Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Missing Initialization of a Variable
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.
What is CWE-456?
Real-world CVEs caused by CWE-456

- Chain: The return value of a function returning a pointer is not checked for success (CWE-252), resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476).
- Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
- Chain: C union member is not initialized (CWE-456), leading to access of an invalid pointer (CWE-824).
- Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
- A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage.
- Product uses uninitialized variables for size and index, leading to a resultant buffer overflow.
- Internal variable in PHP application is not initialized, allowing external modification.
- Array variable not initialized in PHP application, leading to resultant SQL injection.
Attacker path, step by step

1. This function attempts to extract a pair of numbers from a user-supplied string.
2. This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form `123:`
3. then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
4. Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
5. This code first authenticates a user, then allows a delete command if the user is an administrator.
Vulnerable C

This function attempts to extract a pair of numbers from a user-supplied string.

```c
#include <stdio.h>
#include <stdlib.h>

/* The original snippet calls die() without defining it; a minimal version
 * is supplied here so the example compiles. */
static void die(const char *msg) {
    fputs(msg, stderr);
    exit(EXIT_FAILURE);
}

void parse_data(char *untrusted_input) {
    int m, n, error;
    error = sscanf(untrusted_input, "%d:%d", &m, &n);
    /* Only EOF is checked; a partial match (sscanf returning 1) passes. */
    if (EOF == error) {
        die("Did not specify integer value. Die evil hacker!\n");
    }
    /* proceed assuming n and m are initialized correctly */
}
```

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

123:

then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).

Secure Java
However, if the method setUser is not called before authenticateUser, then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.

```java
public class BankManager {
    // user allowed to perform bank manager tasks
    private User user = null;
    private boolean isUserAuthentic = false;

    // constructor for BankManager class
    public BankManager(String username) {
        user = getUserFromUserDatabase(username);
    }

    // retrieve user from database of users
    public User getUserFromUserDatabase(String username) {...}

    // authenticate user
    public boolean authenticateUser(String username, String password) {
        if (user == null) {
            System.out.println("Cannot find user " + username);
        }
        else {
            if (password.equals(user.getPassword())) {
                isUserAuthentic = true;
            }
        }
        return isUserAuthentic;
    }

    // methods for performing bank manager tasks
    ...
}
```

How to prevent CWE-456
- Implementation: Ensure that critical variables are initialized before first use [REF-1485].
- Requirements: Choose a language that is not susceptible to these issues.
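Applying the first mitigation to the sscanf example above, as an added illustration (not code from the CWE entry or from Plexicus): the hardened parser checks sscanf's conversion count rather than testing only for EOF, and assigns both outputs on every path. The function names and the sample inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* What sscanf reports for "%d:%d": EOF for empty or blank input, otherwise
 * the number of completed conversions (0, 1 or 2). The original code only
 * rejected EOF, so "123:" (one conversion) slipped through. Locals are
 * pre-zeroed so nothing uninitialized is ever read here. */
int count_fields(const char *input)
{
    int m = 0, n = 0;
    return sscanf(input, "%d:%d", &m, &n);
}

/* Hardened parser: succeeds only when BOTH conversions completed. The outputs
 * are assigned on every path, so a caller that ignores the return value still
 * sees a defined value (0) instead of stale stack contents. */
bool parse_pair(const char *input, int *m, int *n)
{
    int tmp_m = 0, tmp_n = 0;
    *m = 0;
    *n = 0;
    if (input == NULL || sscanf(input, "%d:%d", &tmp_m, &tmp_n) != 2)
        return false;           /* caller must treat m and n as unusable */
    *m = tmp_m;
    *n = tmp_n;
    return true;
}

/* Convenience check: did the input parse to exactly the expected pair? */
bool pair_equals(const char *input, int want_m, int want_n)
{
    int m, n;
    return parse_pair(input, &m, &n) && m == want_m && n == want_n;
}

int main(void)
{
    /* constructed sample inputs, including the "123:" case from the text */
    const char *samples[] = { "12:34", "123:", "abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int m, n;
        bool ok = parse_pair(samples[i], &m, &n);
        printf("\"%s\": sscanf=%d ok=%d m=%d n=%d\n", samples[i],
               count_fields(samples[i]), ok, m, n);
    }
    return 0;
}
```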
How to detect CWE-456

Plexicus automatically detects CWE-456 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this specific weakness and delivers a review-ready pull request with the patch. No tickets. No handoffs.
Frequently asked questions
What is CWE-456?
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.
How severe is CWE-456?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium impact until your threat model shows otherwise.
Which languages or platforms are affected by CWE-456?
MITRE has not specified affected platforms for this CWE; it may apply to most application stacks.
How can I prevent CWE-456?
Ensure that critical variables are initialized before first use [REF-1485]. Choose a language that is not susceptible to these issues.
How does Plexicus detect and fix CWE-456?
The Plexicus SAST engine detects the data-flow signature for CWE-456 on every commit. When there is a match, our Codex Remedium agent opens a fix PR with the corrected code, tests and a one-line summary for the reviewer.
Where can I learn more about CWE-456?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/456.html. You can also consult the OWASP and NIST documentation for related guidance.
Weaknesses related to CWE-456
Missing Initialization of Resource
The software fails to properly set up a critical resource before using it.
Uninitialized Value on Reset for Registers Holding Security Settings
Security-critical hardware registers start with random, unpredictable values when a device powers on or resets, creating an immediate…
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an…
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will…
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion…
Use of Uninitialized Variable
This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…
Further reading
- MITRE: official CWE-456 entry https://cwe.mitre.org/data/definitions/456.html
- Automated Source Code Reliability Measure (ASCRM) http://www.omg.org/spec/ASCRM/1.0/
- Automated Source Code Security Measure (ASCSM) http://www.omg.org/spec/ASCSM/1.0/
- uninitialized variable vulnerability - Problem with boolean variables that are forcibly initialized to false by the Java compiler https://github.com/windshock/uninitialized-variable-vulnerability/blob/main/README.md
- The Java Language Specification, Java SE 7 Edition https://docs.oracle.com/javase/specs/jls/se7/html/jls-4.html#jls-4.12.5
- D3FEND: D3-VI Variable Initialization https://d3fend.mitre.org/technique/d3f:VariableInitialization/
Stop paying per developer.
Start closing the loop.
Plexicus is the AI-native ASPM that scans, filters, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repos, fair-use AI actions. A real free tier, then €269/mo on an annual plan when you are ready.