Use of Uninitialized Variable
Weakness ID: 457 (Weakness Variant)Status: Draft
+ Description

Description Summary

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

Extended Description

In some languages, such as C, an uninitialized variable contains contents of previously-used memory. An attacker can sometimes control or read these contents.

+ Time of Introduction
  • Implementation
+ Applicable Platforms


C: (Sometimes)

C++: (Sometimes)

Perl: (Often)


+ Common Consequences

Initial variables usually contain junk, which can not be trusted for consistency. This can lead to denial of service conditions, or modify control flow in unexpected ways. In some cases, an attacker can "pre-initialize" the variable using previous actions, which might enable code execution. This can cause a race condition if a lock variable check passes when it should not.


Strings that are not initialized are especially dangerous, since many functions expect a null at the end -- and only at the end -- of a string.

+ Likelihood of Exploit


+ Demonstrative Examples

Example 1

The following switch statement is intended to set the values of the variables aN and bN, but in the default case, the programmer has accidentally set the value of aN twice. As a result, bN will have an undefined value.

(Bad Code)
Example Language:
switch (ctl) {
case -1:
aN = 0;
bN = 0;
case 0:
aN = i;
bN = -i;
case 1:
aN = i + NEXT_SZ;
bN = i - NEXT_SZ;
aN = -1;
aN = -1;
repaint(aN, bN);

Most uninitialized variable issues result in general software reliability problems, but if attackers can intentionally trigger the use of an uninitialized variable, they might be able to launch a denial of service attack by crashing the program. Under the right circumstances, an attacker may be able to control the value of an uninitialized variable by affecting the values on the stack prior to the invocation of the function.

Example 2

Example Languages: C++ and Java 
int foo;
void bar() {
if (foo==0)
+ Observed Examples
CVE-2008-0081Uninitialized variable leads to code execution in popular desktop application.
CVE-2007-4682Crafted input triggers dereference of an uninitialized object pointer.
CVE-2007-3468Crafted audio file triggers crash when an uninitialized variable is used.
CVE-2007-2728Uninitialized random seed variable used.
+ Potential Mitigations

Phase: Implementation

Assign all variables to an initial value.

Phase: Build and Compilation

Most compilers will complain about the use of uninitialized variables if warnings are turned on.

Phase: Requirements

The choice could be made to use a language that is not susceptible to these issues.

Phase: Architecture and Design

Mitigating technologies such as safe string libraries and container abstractions could be introduced.

+ Other Notes

Before variables are initialized, they generally contain junk data of what was left in the memory that the variable takes up. This data is very rarely useful, and it is generally advised to pre-initialize variables or set them to their first values early. If one forgets -- in the C language -- to initialize, for example a char *, many of the simple string libraries may often return incorrect results as they expect the null termination to be at the end of a string.

Stack variables in C and C++ are not initialized by default. Their initial values are determined by whatever happens to be in their location on the stack at the time the function is invoked. Programs should never use the value of an uninitialized variable. It is not uncommon for programmers to use an uninitialized variable in code that handles errors or other rare and exceptional circumstances. Uninitialized variable warnings can sometimes indicate the presence of a typographic error in the code.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class398Indicator of Poor Code Quality
Seven Pernicious Kingdoms (primary)700
ChildOfWeakness BaseWeakness Base456Missing Initialization
Development Concepts (primary)699
Research Concepts (primary)1000
MemberOfViewView630Weaknesses Examined by SAMATE
Weaknesses Examined by SAMATE (primary)630
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPUninitialized variable
7 Pernicious KingdomsUninitialized Variable
+ White Box Definitions

A weakness where the code path has:

1. start statement that defines variable

2. end statement that accesses the variable

3. the code path does not contain a statement that assigns value to the variable

+ References
mercy. "Exploiting Uninitialized Data". Jan 2006. <>.
Microsoft Security Vulnerability Research & Defense. "MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability". 2008-03-11. <>.
+ Content History
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-08-01KDM AnalyticsExternal
added/updated white box definitions
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Common Consequences, Description, Relationships, Observed Example, Other Notes, References, Taxonomy Mappings
2009-01-12CWE Content TeamMITREInternal
updated Common Consequences, Demonstrative Examples, Potential Mitigations
2009-03-10CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Uninitialized Variable