
CWE-908: Use of Uninitialized Resource

Abstraction: Base
Likelihood of exploit: Medium

What it is

The product uses or accesses a resource that has not been initialized.

When a resource has not been properly initialized, the product may behave unexpectedly. This may lead to a crash or invalid memory access, but the consequences vary depending on the type of resource and how it is used within the product.

Impact

  • Confidentiality: Read Memory, Read Application Data
  • Availability: DoS: Crash, Exit, or Restart

Mitigations

  • [Implementation] Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
  • [Implementation] Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
  • [Implementation] Avoid race conditions (CWE-362) during initialization routines.
  • [Build and Compilation] Run or compile the product with settings that generate warnings about uninitialized variables or data.
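The first two mitigations in practice, as an added example that is not part of the CWE entry: a constructed record-header parser (names, layout and flag value are assumed) whose unsafe variant stores the length field on only one branch of a conditional, beside a hardened variant that defines every output field before branching.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed record header: flags byte, optional little-endian length word. */
struct header {
    uint8_t  flags;
    uint16_t length;
    int      valid;
};
#define FLAG_HAS_LENGTH 0x01

/* CWE-908 pattern: out->length is written on only one branch, so a caller
 * reading it for a header without FLAG_HAS_LENGTH gets leftover memory. */
int parse_header_unsafe(const uint8_t *buf, size_t n, struct header *out)
{
    if (n < 1) return -1;
    out->flags = buf[0];
    if (out->flags & FLAG_HAS_LENGTH) {
        if (n < 3) return -1;
        out->length = (uint16_t)(buf[1] | (buf[2] << 8));
    }
    out->valid = 1;
    return 0;
}

/* Hardened: define every output field before any branch, so each return
 * path (including the early error returns) leaves *out fully initialized. */
int parse_header_safe(const uint8_t *buf, size_t n, struct header *out)
{
    memset(out, 0, sizeof *out);
    if (n < 1) return -1;
    out->flags = buf[0];
    if (out->flags & FLAG_HAS_LENGTH) {
        if (n < 3) return -1;
        out->length = (uint16_t)(buf[1] | (buf[2] << 8));
    }
    out->valid = 1;
    return 0;
}

int main(void)
{
    const uint8_t no_len[] = { 0x00 };  /* constructed input: no length field */
    struct header h;                    /* deliberately left uninitialized */
    parse_header_unsafe(no_len, sizeof no_len, &h);
    printf("unsafe: length=%u (indeterminate; MemorySanitizer flags this)\n", h.length);
    parse_header_safe(no_len, sizeof no_len, &h);
    printf("safe:   length=%u\n", h.length);   /* always 0 */
    return 0;
}
```

Compiling with -Wall -Wextra does not flag the unsafe case here, because the missing store is in the callee and the read is in the caller, which is why the build-time mitigation above is best paired with a run-time check such as clang's -fsanitize=memory.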

Real-world CVE examples

  • CVE-2019-9805 — Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory
  • CVE-2008-4197 — Use of uninitialized memory may allow code execution.
  • CVE-2008-2934 — Free of an uninitialized pointer leads to crash and possible code execution.
  • CVE-2008-0063 — Product does not clear memory contents when generating an error message, leading to information leak.
  • CVE-2008-0062 — Lack of initialization triggers NULL pointer dereference or double-free.
  • CVE-2008-0081 — Uninitialized variable leads to code execution in popular desktop application.
  • CVE-2008-3688 — Chain: Uninitialized variable leads to infinite loop.
  • CVE-2008-3475 — Chain: Improper initialization leads to memory corruption.
  • CVE-2005-1036 — Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap
  • CVE-2008-3597 — Chain: game server can access player data structures before initialization has happened leading to NULL dereference
  • CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer derefer
  • CVE-2009-0949 — Chain: improper initialization of memory can lead to NULL dereference


Source: MITRE CWE. View on cwe.mitre.org →