Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.). For CWE-456 the pattern of interest is simpler than a source-to-sink flow: a read of a variable on some control-flow path that contains no prior assignment to it.
Missing Initialization of a Variable
What is CWE-456?
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.
Real-world CVEs caused by CWE-456
- Chain: The return value of a function returning a pointer is not checked for success (CWE-252), resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476).
- Chain: secure communications library does not initialize a local variable for a data structure (CWE-456), leading to access of an uninitialized pointer (CWE-824).
- Chain: C union member is not initialized (CWE-456), leading to access of an invalid pointer (CWE-824).
- Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
- A variable that has its value set in a conditional statement is sometimes used when the conditional fails, sometimes causing data leakage.
- Product uses uninitialized variables for size and index, leading to a resultant buffer overflow.
- Internal variable in PHP application is not initialized, allowing external modification.
- Array variable not initialized in PHP application, leading to resultant SQL injection.
Attacker path, step by step
1. This function attempts to extract a pair of numbers from a user-supplied string.
2. This code attempts to extract two integer values out of a formatted, user-supplied input. However, an attacker can provide an input of the form `123:`, in which the second number is missing.
3. Then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
4. Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.
5. This code first authenticates a user, then allows a delete command if the user is an administrator.
Vulnerable C
This function attempts to extract a pair of numbers from a user-supplied string.
```c
void parse_data(char *untrusted_input){
    int m, n, error;
    /* sscanf returns the number of items assigned, or EOF if input ended
     * before the first conversion; a partial match returns 1 here. */
    error = sscanf(untrusted_input, "%d:%d", &m, &n);
    if ( EOF == error ){
        die("Did not specify integer value. Die evil hacker!\n");
    }
    /* proceed assuming n and m are initialized correctly */
}
```
This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:
```
123:
```
then only the m variable will be initialized, because sscanf returns 1 rather than EOF and the check passes. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).
Secure Java
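The fix is to treat anything other than a complete match as a failure and to give every local a value before its first use. The following is an added example, not code from the original page: a hardened rewrite of parse_data() that returns a status instead of calling the page's die() helper. The function name parse_pair_hardened, the pair struct and the sample inputs are assumptions chosen for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the original page). Names are illustrative. */
struct pair {
    int m;
    int n;
};

/* Returns 1 on success and stores both values in *out.
 * Returns 0 on a missing input, a partial match ("123:") or no match,
 * in which case *out is left fully zeroed rather than half-written. */
int parse_pair_hardened(const char *untrusted_input, struct pair *out)
{
    /* CWE-456 mitigation: every local is initialised before first use,
     * so no path can read leftover stack contents. */
    int m = 0, n = 0;
    struct pair zero = {0, 0};

    *out = zero;
    if (untrusted_input == NULL) {
        return 0;
    }

    /* The page's code only tested for EOF. sscanf returns the number of
     * conversions assigned: "123:" yields 1 (m set, n untouched), "" yields
     * EOF, ":7" yields 0. Requiring exactly 2 is the real check. */
    int matched = sscanf(untrusted_input, "%d:%d", &m, &n);
    if (matched != 2) {
        return 0;
    }

    out->m = m;
    out->n = n;
    return 1;
}

int main(void)
{
    /* Constructed inputs: the page's attack string plus a few edge cases. */
    const char *inputs[] = { "123:", "123:456", "", "abc", ":7" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct pair p;
        int ok = parse_pair_hardened(inputs[i], &p);
        printf("\"%s\" -> %s (m=%d, n=%d)\n", inputs[i],
               ok ? "accepted" : "rejected", p.m, p.n);
    }
    return 0;
}
```

Two checks complement the code change. Compile with `-Wall -Wextra` (GCC and Clang both warn on many reads of uninitialised locals, though not on all of them, since sscanf writes through a pointer the compiler cannot reason about), and run the test inputs under Valgrind's memcheck or Clang's MemorySanitizer (`-fsanitize=memory`), which catch the read at run time. `-ftrivial-auto-var-init=zero` (Clang, GCC 12 and later) zero-fills automatic variables as a defence in depth, but it silences the symptom rather than fixing the missing return-value check.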
However, if the method setUser is not called before authenticateUser, then the user variable will not have been initialized and the result will be a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.
```java
public class BankManager {

    // user allowed to perform bank manager tasks
    private User user = null;
    private boolean isUserAuthentic = false;

    // constructor for BankManager class
    public BankManager(String username) {
        user = getUserFromUserDatabase(username);
    }

    // retrieve user from database of users
    public User getUserFromUserDatabase(String username) {...}

    // authenticate user
    public boolean authenticateUser(String username, String password) {
        // explicit check: the field is given a known value (null) at
        // declaration and tested before any dereference
        if (user == null) {
            System.out.println("Cannot find user " + username);
        }
        else {
            if (password.equals(user.getPassword())) {
                isUserAuthentic = true;
            }
        }
        return isUserAuthentic;
    }

    // methods for performing bank manager tasks
    ...
}
```
How to prevent CWE-456
- Implementation: Ensure that critical variables are initialized before first use [REF-1485].
- Requirements: Choose a language that is not susceptible to these issues.
How to detect CWE-456
Plexicus automatically detects CWE-456 and opens a fix PR in under 60 seconds.
Codex Remedium analyzes every commit, identifies this specific weakness and delivers a review-ready pull request with the fix. No tickets. No handoffs.
Frequently asked questions
What is CWE-456?
This vulnerability occurs when a program uses a variable before giving it a starting value, causing the software to rely on unpredictable data left over in memory.
How severe is CWE-456?
MITRE has not published a likelihood-of-exploitation rating for this weakness. Treat it as medium impact until your threat model proves otherwise.
Which languages or platforms are affected by CWE-456?
MITRE has not specified affected platforms for this CWE; it can apply to most application stacks.
How can I prevent CWE-456?
Ensure that critical variables are initialized before first use [REF-1485]. Choose a language that is not susceptible to these issues.
How does Plexicus detect and fix CWE-456?
The Plexicus SAST engine recognizes the data-flow signature of CWE-456 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests and a one-line summary for the reviewer.
Where can I learn more about CWE-456?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/456.html. You can also consult the OWASP and NIST documentation for adjacent guidance.
Weaknesses related to CWE-456
Missing Initialization of Resource
The software fails to properly set up a critical resource before using it.
Uninitialized Value on Reset for Registers Holding Security Settings
Security-critical hardware registers start with random, unpredictable values when a device powers on or resets, creating an immediate…
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection occurs when an application builds a database query using untrusted user input without properly sanitizing it. This allows an…
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
This vulnerability occurs when a program copies data from one memory location to another without first verifying that the source data will…
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
This vulnerability occurs when a PHP application uses unvalidated or insufficiently restricted user input directly within file inclusion…
Use of Uninitialized Variable
This vulnerability occurs when a program accesses a variable before it has been assigned a value, leading to unpredictable behavior and…
Further reading
- MITRE: official CWE-456 entry https://cwe.mitre.org/data/definitions/456.html
- Automated Source Code Reliability Measure (ASCRM) http://www.omg.org/spec/ASCRM/1.0/
- Automated Source Code Security Measure (ASCSM) http://www.omg.org/spec/ASCSM/1.0/
- uninitialized variable vulnerability - Problem with boolean variables that are forcibly initialized to false by the Java compiler https://github.com/windshock/uninitialized-variable-vulnerability/blob/main/README.md
- The Java Language Specification, Java SE 7 Edition https://docs.oracle.com/javase/specs/jls/se7/html/jls-4.html#jls-4.12.5
- D3FEND: D3-VI Variable Initialization https://d3fend.mitre.org/technique/d3f:VariableInitialization/
Stop paying per developer.
Start closing the loop.
Plexicus is the AI-native ASPM that scans, triages, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repositories, fair-use AI actions. A real free tier, then €269/mo billed annually when you are ready.