logo

Missing Initialization of a Variable

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.

Extended Description

Missing initialization is a common coding mistake that can lead to crashes, incorrect calculations, or security bypasses. The risk is highest when the uninitialized variable controls security logic, like an authentication flag, or influences critical operations. Developers should proactively initialize all variables upon declaration, especially those used in security checks or before any conditional assignment. While SAST tools can detect this pattern, managing it across a large, evolving codebase is challenging. An ASPM platform like Plexicus uses AI to not only identify these flaws but also to suggest the precise code fix, automating remediation and saving significant manual review time.
Common Consequences 1
Scope: IntegrityOther

Impact: Unexpected StateQuality DegradationVaries by Context

The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 2
Phase: Implementation

Strategy: Attack Surface Reduction

Ensure that critical variables are initialized before first use [REF-1485].
Phase: Requirements

Strategy: Language Selection

Choose a language that is not susceptible to these issues.
Demonstrative Examples 6
This function attempts to extract a pair of numbers from a user-supplied string.

Code Example:

Bad
C
c

/* proceed assuming n and m are initialized correctly / }

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

Code Example:

Attack
bash
then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (Use of Uninitialized Variable).
Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

Code Example:

Bad
Java
java

// Do something interesting.* ...

java
This code first authenticates a user, then allows a delete command if the user is an administrator.

Code Example:

Bad
PHP
php

/.../*

php
The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.
In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.
Code Example:
Bad
Java
java


// user allowed to perform bank manager tasks*
private User user = null;
private boolean isUserAuthentic = false;


java


java


// set user variable using username*
public void setUser(String username) {
```
this.user = getUserFromUserDatabase(username);
}


java


// methods for performing bank manager tasks*
...}
However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.
Code Example:
Good
Java
java


// user allowed to perform bank manager tasks*
private User user = null;
private boolean isUserAuthentic = false;


java


java


// methods for performing bank manager tasks*
...
}
ID : DX-144
This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (Missing Initialization of a Variable). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.
Code Example:
Bad
C
char *test_string;
if (i != err_val)
{


c
When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (Use of Uninitialized Variable).


 To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf().


One solution would be to set test_string to an acceptable default before the conditional:
Code Example:
Good
C
char *test_string = "Done at the beginning";
if (i != err_val)
{


c
Another solution is to ensure that each branch of the conditional - including the default/else branch - could ensure that test_string is set:
Code Example:
Good
C
char *test_string;
if (i != err_val)
{


c
Consider the following merchant server application as implemented in [REF-1475]. It receives card payment information (orderPgData instance in OrderPgData.java) from the payment gateway (such as PayPal). The next step is to complete the payment (finalizeOrder() in Main.java). The merchant server validates the amount (validateAmount() in OrderPgData.java), and if the validation is successful, then the payment is completed.
Code Example:
Bad
Java
File: OrderPgData.java


public class OrderPgData {


java
Code Example:
Bad
Java
File: PgServiceResolver.java


public class PgServiceResolver {


java
Code Example:
Bad
Java
File: Main.java


public class Main {


java
In PgServiceResolver.java, when pgType is "card" indicating a card payment, orderPgData.validateAmount() is not called - that is, the amount is not validated to be the same as the expected price.


Since isPaymentAmountTampered is declared as a private boolean, but it is not initialized, it is forcibly initialized to false by the Java compiler [REF-1476].


If the adversary modifies the price, e.g., changing paymentAmount from 100 to 10, then no validation is performed. Since isPaymentAmountTampered is "false" because of the default initialization, the code finishes processing the payment because it does not believe that the amount has been changed.
This weakness could be addressed by setting the value of isPaymentAmountTampered to true. This is a "secure-by-default" value that reflects a "default deny" policy - i.e., it's assumed that the payment amount is tampered, and only a special validation step can change this assumption.
Code Example:
Good
Java
File: OrderPgData.java
...


java
  
Observed Examples 8
CVE-2020-6078Chain: The return value of a function returning a pointer is not checked for success (Unchecked Return Value) resulting in the later use of an uninitialized variable (Missing Initialization of a Variable) and a null pointer dereference (NULL Pointer Dereference)
CVE-2019-3836Chain: secure communications library does not initialize a local variable for a data structure (Missing Initialization of a Variable), leading to access of an uninitialized pointer (Access of Uninitialized Pointer).
CVE-2018-14641Chain: C union member is not initialized (Missing Initialization of a Variable), leading to access of invalid pointer (Access of Uninitialized Pointer)
CVE-2009-2692Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (Missing Initialization of a Variable) causes a crash because of a null pointer dereference (NULL Pointer Dereference).
CVE-2020-20739A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage
CVE-2005-2978Product uses uninitialized variables for size and index, leading to resultant buffer overflow.
CVE-2005-2109Internal variable in PHP application is not initialized, allowing external modification.
CVE-2005-2193Array variable not initialized in PHP application, leading to resultant SQL injection.
  
References 6
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Automated Source Code Reliability Measure (ASCRM)
Object Management Group (OMG)
01-2016
http://www.omg.org/spec/ASCRM/1.0/
ID: REF-961
Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG)
01-2016
http://www.omg.org/spec/ASCSM/1.0/
ID: REF-962
uninitialized variable vulnerability - Problem with boolean variables that are forcibly initialized to false by the Java compiler
windshock
13-09-2022
https://github.com/windshock/uninitialized-variable-vulnerability/blob/main/README.md(2025-04-02)
ID: REF-1475
The Java Language Specification, Java SE 7 Edition
James Gosling, Bill Joy, Guy Steele, Gilad Bracha, and Alex Buckley
28-02-2013
https://docs.oracle.com/javase/specs/jls/se7/html/jls-4.html#jls-4.12.5(2025-04-02)
ID: REF-1476
D3FEND: D3-VI Variable Initialization
D3FEND
https://d3fend.mitre.org/technique/d3f:VariableInitialization/(2025-09-08)
ID: REF-1485
 
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Not Language-Specific : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
          
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Missing Initialization of Resource (CWE-909) 
  ChildOf:
 Improper Initialization (CWE-665) 
  ChildOf:
 Improper Initialization (CWE-665) 
  CanPrecede:
 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) 
  CanPrecede:
 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE-120) 
  CanPrecede:
 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98) 
  CanPrecede:
 Use of Uninitialized Variable (CWE-457) 
 
 
 
 
Taxonomy Mapping 
  • PLOVER
  • Software Fault Patterns
  • CERT C Secure Coding
  • SEI CERT Perl Coding Standard
  • SEI CERT Perl Coding Standard
  • OMG ASCSM
  • OMG ASCRM
  
Notes 
RelationshipThis weakness is a major factor in a number of resultant weaknesses, especially in web applications that allow global variable initialization (such as PHP) with libraries that can be directly requested.
Research GapIt is highly likely that a large number of resultant weaknesses have missing initialization as a primary factor, but researcher reports generally do not provide this level of detail.