CVEbaza.plSłownik CWECWE-824
Common Weakness Enumeration

CWE-824

Access of Uninitialized Pointer

Kategoria: BaseCVE: 356
Opis

Produkt uzyskuje dostęp lub używa wskaźnika, który nie został zainicjalizowany. Może to prowadzić do nieprzewidywalnego zachowania programu i potencjalnych vulnerabilności bezpieczeństwa.

Description (EN)

The product accesses or uses a pointer that has not been initialized.

Podatności CVE z CWE-824 (356)
10.0
CVSS
HIGH
CVE-2009-0846

The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.

pub. 2009-04-09
10.0
CVSS
HIGH
CVE-2007-2442

The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.

pub. 2007-06-26
9.8
CVSS
CRITICAL
CVE-2026-6748

Podatność klasy CWE-457 (użycie niezainicjowanej pamięci) w komponencie Audio/Video Web Codecs aplikacji Mozilla Firefox i Thunderbird pozwala zdalnemu atakującemu na wykonanie arbitralnego kodu bez jakiejkolwiek interakcji użytkownika. Ocena CVSS 9.8 (CRITICAL) wskazuje na wyjątkowo wysokie ryzyko dla organizacji korzystających z tych produktów.

pub. 2026-04-21
9.8
CVSS
CRITICAL
CVE-2026-2785

Podatność klasy CWE-824 (dostęp do niezainicjowanego wskaźnika) w komponencie silnika JavaScript przeglądarki Firefox oraz klienta poczty Thunderbird. Oceniona jako krytyczna (CVSS 9.8), może być wykorzystana zdalnie bez uwierzytelnienia i interakcji użytkownika.

pub. 2026-02-24
9.8
CVSS
CRITICAL
CVE-2026-2805

Podatność krytyczna w Mozilla Firefox i Thunderbird polega na użyciu nieprawidłowego wskaźnika (invalid pointer) w komponencie DOM: Core & HTML. Błąd umożliwia potencjalnie zdalne wykonanie kodu bez żadnej interakcji użytkownika ani uwierzytelnienia.

pub. 2026-02-24
9.8
CVSS
CRITICAL
CVE-2022-42885

A use of uninitialized pointer vulnerability exists in the GRO format res functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

pub. 2023-07-21
9.8
CVSS
CRITICAL
CVE-2022-44451

A use of uninitialized pointer vulnerability exists in the MSI format atom functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

pub. 2023-07-21
9.8
CVSS
CRITICAL
CVE-2022-46280

A use of uninitialized pointer vulnerability exists in the PQS format pFormat functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

pub. 2023-07-21
9.8
CVSS
CRITICAL
CVE-2021-36219

An issue was discovered in SKALE sgxwallet 1.58.3. The provided input for ECALL 14 triggers a branch in trustedEcdsaSign that frees a non-initialized pointer from the stack. An attacker can chain multiple enclave calls to prepare a stack that contains a valid address. This address is then freed, resulting in compromised integrity of the enclave. This was resolved after v1.58.3 and not reproducible in sgxwallet v1.77.0.

pub. 2021-09-27
9.8
CVSS
CRITICAL
CVE-2021-1619

A vulnerability in the authentication, authorization, and accounting (AAA) function of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass NETCONF or RESTCONF authentication and do either of the following: Install, manipulate, or delete the configuration of an affected device Cause memory corruption that results in a denial of service (DoS) on an affected device This vulnerability is due to an uninitialized variable. An attacker could exploit this vulnerability by sending a series of NETCONF or RESTCONF requests to an affected device. A successful exploit could allow the attacker to use NETCONF or RESTCONF to install, manipulate, or delete the configuration of a network device or to corrupt memory on the device, resulting a DoS.

pub. 2021-09-23
9.8
CVSS
CRITICAL
CVE-2020-11138

Uninitialized pointers accessed during music play back with incorrect bit stream due to an uninitialized heap memory result in instability in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking

pub. 2021-01-21
9.8
CVSS
CRITICAL
CVE-2020-25573

An issue was discovered in the linked-hash-map crate before 0.5.3 for Rust. It creates an uninitialized NonNull pointer, which violates a non-null constraint.

pub. 2020-09-14
9.8
CVSS
CRITICAL
CVE-2020-17446

asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.

pub. 2020-08-12
9.8
CVSS
CRITICAL
CVE-2018-17141

HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.

pub. 2018-09-21
9.8
CVSS
CRITICAL
CVE-2018-14356

An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID.

pub. 2018-07-17
9.8
CVSS
CRITICAL
CVE-2018-11743

The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy calls for TT_ICLASS objects, which allows attackers to cause a denial of service (mrb_hash_keys uninitialized pointer and application crash) or possibly have unspecified other impact.

pub. 2018-06-05
9.8
CVSS
CRITICAL
CVE-2017-12561

A remote code execution vulnerability in HPE intelligent Management Center (iMC) PLAT version Plat 7.3 E0504P4 and earlier was found.

pub. 2018-02-15
9.3
CVSS
HIGH
CVE-2010-1818

The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshalling of an untrusted pointer.

pub. 2010-08-31
9.3
CVSS
HIGH
CVE-2006-6143

The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

pub. 2006-12-31
9.1
CVSS
CRITICAL
CVE-2018-19857

The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3.0.4 may read memory from an uninitialized pointer when processing magic cookies in CAF files, because a ReadKukiChunk() cast converts a return value to an unsigned int even if that value is negative. This could result in a denial of service and/or a potential infoleak.

pub. 2018-12-05
Pokazano 20 z 356 podatności
Informacje
ID: CWE-824
Typ: Base
Podatności: 356
MITRE CWE ↗
← Słownik CWE
CWE-824 — Dostęp do niezainicjowanego wskaźnika | Słownik CWE | CVEbaza.pl