Skip to main content

CWE-908

Use of Uninitialized Resource

556 CVEs Avg CVSS 6.4 MITRE
38
CRITICAL
137
HIGH
372
MEDIUM
9
LOW
41
POC
2
KEV

Monthly

CVE-2026-60005 HIGH PATCH This Week

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.

Nginx Information Disclosure Nginx Plus Nginx Open Source
NVD
CVSS 4.0
8.8
CVE-2026-58546 MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58535 MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2026-58533 MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2026-57982 MEDIUM PATCH Exploit Unlikely This Month

Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2026-57084 MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2026-57083 MEDIUM PATCH This Month

Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2026-56190 CRITICAL PATCH Exploit Unlikely Act Now

Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-55949 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, Office for Mac, and Office Online Server) allows an attacker to run arbitrary code in the context of the current user when a victim opens a maliciously crafted spreadsheet. The flaw stems from use of an uninitialized resource (CWE-908) and carries a CVSS 7.8; it requires user interaction (opening the file) and no prior privileges. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available.

Authentication Bypass Microsoft Microsoft 365 Apps For Enterprise Microsoft Excel 2016 Microsoft Office 2019 +6
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-55042 MEDIUM PATCH This Month

Uninitialized memory disclosure in Microsoft Office exposes sensitive data locally when a user interacts with a crafted document. The vulnerability, rooted in CWE-908 (Use of Uninitialized Resource), affects the full breadth of current Office deployments across Windows and macOS, including Office 2016 through LTSC 2024 and Microsoft 365 Apps for Enterprise. No public exploit code has been identified at time of analysis, and SSVC signals confirm no observed exploitation; however, the High confidentiality impact warrants prompt patching given Office's ubiquitous deployment footprint.

Microsoft Information Disclosure Microsoft 365 Apps For Enterprise Microsoft Office 2016 Microsoft Office 2019 +5
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVSS 8.8
HIGH PATCH This Week

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.

Nginx Information Disclosure Nginx Plus +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.

Microsoft Information Disclosure Windows 10 Version 1607 +17
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Exploit Unlikely Act Now

Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office Excel (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, Office for Mac, and Office Online Server) allows an attacker to run arbitrary code in the context of the current user when a victim opens a maliciously crafted spreadsheet. The flaw stems from use of an uninitialized resource (CWE-908) and carries a CVSS 7.8; it requires user interaction (opening the file) and no prior privileges. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but a vendor patch is available.

Authentication Bypass Microsoft Microsoft 365 Apps For Enterprise +8
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Uninitialized memory disclosure in Microsoft Office exposes sensitive data locally when a user interacts with a crafted document. The vulnerability, rooted in CWE-908 (Use of Uninitialized Resource), affects the full breadth of current Office deployments across Windows and macOS, including Office 2016 through LTSC 2024 and Microsoft 365 Apps for Enterprise. No public exploit code has been identified at time of analysis, and SSVC signals confirm no observed exploitation; however, the High confidentiality impact warrants prompt patching given Office's ubiquitous deployment footprint.

Microsoft Information Disclosure Microsoft 365 Apps For Enterprise +7
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy