CWE-457: Use of Uninitialized Variable

VariantDraftExploit Likelihood: High

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

View on MITRE
Back to CWE Lookup

Extended Description

In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.

Technical Details

Structure
Simple

Applicable To

Languages
CC++PerlPHPNot Language-Specific
Platforms

Frequently Asked Questions

What is CWE-457: Use of Uninitialized Variable?+

CWE-457: Use of Uninitialized Variable is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code uses a variable that has not been initialized, leading to unpredictable or unintended results. In some languages such as C and C++, stack variables are not initialized by default. They generally contain junk data with the contents of stack memory before the function was invoked. An attacker can sometimes control or read these contents. In other languages or conditions, a variable that is not explicitly initialized can be given a default value that has security implications, depending on the logic of the program. The presence of an uninitialized variable can sometimes indicate a typographic error in the code.

What are the security consequences of Use of Uninitialized Variable?+

If exploited, CWE-457 (Use of Uninitialized Variable) it can compromise Availability, Integrity, Other and Authorization, leading to outcomes such as Other.

How do you prevent or mitigate Use of Uninitialized Variable?+

Recommended mitigations for CWE-457 include: Most compilers will complain about the use of uninitialized variables if warnings are turned on. When using a language that does not require explicit declaration of variables, run or compile the software in a mode that reports undeclared or unknown variables. This may indicate the presence of a typographic error in the variable's name. Choose a language that is not susceptible to these issues.

Which programming languages are affected by Use of Uninitialized Variable?+

CWE-457 commonly affects C, C++, Perl, PHP and Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Use of Uninitialized Variable?+

MITRE documents real CVEs mapped to CWE-457, including CVE-2019-15900, CVE-2008-3688, CVE-2008-0081, CVE-2007-4682 and CVE-2007-3468. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-457 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More