LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-665

CWE-665

Improper Initialization

Class EXPLOIT LIKELIHOOD: MEDIUM

What it is

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

This can have security implications when the associated resource is expected to have certain properties or values, such as a variable that determines whether a user has been authenticated or not.

Impact

ConfidentialityRead Memory, Read Application Data
Access ControlBypass Protection Mechanism
AvailabilityDoS: Crash, Exit, or Restart

Mitigations

  • [Requirements]Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initial
  • [Architecture and Design] Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
  • [Implementation] Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
  • [Implementation] Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
  • [Implementation] Avoid race conditions (CWE-362) during initialization routines.
  • [Build and Compilation] Run or compile your product with settings that generate warnings about uninitialized variables or data.

Real-world CVE examples

  • CVE-2001-1471 — chain: an invalid value prevents a library file from being included, skipping initialization of key variables, leading to resultant eval injection.
  • CVE-2008-3637 — Improper error checking in protection mechanism produces an uninitialized variable, allowing security bypass and code execution.
  • CVE-2008-4197 — Use of uninitialized memory may allow code execution.
  • CVE-2008-2934 — Free of an uninitialized pointer leads to crash and possible code execution.
  • CVE-2007-3749 — OS kernel does not reset a port when starting a setuid program, allowing local users to access the port and gain privileges.
  • CVE-2008-0063 — Product does not clear memory contents when generating an error message, leading to information leak.
  • CVE-2008-0062 — Lack of initialization triggers NULL pointer dereference or double-free.
  • CVE-2008-0081 — Uninitialized variable leads to code execution in popular desktop application.
  • CVE-2008-3688 — chain: Uninitialized variable leads to infinite loop.
  • CVE-2008-3475 — chain: Improper initialization leads to memory corruption.
  • CVE-2008-5021 — Composite: race condition allows attacker to modify an object while it is still being initialized, causing software to access uninitialized memory.
  • CVE-2005-1036 — Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top