · CVSS 6.5 · EPSS 62th2021-04-21
- CVE-2022-0175Medium · CVSS 5.5 · EPSS 23th2022-08-26
- CVE-2022-0382Medium · CVSS 5.5 · EPSS 31th2022-02-11
- CVE-2024-32945Medium · CVSS 5.3 · EPSS 15th2024-07-15
- CVE-2025-54410
Moby's Firewalld reload removes bridge network isolation
Medium · CVSS 5.2 · EPSS 5th2025-07-30
Showing 12 of 14 recorded CWE-909 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-909 vulnerabilitiesCommon consequences
What can happen when CWE-909 is exploited.
Read Memory, Read Application Data
Affects: Confidentiality
When reusing a resource such as memory or a program variable, the original contents of that resource may not be cleared before it is sent to an untrusted party.
DoS: Crash, Exit, or Restart
Affects: Availability
The uninitialized resource may contain values that cause program flow to change in ways that the programmer did not intend.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-909, grouped by where in the lifecycle they apply.
Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
Avoid race conditions (CWE-362) during initialization routines.
Run or compile your product with settings that generate warnings about uninitialized variables or data.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.
Vulnerable example
private boolean initialized = true;The following code intends to limit certain operations to the administrator only.
Vulnerable example
# do stuff
$username = GetCurrentUser();If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.
The following code intends to concatenate a string to a variable and print the string.
Vulnerable example
char str[20];This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.
Vulnerable example
test_string = "Hello World!";Safe example
test_string = "Hello World!";Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-20739 — A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
- CVE-2005-1036 — Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
Frequently asked questions
Common questions about CWE-909.
- What is CWE-909?
- The product does not initialize a critical resource.
- What CVEs are caused by CWE-909?
- 14 recorded CVEs are attributed to CWE-909, including CVE-2026-40687, CVE-2020-12523, CVE-2025-8117.
- How do you prevent CWE-909?
- Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all specified steps.
- How is CWE-909 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-909?
- Exploiting CWE-909 can lead to: Read Memory, Read Application Data, DoS: Crash, Exit, or Restart.
- Is CWE-909 actively exploited?
- 14 recorded CVEs are caused by CWE-909; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-909) (opens in a new tab)
- CWE-909 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-909
Get alerted the moment a new CWE-909 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.