The product does not initialize critical variables, which causes the execution environment to use unexpected values.
Ensure that critical variables are initialized before first use [REF-1485].
Choose a language that is not susceptible to these issues.
The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2020-6078Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
CVE-2019-3836Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
CVE-2018-14641Chain: C union member is not initialized (CWE-456), leading to access of invalid pointer (CWE-824)
CVE-2009-2692Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)
CVE-2020-20739A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage