CWE-908 Base Incompleto Medium likelihood

Use of Uninitialized Resource

This vulnerability occurs when software attempts to use a resource—like memory, a file handle, or an object—before it has been properly set up or assigned a valid starting state.

Definición

What is CWE-908?

This vulnerability occurs when software attempts to use a resource—like memory, a file handle, or an object—before it has been properly set up or assigned a valid starting state.
Using an uninitialized resource is like trying to drive a car without starting the engine; the system doesn't have a valid state to operate from. This often happens due to coding oversights, such as forgetting to assign a value to a variable, failing to open a file before reading it, or not constructing an object before calling its methods. The specific resource could be anything from a block of memory and a database connection to a configuration setting or a network socket. The consequences depend entirely on what the resource is and how the program tries to use it. At best, the software might behave unpredictably or produce incorrect results. More severely, it can crash the application, expose sensitive data leftover in memory, or create a path for attackers to manipulate the program's control flow. This makes it a common root cause for stability issues and a potential gateway to more serious security exploits.
Impacto en el mundo real

Real-world CVEs caused by CWE-908

  • CVE-2019-9805

    Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption.

  • CVE-2008-4197

    Use of uninitialized memory may allow code execution.

  • CVE-2008-2934

    Free of an uninitialized pointer leads to crash and possible code execution.

  • CVE-2008-0063

    Product does not clear memory contents when generating an error message, leading to information leak.

  • CVE-2008-0062

    Lack of initialization triggers NULL pointer dereference or double-free.

  • CVE-2008-0081

    Uninitialized variable leads to code execution in popular desktop application.

  • CVE-2008-3688

    Chain: Uninitialized variable leads to infinite loop.

  • CVE-2008-3475

    Chain: Improper initialization leads to memory corruption.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

  2. 2

    The following code intends to limit certain operations to the administrator only.

  3. 3

    If the application is unable to extract the state information - say, due to a database timeout - then the $uid variable will not be explicitly set by the programmer. This will cause $uid to be regarded as equivalent to "0" in the conditional, allowing the original user to perform administrator actions. Even if the attacker cannot directly influence the state data, unexpected errors could cause incorrect privileges to be assigned to a user just by accident.

  4. 4

    The following code intends to concatenate a string to a variable and print the string.

  5. 5

    This might seem innocent enough, but str was not initialized, so it contains random memory. As a result, str[0] might not contain the null terminator, so the copy might start at an offset other than 0. The consequences can vary, depending on the underlying memory.

Ejemplo de código vulnerable

Vulnerable Java

Here, a boolean initiailized field is consulted to ensure that initialization tasks are only completed once. However, the field is mistakenly set to true during static initialization, so the initialization code is never reached.

Vulnerable Java 
private boolean initialized = true;
  public void someMethod() {
  		if (!initialized) {
```
// perform initialization tasks* 
  				...
  				
  				initialized = true;}
Ejemplo de código seguro

Secure C

When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457). To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf(). One solution would be to set test_string to an acceptable default before the conditional:

Seguro C 
char *test_string = "Done at the beginning";
 if (i != err_val)
 {

```
  test_string = "Hello World!";
 }
 printf("%s", test_string);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-908

  • Implementation Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps.
  • Implementation Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.
  • Implementation Avoid race conditions (CWE-362) during initialization routines.
  • Build and Compilation Run or compile the product with settings that generate warnings about uninitialized variables or data.
Señales de detección

How to detect CWE-908

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-908 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-908?

This vulnerability occurs when software attempts to use a resource—like memory, a file handle, or an object—before it has been properly set up or assigned a valid starting state.

¿Qué gravedad tiene CWE-908?

MITRE califica la probabilidad de explotación como Media — la explotación es realista pero suele requerir condiciones específicas.

¿Qué lenguajes o plataformas se ven afectados por CWE-908?

MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.

¿Cómo puedo prevenir CWE-908?

Explicitly initialize the resource before use. If this is performed through an API function or standard procedure, follow all required steps. Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.

¿Cómo detecta y corrige Plexicus CWE-908?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-908 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-908?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/908.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-908

CWE-665 Padre

Improper Initialization

This vulnerability occurs when software fails to properly set up a resource before use, or provides incorrect starting values, leaving it…

CWE-1188 Hermano

Initialization of a Resource with an Insecure Default

This vulnerability occurs when software uses an insecure default setting or value for a resource, assuming an administrator will change it…

CWE-1279 Hermano

Cryptographic Operations are run Before Supporting Units are Ready

This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…

CWE-1419 Hermano

Incorrect Initialization of Resource

This weakness occurs when a system fails to properly set up a resource during its creation, leaving it in an unstable, incorrect, or…

CWE-1434 Hermano

Insecure Setting of Generative AI/ML Model Inference Parameters

This vulnerability occurs when a generative AI or ML model is deployed with inference parameters that are too permissive, causing it to…

CWE-455 Hermano

Non-exit on Failed Initialization

This vulnerability occurs when software continues to run as normal after encountering a critical security failure during its startup…

CWE-456 Hermano

Missing Initialization of a Variable

This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable…

CWE-457 Hermano

Use of Uninitialized Variable

This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…

CWE-770 Hermano

Allocation of Resources Without Limits or Throttling

This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo