CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-QMP7-W9R2-H28J
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:30In the Linux kernel, the following vulnerability has been resolved:
drm/i915/bios: fix a memory leak in generate_lfp_data_ptrs
When (size != 0 || ptrs->lvds_ entries != 3), the program tries to free() the ptrs. However, the ptrs is not created by calling kzmalloc(), but is obtained by pointer offset operation. This may lead to memory leaks or undefined behavior.
Fix this by replacing the arguments of kfree() with ptrs_block.
(cherry picked from commit 7674cd0b7d28b952151c3df26bbfa7e07eb2b4ec)
{
"affected": [],
"aliases": [
"CVE-2022-50287"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: fix a memory leak in generate_lfp_data_ptrs\n\nWhen (size != 0 || ptrs-\u003elvds_ entries != 3), the program tries to\nfree() the ptrs. However, the ptrs is not created by calling kzmalloc(),\nbut is obtained by pointer offset operation.\nThis may lead to memory leaks or undefined behavior.\n\nFix this by replacing the arguments of kfree() with ptrs_block.\n\n(cherry picked from commit 7674cd0b7d28b952151c3df26bbfa7e07eb2b4ec)",
"id": "GHSA-qmp7-w9r2-h28j",
"modified": "2025-12-03T21:30:59Z",
"published": "2025-09-15T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50287"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1382901f75a5a7dc8eac05059fd0c7816def4eae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4758d04014cfe6cdb6e9b4738d1d6728487bbb3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c852e8f93f04e57c1e3883caa72542469c6c4c4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP34-4R23-MCWX
Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-14 06:30In the Linux kernel, the following vulnerability has been resolved:
lib/scatterlist: fix length calculations in extract_kvec_to_sg
Patch series "Fix bugs in extract_iter_to_sg()", v3.
Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev.
The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist.
The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself.
The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+.
This patch (of 5):
When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended.
Adjust the copied length if the loop runs out of sglist entries without extracting everything.
While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.
A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.
{
"affected": [],
"aliases": [
"CVE-2026-46289"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T17:16:47Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/scatterlist: fix length calculations in extract_kvec_to_sg\n\nPatch series \"Fix bugs in extract_iter_to_sg()\", v3.\n\nFix bugs in the kvec and user variants of extract_iter_to_sg. This series\nis growing due to useful remarks made by sashiko.dev.\n\nThe main bugs are:\n- The length for an sglist entry when extracting from\n a kvec can exceed the number of bytes in the page. This\n is obviously not intended.\n- When extracting a user buffer the sglist is temporarily\n used as a scratch buffer for extracted page pointers.\n If the sglist already contains some elements this scratch\n buffer could overlap with existing entries in the sglist.\n\nThe series adds test cases to the kunit_iov_iter test that demonstrate all\nof these bugs. Additionally, there is a memory leak fix for the test\nitself.\n\nThe bugs were orignally introduced into kernel v6.3 where the function\nlived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in\nv6.5. Thus the actual fix is only marked for backports to v6.5+.\n\n\nThis patch (of 5):\n\nWhen extracting from a kvec to a scatterlist, do not cross page\nboundaries. The required length was already calculated but not used as\nintended.\n\nAdjust the copied length if the loop runs out of sglist entries without\nextracting everything.\n\nWhile there, return immediately from extract_iter_to_sg if there are no\nsglist entries at all.\n\nA subsequent commit will add kunit test cases that demonstrate that the\npatch is necessary.",
"id": "GHSA-qp34-4r23-mcwx",
"modified": "2026-06-14T06:30:23Z",
"published": "2026-06-08T18:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46289"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f17500e86d730c76db638bb3ae52f9b5e496c76"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8fbba6829057979149d1b37d65690c037f3ddf4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9d38756d0a93b66163554219fa9c3365f40c4035"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e5e22fc9963469e678c4f4bb38d26adcec107f1e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP5H-MM28-4JQ3
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-12-06 21:30Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.
{
"affected": [],
"aliases": [
"CVE-2024-26458"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:44:18Z",
"severity": "MODERATE"
},
"details": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.",
"id": "GHSA-qp5h-mm28-4jq3",
"modified": "2024-12-06T21:30:35Z",
"published": "2024-02-29T03:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458"
},
{
"type": "WEB",
"url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240415-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPF5-PJ4J-J3VF
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-10 21:31In the Linux kernel, the following vulnerability has been resolved:
spi: ch341: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).
Fix the controller and driver data lifetime so that they are released on driver unbind.
Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.
{
"affected": [],
"aliases": [
"CVE-2026-46228"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the controller and driver data lifetime so that they are released\non driver unbind.\n\nNote that this also makes sure that the SPI controller is placed\ncorrectly under the USB interface in the device tree.",
"id": "GHSA-qpf5-pj4j-j3vf",
"modified": "2026-06-10T21:31:26Z",
"published": "2026-05-28T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46228"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/108a64b27a52f781c4f3751641e3dd65c7dd2fb5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4422fc2411cbbdf5104a914e0596bb483faea254"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/abe572f630bc1f0e77041012ab075869036ede4f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPPM-CHHM-XM42
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:30In the Linux kernel, the following vulnerability has been resolved:
mtd: maps: pxa2xx-flash: fix memory leak in probe
Free 'info' upon remapping error to avoid a memory leak.
[miquel.raynal@bootlin.com: Reword the commit log]
{
"affected": [],
"aliases": [
"CVE-2022-50324"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: maps: pxa2xx-flash: fix memory leak in probe\n\nFree \u0027info\u0027 upon remapping error to avoid a memory leak.\n\n[\u003cmiquel.raynal@bootlin.com\u003e: Reword the commit log]",
"id": "GHSA-qppm-chhm-xm42",
"modified": "2025-12-03T21:30:59Z",
"published": "2025-09-15T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50324"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1d0c2b762dad2b8dd166e17c0e90b88b86a3284f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2399401feee27c639addc5b7e6ba519d3ca341bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6fa9550ef3e13d7e9b2d4db6dd57292ccd072a90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/932baf593eb63dff40e40d7674f076fb7932cd5b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a1b061cafdbcb1ff259731f30e2bdc1de64dcaba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb3f35f44887a8486737fe88d58050f1df290758"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf9c4c25caad05c6b492cbba739a467511814279"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2324a0912ad26a0ea5baaf81aed0ca880804158"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f35981083cb3fc1ba6427c1543152c5e3f59d104"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QPVJ-752H-7R4R
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow information disclosure, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0939.
{
"affected": [],
"aliases": [
"CVE-2018-0891"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T17:29:00Z",
"severity": "MODERATE"
},
"details": "ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow information disclosure, due to how the scripting engine handles objects in memory, aka \"Scripting Engine Information Disclosure Vulnerability\". This CVE ID is unique from CVE-2018-0939.",
"id": "GHSA-qpvj-752h-7r4r",
"modified": "2022-05-13T01:18:36Z",
"published": "2022-05-13T01:18:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0891"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0891"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44312"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103309"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040507"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPW5-GVF2-CQ42
Vulnerability from github – Published: 2024-04-01 15:30 – Updated: 2026-02-06 18:30In the Linux kernel, the following vulnerability has been resolved:
Fix memory leak in posix_clock_open()
If the clk ops.open() function returns an error, we don't release the pccontext we allocated for this clock.
Re-organize the code slightly to make it all more obvious.
{
"affected": [],
"aliases": [
"CVE-2024-26655"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T15:15:49Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix memory leak in posix_clock_open()\n\nIf the clk ops.open() function returns an error, we don\u0027t release the\npccontext we allocated for this clock.\n\nRe-organize the code slightly to make it all more obvious.",
"id": "GHSA-qpw5-gvf2-cq42",
"modified": "2026-02-06T18:30:26Z",
"published": "2024-04-01T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26655"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0200dd7ed2335469955d7e69cc1a6fa7df1f3847"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/375abf52353ca5e1a2e5f763629a870f91d0c38a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b4cdd9c5676559b8a7c944ac5269b914b8c0bb8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62a5adf57b56ee94075c889abea518b9dc66895d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a88649b49523e8cbe95254440d803e38c19d2341"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea2d9bfd422e92fd197f6a0b1fe7d81413b871e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f845cfa1a5ae697782bfcb843c9d06d3bc0cbbb6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQF8-29GP-9WQX
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: fix memory leak of elf header buffer
This is reported by kmemleak detector:
unreferenced object 0xffffc900002a9000 (size 4096): comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s) hex dump (first 32 bytes): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..>............. backtrace: [<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170 [<000000002b66b6c0>] __vmalloc_node+0xb4/0x160 [<00000000ad40107d>] crash_prepare_elf64_headers+0x8e/0xcd0 [<0000000019afff23>] crash_load_segments+0x260/0x470 [<0000000019ebe95c>] bzImage64_load+0x814/0xad0 [<0000000093e16b05>] arch_kexec_kernel_image_load+0x1be/0x2a0 [<000000009ef2fc88>] kimage_file_alloc_init+0x2ec/0x5a0 [<0000000038f5a97a>] __do_sys_kexec_file_load+0x28d/0x530 [<0000000087c19992>] do_syscall_64+0x3b/0x90 [<0000000066e063a4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
In crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to store elf headers. While it's not freed back to system correctly when kdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it by introducing x86 specific function arch_kimage_file_post_load_cleanup(), and freeing the buffer there.
And also remove the incorrect elf header buffer freeing code. Before calling arch specific kexec_file loading function, the image instance has been initialized. So 'image->elf_headers' must be NULL. It doesn't make sense to free the elf header buffer in the place.
Three different people have reported three bugs about the memory leak on x86_64 inside Redhat.
{
"affected": [],
"aliases": [
"CVE-2022-49546"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: fix memory leak of elf header buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xffffc900002a9000 (size 4096):\n comm \"kexec\", pid 14950, jiffies 4295110793 (age 373.951s)\n hex dump (first 32 bytes):\n 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............\n 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..\u003e.............\n backtrace:\n [\u003c0000000016a8ef9f\u003e] __vmalloc_node_range+0x101/0x170\n [\u003c000000002b66b6c0\u003e] __vmalloc_node+0xb4/0x160\n [\u003c00000000ad40107d\u003e] crash_prepare_elf64_headers+0x8e/0xcd0\n [\u003c0000000019afff23\u003e] crash_load_segments+0x260/0x470\n [\u003c0000000019ebe95c\u003e] bzImage64_load+0x814/0xad0\n [\u003c0000000093e16b05\u003e] arch_kexec_kernel_image_load+0x1be/0x2a0\n [\u003c000000009ef2fc88\u003e] kimage_file_alloc_init+0x2ec/0x5a0\n [\u003c0000000038f5a97a\u003e] __do_sys_kexec_file_load+0x28d/0x530\n [\u003c0000000087c19992\u003e] do_syscall_64+0x3b/0x90\n [\u003c0000000066e063a4\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to\nstore elf headers. While it\u0027s not freed back to system correctly when\nkdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it\nby introducing x86 specific function arch_kimage_file_post_load_cleanup(),\nand freeing the buffer there.\n\nAnd also remove the incorrect elf header buffer freeing code. Before\ncalling arch specific kexec_file loading function, the image instance has\nbeen initialized. So \u0027image-\u003eelf_headers\u0027 must be NULL. It doesn\u0027t make\nsense to free the elf header buffer in the place.\n\nThree different people have reported three bugs about the memory leak on\nx86_64 inside Redhat.",
"id": "GHSA-qqf8-29gp-9wqx",
"modified": "2025-11-03T21:32:52Z",
"published": "2025-03-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49546"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/115ee42a4c2f26ba2b4ace2668a3f004621f6833"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23cf39dccf7653650701a6f39b119e9116a27f1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8765a423a87d74ef24ea02b43b2728fe4039f248"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3e34a47f98974d0844444c5121aaff123004e57"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f675e3a9189d84a9324ab45b0cb19906c2bc8fcb"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQFQ-W9V9-983H
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-01 18:30In Softing uaToolkit Embedded before 1.41, a malformed CreateMonitoredItems request may cause a memory leak.
{
"affected": [],
"aliases": [
"CVE-2022-45920"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:17:00Z",
"severity": "HIGH"
},
"details": "In Softing uaToolkit Embedded before 1.41, a malformed CreateMonitoredItems request may cause a memory leak.",
"id": "GHSA-qqfq-w9v9-983h",
"modified": "2023-02-01T18:30:31Z",
"published": "2023-01-26T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45920"
},
{
"type": "WEB",
"url": "https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-10.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQV2-5QVX-V346
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-08 18:30In the Linux kernel, the following vulnerability has been resolved:
sched/numa: fix memory leak due to the overwritten vma->numab_state
[Problem Description] When running the hackbench program of LTP, the following memory leak is reported by kmemleak.
# /opt/ltp/testcases/bin/hackbench 20 thread 1000 Running with 20*40 (== 800) tasks.
# dmesg | grep kmemleak ... kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
# cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888cd8ca2c40 (size 64): comm "hackbench", pid 17142, jiffies 4299780315 hex dump (first 32 bytes): ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc bff18fd4): [] __kmalloc_cache_noprof+0x2f9/0x3f0 [] task_numa_work+0x725/0xa00 [] task_work_run+0x58/0x90 [] syscall_exit_to_user_mode+0x1c8/0x1e0 [] do_syscall_64+0x85/0x150 [] entry_SYSCALL_64_after_hwframe+0x76/0x7e ...
This issue can be consistently reproduced on three different servers: * a 448-core server * a 256-core server * a 192-core server
[Root Cause] Since multiple threads are created by the hackbench program (along with the command argument 'thread'), a shared vma might be accessed by two or more cores simultaneously. When two or more cores observe that vma->numab_state is NULL at the same time, vma->numab_state will be overwritten.
Although current code ensures that only one thread scans the VMAs in a single 'numa_scan_period', there might be a chance for another thread to enter in the next 'numa_scan_period' while we have not gotten till numab_state allocation [1].
Note that the command /opt/ltp/testcases/bin/hackbench 50 process 1000
cannot the reproduce the issue. It is verified with 200+ test runs.
[Solution] Use the cmpxchg atomic operation to ensure that only one thread executes the vma->numab_state assignment.
[1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/
{
"affected": [],
"aliases": [
"CVE-2024-56613"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/numa: fix memory leak due to the overwritten vma-\u003enumab_state\n\n[Problem Description]\nWhen running the hackbench program of LTP, the following memory leak is\nreported by kmemleak.\n\n # /opt/ltp/testcases/bin/hackbench 20 thread 1000\n Running with 20*40 (== 800) tasks.\n\n # dmesg | grep kmemleak\n ...\n kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\n # cat /sys/kernel/debug/kmemleak\n unreferenced object 0xffff888cd8ca2c40 (size 64):\n comm \"hackbench\", pid 17142, jiffies 4299780315\n hex dump (first 32 bytes):\n ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00 .tI.....L.I.....\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc bff18fd4):\n [\u003cffffffff81419a89\u003e] __kmalloc_cache_noprof+0x2f9/0x3f0\n [\u003cffffffff8113f715\u003e] task_numa_work+0x725/0xa00\n [\u003cffffffff8110f878\u003e] task_work_run+0x58/0x90\n [\u003cffffffff81ddd9f8\u003e] syscall_exit_to_user_mode+0x1c8/0x1e0\n [\u003cffffffff81dd78d5\u003e] do_syscall_64+0x85/0x150\n [\u003cffffffff81e0012b\u003e] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n ...\n\nThis issue can be consistently reproduced on three different servers:\n * a 448-core server\n * a 256-core server\n * a 192-core server\n\n[Root Cause]\nSince multiple threads are created by the hackbench program (along with\nthe command argument \u0027thread\u0027), a shared vma might be accessed by two or\nmore cores simultaneously. When two or more cores observe that\nvma-\u003enumab_state is NULL at the same time, vma-\u003enumab_state will be\noverwritten.\n\nAlthough current code ensures that only one thread scans the VMAs in a\nsingle \u0027numa_scan_period\u0027, there might be a chance for another thread\nto enter in the next \u0027numa_scan_period\u0027 while we have not gotten till\nnumab_state allocation [1].\n\nNote that the command `/opt/ltp/testcases/bin/hackbench 50 process 1000`\ncannot the reproduce the issue. It is verified with 200+ test runs.\n\n[Solution]\nUse the cmpxchg atomic operation to ensure that only one thread executes\nthe vma-\u003enumab_state assignment.\n\n[1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/",
"id": "GHSA-qqv2-5qvx-v346",
"modified": "2025-01-08T18:30:47Z",
"published": "2024-12-27T15:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56613"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f1b64e9a9b7ee9cfd32c6b2fab796e29bfed075"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8f149bcc4d91ac92b32ff4949b291e6ed883dc42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a71ddd5b87cda687efa28e049e85e923689bcef9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.