CWE-908— Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.— MITRE CWE catalog
769 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-908page 16 of 16
- CVE-2026-4716CRITICALCVSS 9.1EG 9.12026-03-24
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CVE-2026-47272HIGHCVSS 7.1EG 7.12026-05-27
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce …
- CVE-2026-48101MEDIUMCVSS 6.5EG 6.52026-06-05
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer o…
- CVE-2026-48104MEDIUMCVSS 4.2EG 4.22026-06-05
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is all…
- CVE-2026-53142MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: drm/xe/display: fix oops in suspend/shutdown without display The xe driver keeps track of whether to probe display, and whether display hardware is there, using xe->info…
- CVE-2026-53167MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_…
- CVE-2026-53170HIGHCVSS 8.8EG 8.82026-06-25
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missi…
- CVE-2026-53218MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many b…
- CVE-2026-53225CRITICALCVSS 9.1EG 9.12026-06-25
In the Linux kernel, the following vulnerability has been resolved: sctp: fix uninit-value in __sctp_rcv_asconf_lookup() __sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a par…
- CVE-2026-53243MEDIUMCVSS 5.5EG 5.52026-06-25
In the Linux kernel, the following vulnerability has been resolved: rseq: Fix using an uninitialized stack variable in rseq_exit_user_update() There is an bug in which an uninitialized stack variable is used in rseq_exit_user_update() as…
- CVE-2026-53311MEDIUMCVSS 5.5EG 5.52026-06-26
In the Linux kernel, the following vulnerability has been resolved: fuse: fix uninit-value in fuse_dentry_revalidate() fuse_dentry_revalidate() may be called with a dentry that didn't had ->d_time initialised. The issue was found with K…
- CVE-2026-53467MEDIUMCVSS 5.3EG 5.32026-07-01
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, the MNG decoder contains a possible heap information disclosure vulnerability because part of the pixe…
- CVE-2026-54500MEDIUMCVSS 5.3EG 5.32026-06-19
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object w…
- CVE-2026-56085LOWCVSS 3.3EG 3.32026-07-03
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of uninitia…
- CVE-2026-56968MEDIUMCVSS 5.3EG 3.72026-06-23
GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.
- CVE-2026-58051MEDIUMCVSS 6.5EG 6.52026-06-28
libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an unini…
- CVE-2026-6686MEDIUMCVSS 4.6EG 4.62026-07-01
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVS…
- CVE-2026-6749HIGHCVSS 7.5EG 7.52026-04-21
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-7141MEDIUMCVSS 5.6EG 5.62026-04-27
A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component KV Block Handler. Performing a manipulation results in uninitialized resource.…
Map vulnerabilities like CWE-908 to your infrastructure
EchelonGraph correlates every CVE — across CWE-908 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →