CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-W3J5-QJF6-G9GF
Vulnerability from github – Published: 2022-05-01 02:14 – Updated: 2022-05-01 02:14Memory leak in the request_key_auth_destroy function in request_key_auth in Linux kernel 2.6.10 up to 2.6.13 allows local users to cause a denial of service (memory consumption) via a large number of authorization token keys.
{
"affected": [],
"aliases": [
"CVE-2005-3119"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-10-12T13:03:00Z",
"severity": "LOW"
},
"details": "Memory leak in the request_key_auth_destroy function in request_key_auth in Linux kernel 2.6.10 up to 2.6.13 allows local users to cause a denial of service (memory consumption) via a large number of authorization token keys.",
"id": "GHSA-w3j5-qjf6-g9gf",
"modified": "2022-05-01T02:14:37Z",
"published": "2022-05-01T02:14:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-3119"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11236"
},
{
"type": "WEB",
"url": "http://linux.bkbits.net:8080/linux-2.6/cset%4043483fddCiQX1WyG_orbko06TrjMVA"
},
{
"type": "WEB",
"url": "http://linux.bkbits.net:8080/linux-2.6/cset@43483fddCiQX1WyG_orbko06TrjMVA"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/17114"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/17364"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2005-808.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/15076"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W3PX-8QW9-WJ6X
Vulnerability from github – Published: 2024-03-01 00:30 – Updated: 2024-12-10 18:31In the Linux kernel, the following vulnerability has been resolved:
soundwire: stream: fix memory leak in stream config error path
When stream config is failed, master runtime will release all slave runtime in the slave_rt_list, but slave runtime is not added to the list at this time. This patch frees slave runtime in the config error path to fix the memory leak.
{
"affected": [],
"aliases": [
"CVE-2021-47020"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T23:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: stream: fix memory leak in stream config error path\n\nWhen stream config is failed, master runtime will release all\nslave runtime in the slave_rt_list, but slave runtime is not\nadded to the list at this time. This patch frees slave runtime\nin the config error path to fix the memory leak.",
"id": "GHSA-w3px-8qw9-wj6x",
"modified": "2024-12-10T18:31:06Z",
"published": "2024-03-01T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47020"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f17ac005b320c85d686088cfd4c2e7017912b88"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/342260fe821047c3d515e3d28085d73fbdce3e80"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48f17f96a81763c7c8bf5500460a359b9939359f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c468deae306d0cbbd539408c26cfec04c66159a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/870533403ffa28ff63e173045fc5369365642002"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/effd2bd62b416f6629e18e3ce077c60de14cfdea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W3Q4-XR8H-32GF
Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2024-03-21 03:34A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicous user obtain sensitive information..
{
"affected": [],
"aliases": [
"CVE-2021-45346"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-14T19:15:00Z",
"severity": "MODERATE"
},
"details": "A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicous user obtain sensitive information..",
"id": "GHSA-w3q4-xr8h-32gf",
"modified": "2024-03-21T03:34:11Z",
"published": "2022-02-15T00:02:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45346"
},
{
"type": "WEB",
"url": "https://github.com/guyinatuxedo/sqlite3_record_leaking"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220303-0001"
},
{
"type": "WEB",
"url": "https://sqlite.org/forum/forumpost/056d557c2f8c452ed5"
},
{
"type": "WEB",
"url": "https://sqlite.org/forum/forumpost/53de8864ba114bf6"
},
{
"type": "WEB",
"url": "https://www.sqlite.org/cves.html#status_of_recent_sqlite_cves"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3WG-MHJG-F88W
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-16 03:30In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()
In amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without releasing the allocated xcc_info, resulting in a memory leak.
Fix this by ensuring that xcc_info is properly freed in the error paths.
Compile tested only. Issue found using a prototype static analysis tool and code review.
{
"affected": [],
"aliases": [
"CVE-2026-45947"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:11Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc()\n\nIn amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM,\nthe function returns directly without releasing the allocated xcc_info,\nresulting in a memory leak.\n\nFix this by ensuring that xcc_info is properly freed in the error paths.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review.",
"id": "GHSA-w3wg-mhjg-f88w",
"modified": "2026-06-16T03:30:32Z",
"published": "2026-05-27T15:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45947"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18a7bbd11f17a7cd4c42fd5955d3675d68c692df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e4b612fe7a960d610c20260c9ee220bddd1b215"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c9be63d565789b56ca7b0197e2cb78a3671f95a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d1370ef2ecf7d4df25e3e1e430cd191b1e7f8596"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e87c73a80a12d337cf5f493c0956f6c2c9eafd80"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W3X6-6F6F-54F3
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-16 03:30In the Linux kernel, the following vulnerability has been resolved:
s390/cio: Fix device lifecycle handling in css_alloc_subchannel()
css_alloc_subchannel() calls device_initialize() before setting up
the DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails,
the error path frees the subchannel structure directly, bypassing
the device model reference counting.
Once device_initialize() has been called, the embedded struct device
must be released via put_device(), allowing the release callback to
free the container structure.
Fix the error path by dropping the initial device reference with
put_device() instead of calling kfree() directly.
This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues.
{
"affected": [],
"aliases": [
"CVE-2026-45981"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:15Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: Fix device lifecycle handling in css_alloc_subchannel()\n\n`css_alloc_subchannel()` calls `device_initialize()` before setting up\nthe DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails,\nthe error path frees the subchannel structure directly, bypassing\nthe device model reference counting.\n\nOnce `device_initialize()` has been called, the embedded struct device\nmust be released via `put_device()`, allowing the release callback to\nfree the container structure.\n\nFix the error path by dropping the initial device reference with\n`put_device()` instead of calling `kfree()` directly.\n\nThis ensures correct device lifetime handling and avoids potential\nuse-after-free or double-free issues.",
"id": "GHSA-w3x6-6f6f-54f3",
"modified": "2026-06-16T03:30:33Z",
"published": "2026-05-27T15:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45981"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b2ad7ad4a28ffdb9f94e6d979b88a5b12b71681"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6715560527e343a387e4a0d2e6c401748e89fa55"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/abb6e07f46a740cda4f07d1b561ae4eaa7a1df42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1d4e6fb241672850296956c4d782a69363a3807"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c35cfbb5341ba05ad1b4476ffc3c21cc3ff8f603"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f96c5ccf95ae5f27218c1ce2d6a3ad2d3e105424"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd295a75d828c11acfcc6869c2a12cdaaf9b7722"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W46W-6CR6-6PVH
Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2024-12-09 15:31In the Linux kernel, the following vulnerability has been resolved:
nvme: apple: fix device reference counting
Drivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl. Split the allocation side out to make the error handling boundary easier to navigate. The apple driver had been doing this wrong, leaking the controller device memory on a tagset failure.
{
"affected": [],
"aliases": [
"CVE-2024-43913"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T11:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: apple: fix device reference counting\n\nDrivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl.\nSplit the allocation side out to make the error handling boundary easier\nto navigate. The apple driver had been doing this wrong, leaking the\ncontroller device memory on a tagset failure.",
"id": "GHSA-w46w-6cr6-6pvh",
"modified": "2024-12-09T15:31:33Z",
"published": "2024-08-26T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43913"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9ecbfa45516182cd062fecd286db7907ba84210"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d59c4d0eb6adc24c2201f153ccb7fd0a335b0d3d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7d9a18572fcd7130459b7691bd19ee2a2e951ad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4CH-7P82-3M56
Vulnerability from github – Published: 2026-01-23 18:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking environment:
unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header().
{
"affected": [],
"aliases": [
"CVE-2026-22979"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T16:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in skb_segment_list for GRO packets\n\nWhen skb_segment_list() is called during packet forwarding, it handles\npackets that were aggregated by the GRO engine.\n\nHistorically, the segmentation logic in skb_segment_list assumes that\nindividual segments are split from a parent SKB and may need to carry\ntheir own socket memory accounting. Accordingly, the code transfers\ntruesize from the parent to the newly created segments.\n\nPrior to commit ed4cccef64c1 (\"gro: fix ownership transfer\"), this\ntruesize subtraction in skb_segment_list() was valid because fragments\nstill carry a reference to the original socket.\n\nHowever, commit ed4cccef64c1 (\"gro: fix ownership transfer\") changed\nthis behavior by ensuring that fraglist entries are explicitly\norphaned (skb-\u003esk = NULL) to prevent illegal orphaning later in the\nstack. This change meant that the entire socket memory charge remained\nwith the head SKB, but the corresponding accounting logic in\nskb_segment_list() was never updated.\n\nAs a result, the current code unconditionally adds each fragment\u0027s\ntruesize to delta_truesize and subtracts it from the parent SKB. Since\nthe fragments are no longer charged to the socket, this subtraction\nresults in an effective under-count of memory when the head is freed.\nThis causes sk_wmem_alloc to remain non-zero, preventing socket\ndestruction and leading to a persistent memory leak.\n\nThe leak can be observed via KMEMLEAK when tearing down the networking\nenvironment:\n\nunreferenced object 0xffff8881e6eb9100 (size 2048):\n comm \"ping\", pid 6720, jiffies 4295492526\n backtrace:\n kmem_cache_alloc_noprof+0x5c6/0x800\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x35/0xa00\n inet6_create.part.0+0x303/0x10d0\n __sock_create+0x248/0x640\n __sys_socket+0x11b/0x1d0\n\nSince skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST\npackets constructed by GRO, the truesize adjustment is removed.\n\nThe call to skb_release_head_state() must be preserved. As documented in\ncommit cf673ed0e057 (\"net: fix fraglist segmentation reference count\nleak\"), it is still required to correctly drop references to SKB\nextensions that may be overwritten during __copy_skb_header().",
"id": "GHSA-w4ch-7p82-3m56",
"modified": "2026-07-14T15:31:32Z",
"published": "2026-01-23T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22979"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W55R-6729-MR2M
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-21 00:30In the Linux kernel, the following vulnerability has been resolved:
intel_th: Fix a resource leak in an error handling path
If an error occurs after calling 'pci_alloc_irq_vectors()', 'pci_free_irq_vectors()' must be called as already done in the remove function.
{
"affected": [],
"aliases": [
"CVE-2022-50143"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nintel_th: Fix a resource leak in an error handling path\n\nIf an error occurs after calling \u0027pci_alloc_irq_vectors()\u0027,\n\u0027pci_free_irq_vectors()\u0027 must be called as already done in the remove\nfunction.",
"id": "GHSA-w55r-6729-mr2m",
"modified": "2025-11-21T00:30:18Z",
"published": "2025-06-18T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50143"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/086c28ab7c5699256aced0049aae9c42f1410313"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/859342220accd0d332864fafbf4e3d2d0492bc3f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b5469573a274729bdb04b60a8d71f8d09940a31"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a8f3b78b1f8e959d06801ae82149f140a75724e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed4d5ecb7d7fd80336afb2f9ac6685651a6aa32f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fae9da7d4c2ccad3792de03e3cac1fe2bfabb73d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W58M-8MJ8-HH8W
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()
In ntfs_fill_super(), the fc->fs_private pointer is set to NULL without first freeing the memory it points to. This causes the subsequent call to ntfs_fs_free() to skip freeing the ntfs_mount_options structure.
This results in a kmemleak report:
unreferenced object 0xff1100015378b800 (size 32): comm "mount", pid 582, jiffies 4294890685 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00 ................ backtrace (crc ed541d8c): __kmalloc_cache_noprof+0x424/0x5a0 __ntfs_init_fs_context+0x47/0x590 alloc_fs_context+0x5d8/0x960 __x64_sys_fsopen+0xb1/0x190 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
This issue can be reproduced using the following commands: fallocate -l 100M test.file mount test.file /tmp/test
Since sbi->options is duplicated from fc->fs_private and does not directly use the memory allocated for fs_private, it is unnecessary to set fc->fs_private to NULL.
Additionally, this patch simplifies the code by utilizing the helper function put_mount_options() instead of open-coding the cleanup logic.
{
"affected": [],
"aliases": [
"CVE-2025-71312"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:16:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super()\n\nIn ntfs_fill_super(), the fc-\u003efs_private pointer is set to NULL without\nfirst freeing the memory it points to. This causes the subsequent call to\nntfs_fs_free() to skip freeing the ntfs_mount_options structure.\n\nThis results in a kmemleak report:\n\n unreferenced object 0xff1100015378b800 (size 32):\n comm \"mount\", pid 582, jiffies 4294890685\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00 ................\n backtrace (crc ed541d8c):\n __kmalloc_cache_noprof+0x424/0x5a0\n __ntfs_init_fs_context+0x47/0x590\n alloc_fs_context+0x5d8/0x960\n __x64_sys_fsopen+0xb1/0x190\n do_syscall_64+0x50/0x1f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThis issue can be reproduced using the following commands:\n fallocate -l 100M test.file\n mount test.file /tmp/test\n\nSince sbi-\u003eoptions is duplicated from fc-\u003efs_private and does not\ndirectly use the memory allocated for fs_private, it is unnecessary to\nset fc-\u003efs_private to NULL.\n\nAdditionally, this patch simplifies the code by utilizing the helper\nfunction put_mount_options() instead of open-coding the cleanup logic.",
"id": "GHSA-w58m-8mj8-hh8w",
"modified": "2026-06-25T21:31:18Z",
"published": "2026-05-27T15:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71312"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dac871d833b09495198dcac81d2ebaa8db11acbc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7edab0cee03a1cbe0e55a7bcab8d2d8b6b74278"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W642-F79M-MR3C
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-10 21:30In the Linux kernel, the following vulnerability has been resolved:
mISDN: fix possible memory leak in mISDN_dsp_element_register()
Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, use put_device() to give up the reference, so that the name can be freed in kobject_cleanup() when the refcount is 0.
The 'entry' is going to be freed in mISDN_dsp_dev_release(), so the kfree() is removed. list_del() is called in mISDN_dsp_dev_release(), so it need be initialized.
{
"affected": [],
"aliases": [
"CVE-2022-49821"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: fix possible memory leak in mISDN_dsp_element_register()\n\nAfer commit 1fa5ae857bb1 (\"driver core: get rid of struct device\u0027s\nbus_id string array\"), the name of device is allocated dynamically,\nuse put_device() to give up the reference, so that the name can be\nfreed in kobject_cleanup() when the refcount is 0.\n\nThe \u0027entry\u0027 is going to be freed in mISDN_dsp_dev_release(), so the\nkfree() is removed. list_del() is called in mISDN_dsp_dev_release(),\nso it need be initialized.",
"id": "GHSA-w642-f79m-mr3c",
"modified": "2025-11-10T21:30:27Z",
"published": "2025-05-01T15:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49821"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/083a2c9ef82e184bdf0b9f9a1e5fc38d32afbb47"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f2c681900a01e3f23789bca26d88268c3d5b51d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/727ed7d28348c026c7ef4d852f3d0e5054d376e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a05e3929668c8cfef495c69752a9e91fac4878f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98a2ac1ca8fd6eca6867726fe238d06e75eb1acd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b119bedbefb7dd9ed8bf8cb9f1056504250d610e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbd53d05c4c892080ef3b617eff4f57903acecb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d4b8394725079670be309f9a35ad88a8cbbaaefd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.