...
Reading uninitialized variables is undefined behavior and can result in unexpected program behavior. In some cases, these security flaws may allow the execution of arbitrary code.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP53-CPP | High | Probable | Medium | P12 | L1 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Clang | | -Wuninitialized clang-analyzer-core.UndefinedBinaryOperatorResult | Does not catch all instances of this rule, such as uninitialized values read from heap-allocated memory. |
| CodeSonar | | LANG.STRUCT.RPL | Return pointer to local Uninitialized variable |
| Klocwork | | UNINIT.CTOR.MIGHT | |
| LDRA tool suite | | 53 D, 69 D, 631 S, 652 S | Partially implemented |
| Parasoft C/C++test | | BD-PB-NOTINIT | |
| Parasoft Insure++ | | | Runtime detection |
| PRQA QA-C++ | 9.1 | 2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978 | |
| PVS-Studio | 6.22 | V546, V573, V670, V679, V730, V788, V1007 | General analysis rule set |
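The Clang entry above notes that reads of uninitialized heap-allocated memory can go undetected, and the Klocwork checker name points at constructors that may leave members unset. The following is an added illustration, not code from the CERT rule or from any listed tool, showing both cases beside compliant forms; all function and type names are hypothetical, and the noncompliant reads sit behind a `SHOW_NONCOMPLIANT` macro so they are never compiled by default.

```cpp
#include <cstddef>
#include <memory>

#ifdef SHOW_NONCOMPLIANT        // off by default: both reads below are undefined behavior
int heap_read_bad() {
    int *p = new int;           // default-initialized: the int has an indeterminate value
    int v = *p;                 // read of uninitialized heap memory
    delete p;
    return v;
}
struct CounterBad {
    int n;                      // no default member initializer ...
    CounterBad() {}             // ... and the constructor never sets n
    int get() const { return n; }   // reads an indeterminate member
};
#endif

// Compliant: "new int()" value-initializes, so the scalar is zero before the read.
int heap_read_ok() {
    std::unique_ptr<int> p(new int());
    return *p;
}

// Compliant array form: the trailing "()" value-initializes every element to zero.
long heap_array_sum(std::size_t count) {
    std::unique_ptr<int[]> a(new int[count]());
    long sum = 0;
    for (std::size_t i = 0; i < count; ++i) sum += a[i];
    return sum;
}

// Compliant class: every member is set before any member function can read it.
struct Counter {
    int n = 0;                              // default member initializer
    int step;
    explicit Counter(int s) : step(s) {}    // mem-initializer covers the remaining member
    int next() { n += step; return n; }
};

// Drives Counter so the result can be checked: returns the value after `calls` steps.
int counter_after(int step, int calls) {
    Counter c(step);
    int v = 0;
    for (int i = 0; i < calls; ++i) v = c.next();
    return v;
}

int main() {
    bool ok = heap_read_ok() == 0 && heap_array_sum(16) == 0 && counter_after(3, 4) == 12;
    return ok ? 0 : 1;
}
```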
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 14882-2014] | Clause 5, "Expressions"; Subclause 5.3.4, "New"; Subclause 8.5, "Initializers"; Subclause 12.6.2, "Initializing Bases and Members" |
| [Lockheed Martin 2005] | Rule 142, All variables shall be initialized before use |
...
...