The product does not initialize critical variables, which causes the execution environment to use unexpected values.

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Impact	Details
Unexpected State; Quality Degradation; Varies by Context	Scope: Integrity, Other The uninitialized data may be invalid, causing logic errors within the program. In some cases, this could result in a security problem.

Phase(s)	Mitigation
Implementation	Strategy: Attack Surface Reduction Ensure that critical variables are initialized before first use [REF-1485].
Requirements	Strategy: Language Selection Choose a language that is not susceptible to these issues.

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Implementation

This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Not Language-Specific (Undetermined Prevalence)

Example 1

This function attempts to extract a pair of numbers from a user-supplied string.

This code attempts to extract two integer values out of a formatted, user-supplied input. However, if an attacker were to provide an input of the form:

then only the m variable will be initialized. Subsequent use of n may result in the use of an uninitialized variable (CWE-457).

Example 2

Here, an uninitialized field in a Java class is used in a seldom-called method, which would cause a NullPointerException to be thrown.

Example 3

This code first authenticates a user, then allows a delete command if the user is an administrator.

The $isAdmin variable is set to true if the user is an admin, but is uninitialized otherwise. If PHP's register_globals feature is enabled, an attacker can set uninitialized variables like $isAdmin to arbitrary values, in this case gaining administrator privileges by setting $isAdmin to true.

Example 4

In the following Java code the BankManager class uses the user variable of the class User to allow authorized users to perform bank manager tasks. The user variable is initialized within the method setUser that retrieves the User from the User database. The user is then authenticated as unauthorized user through the method authenticateUser.

However, if the method setUser is not called before authenticateUser then the user variable will not have been initialized and will result in a NullPointerException. The code should verify that the user variable has been initialized before it is used, as in the following code.

Example 5

This example will leave test_string in an unknown condition when i is the same value as err_val, because test_string is not initialized (CWE-456). Depending on where this code segment appears (e.g. within a function body), test_string might be random if it is stored on the heap or stack. If the variable is declared in static memory, it might be zero or NULL. Compiler optimization might contribute to the unpredictability of this address.

When the printf() is reached, test_string might be an unexpected address, so the printf might print junk strings (CWE-457).

To fix this code, there are a couple approaches to making sure that test_string has been properly set once it reaches the printf().

One solution would be to set test_string to an acceptable default before the conditional:

Another solution is to ensure that each branch of the conditional - including the default/else branch - could ensure that test_string is set:

Example 6

Consider the following merchant server application as implemented in [REF-1475]. It receives card payment information (orderPgData instance in OrderPgData.java) from the payment gateway (such as PayPal). The next step is to complete the payment (finalizeOrder() in Main.java). The merchant server validates the amount (validateAmount() in OrderPgData.java), and if the validation is successful, then the payment is completed.

In PgServiceResolver.java, when pgType is "card" indicating a card payment, orderPgData.validateAmount() is not called - that is, the amount is not validated to be the same as the expected price.

Since isPaymentAmountTampered is declared as a private boolean, but it is not initialized, it is forcibly initialized to false by the Java compiler [REF-1476].

If the adversary modifies the price, e.g., changing paymentAmount from 100 to 10, then no validation is performed. Since isPaymentAmountTampered is "false" because of the default initialization, the code finishes processing the payment because it does not believe that the amount has been changed.

This weakness could be addressed by setting the value of isPaymentAmountTampered to true. This is a "secure-by-default" value that reflects a "default deny" policy - i.e., it's assumed that the payment amount is tampered, and only a special validation step can change this assumption.

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Ordinality	Description
Primary	(where the weakness exists independent of other weaknesses)
Indirect	(where the weakness is a quality issue that might indirectly make it easier to introduce security-relevant weaknesses or make them more difficult to detect)