logo

Assignment to Variable without Use

Draft Base
Structure: Simple
Description

This vulnerability occurs when a value is stored in a variable, but that variable is never read or used in subsequent code, creating a 'dead store.'

Extended Description

A dead store happens when a variable is assigned a value, only to be immediately overwritten by another assignment or to fall out of scope without being referenced. This often indicates leftover code from a previous implementation or refactoring, but it can also be a subtle sign of a logic error—perhaps a critical calculation was meant to be used but was accidentally omitted. While these issues can seem minor, they clutter code, harm performance, and may mask deeper bugs. Managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack by identifying dead stores and using AI to suggest precise clean-up actions, turning security hygiene into an automated process.
Common Consequences 1
Scope: Other

Impact: Quality DegradationVaries by Context

This weakness could be an indication of a bug in the program or a deprecated variable that was not removed and is an indication of poor quality. This could lead to further bugs and the introduction of weaknesses.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Implementation
Remove unused variables from the code.
Demonstrative Examples 1

ID : DX-218

The following code excerpt assigns to the variable r and then overwrites the value without using it.

Code Example:

Bad
C
c
Modes of Introduction
Implementation
Alternate Terms

Unused Variable
Related Weaknesses
ChildOf: Irrelevant Code (CWE-1164)
Taxonomy Mapping
  • CERT C Secure Coding
  • SEI CERT Perl Coding Standard
  • Software Fault Patterns