1. Home
  2. CWE Database
  3. CWE-456
Variant · Low-Medium

CWE-456: Missing Initialization of a Variable

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

CWE-456 · Variant Level ·8 CVEs ·2 Mitigations

Description

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

Potential Impact

Integrity, Other

Unexpected State, Quality Degradation, Varies by Context

Demonstrative Examples

This function attempts to extract a pair of numbers from a user-supplied string.
Bad
void parse_data(char *untrusted_input){
                        int m, n, error;error = sscanf(untrusted_input, "%d:%d", &m, &n);if ( EOF == error ){die("Did not specify integer value. Die evil hacker!\n");}
                           /* proceed assuming n and m are initialized correctly */
                           
                        
                     }
This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:
Attack
123:
then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
Bad
private User user;public void someMethod() {
                        
                           
                           // Do something interesting.
                           ...
                           
                           // Throws NPE if user hasn't been properly initialized.
                           String username = user.getName();
                     }
This code first authenticates a user, then allows a delete command if the user is an administrator.
Bad
if (authenticate($username,$password) && setAdmin($username)){$isAdmin = true;}
                     /.../
                     
                     if ($isAdmin){deleteUser($userToDelete);}
The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.
In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.
Bad
public class BankManager {
                     
                        
                           
                           // user allowed to perform bank manager tasks
                           private User user = null;private boolean isUserAuthentic = false;
                           
                           // constructor for BankManager class
                           public BankManager() {...}
                           
                           // retrieve user from database of users
                           public User getUserFromUserDatabase(String username){...}
                           
                           // set user variable using username
                           public void setUser(String username) {this.user = getUserFromUserDatabase(username);}
                           
                           // authenticate user
                           public boolean authenticateUser(String username, String password) {if (username.equals(user.getUsername()) && password.equals(user.getPassword())) {isUserAuthentic = true;}return isUserAuthentic;}
                           
                           // methods for performing bank manager tasks
                           ...
                     }
However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.
Good
public class BankManager {
                     
                        
                           
                           // user allowed to perform bank manager tasks
                           private User user = null;private boolean isUserAuthentic = false;
                           
                           // constructor for BankManager class
                           public BankManager(String username) {user = getUserFromUserDatabase(username);}
                           
                           // retrieve user from database of users
                           public User getUserFromUserDatabase(String username) {...}
                           
                           // authenticate user
                           public boolean authenticateUser(String username, String password) {
                              if (user == null) {System.out.println("Cannot find user " + username);}else {if (password.equals(user.getPassword())) {isUserAuthentic = true;}}return isUserAuthentic;
                           }
                           
                              
                                 
                                 // methods for performing bank manager tasks
                                 ...
                           
                           
                        
                     }

Mitigations & Prevention

Implementation

Ensure that critical variables are initialized before first use [REF-1485].

Requirements

Choose a language that is not susceptible to these issues.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2020-6078Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476
CVE-2019-3836Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
CVE-2018-14641Chain: C union member is not initialized (CWE-456), leading to access of invalid pointer (CWE-824)
CVE-2009-2692Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)
CVE-2020-20739A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
CVE-2005-2978Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
CVE-2005-2109Internal variable in PHP application is not initialized, allowing external modification.
CVE-2005-2193Array variable not initialized in PHP application, leading to resultant SQL injection.

CWE-909: Missing Initialization of Resource

The product does not initialize a critical resource.

CWE-665: Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected s...

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but i...

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than ...

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the inp...

CWE-457: Use of Uninitialized Variable

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

Taxonomy Mappings

  • PLOVER: — Missing Initialization
  • Software Fault Patterns: SFP1 — Glitch in computation
  • CERT C Secure Coding: ERR30-C — Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure
  • SEI CERT Perl Coding Standard: DCL04-PL — Always initialize local variables
  • SEI CERT Perl Coding Standard: DCL33-PL — Declare identifiers before using them
  • OMG ASCSM: ASCSM-CWE-456 —
  • OMG ASCRM: ASCRM-CWE-456 —

Frequently Asked Questions

What is CWE-456?

CWE-456 (Missing Initialization of a Variable) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not initialize critical variables, which causes the execution environment to use unexpected values.

How can CWE-456 be exploited?

Attackers can exploit CWE-456 (Missing Initialization of a Variable) to unexpected state, quality degradation, varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-456?

Key mitigations include: Ensure that critical variables are initialized before first use [REF-1485].

What is the severity of CWE-456?

CWE-456 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 8 real-world CVEs.