CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-XH72-9GPX-W4CX
Vulnerability from github – Published: 2024-02-28 21:30 – Updated: 2024-08-29 21:31A memory leak issue discovered in parseSWF_FREECHARACTER in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
{
"affected": [],
"aliases": [
"CVE-2024-24148"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T20:15:41Z",
"severity": "HIGH"
},
"details": "A memory leak issue discovered in parseSWF_FREECHARACTER in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.",
"id": "GHSA-xh72-9gpx-w4cx",
"modified": "2024-08-29T21:31:01Z",
"published": "2024-02-28T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24148"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming/issues/308"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHHV-VJ84-84FM
Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-12 18:30In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: fix tx skb dma unmap
The first pointer in the txp needs to be unmapped as well, otherwise it will leak DMA mapping entries
{
"affected": [],
"aliases": [
"CVE-2021-47033"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T09:15:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: fix tx skb dma unmap\n\nThe first pointer in the txp needs to be unmapped as well, otherwise it will\nleak DMA mapping entries",
"id": "GHSA-xhhv-vj84-84fm",
"modified": "2024-12-12T18:30:49Z",
"published": "2024-02-28T09:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47033"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/75bc5f779a7664d1fc19cb915039439c6e58bb94"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/821ae236ccea989a1fcc6abfc4d5b74ad4ba39d2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a025277a80add18c33d01042525a74fe5b875f25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ebee7885bb12a8fe2c2f9bac87dbd87a05b645f9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHJ3-66VG-P2C8
Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-19 00:00ffjpeg commit caade60a69633d74100bd3c2528bddee0b6a1291 was discovered to contain a memory leak via /src/jfif.c.
{
"affected": [],
"aliases": [
"CVE-2022-35433"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-16T21:15:00Z",
"severity": "MODERATE"
},
"details": "ffjpeg commit caade60a69633d74100bd3c2528bddee0b6a1291 was discovered to contain a memory leak via /src/jfif.c.",
"id": "GHSA-xhj3-66vg-p2c8",
"modified": "2022-08-19T00:00:38Z",
"published": "2022-08-17T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35433"
},
{
"type": "WEB",
"url": "https://github.com/rockcarry/ffjpeg/issues/52"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJ33-WWM4-P8MW
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-31 21:30In the Linux kernel, the following vulnerability has been resolved:
bpf, s390: Fix potential memory leak about jit_data
Make sure to free jit_data through kfree() in the error path.
{
"affected": [],
"aliases": [
"CVE-2021-47426"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:28Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, s390: Fix potential memory leak about jit_data\n\nMake sure to free jit_data through kfree() in the error path.",
"id": "GHSA-xj33-wwm4-p8mw",
"modified": "2024-12-31T21:30:44Z",
"published": "2024-05-21T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47426"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29fdb11ca88d3c490a3d56f0dc77eb9444d086be"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/686cb8b9f6b46787f035afe8fbd132a74e6b1bdd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a326f9c01cfbee4450ae49ce618ae6cbc0f76842"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d590a410e472417a22336c7c37685bfb38e801f2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJF3-WCJC-6JQ8
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to how objects in memory are handled, aka "Windows Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0829 and CVE-2018-0830.
{
"affected": [],
"aliases": [
"CVE-2018-0832"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-15T02:29:00Z",
"severity": "MODERATE"
},
"details": "The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to how objects in memory are handled, aka \"Windows Information Disclosure Vulnerability\". This CVE is unique from CVE-2018-0829 and CVE-2018-0830.",
"id": "GHSA-xjf3-wcjc-6jq8",
"modified": "2022-05-13T01:18:32Z",
"published": "2022-05-13T01:18:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0832"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0832"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44146"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102923"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040373"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XJM5-MRH5-2HC5
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not freed, which will cause following memleak:
unreferenced object 0xffff88810b2c6980 (size 32): comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff @9$............. backtrace: [<0000000098f3a26d>] alua_activate+0xb0/0x320 [<000000003b529641>] scsi_dh_activate+0xb2/0x140 [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath] [<000000007adc9ace>] process_one_work+0x3c5/0x730 [<00000000c457a985>] worker_thread+0x93/0x650 [<00000000cb80e628>] kthread+0x1ba/0x210 [<00000000a1e61077>] ret_from_fork+0x22/0x30
Fix the problem by freeing 'qdata' in error path.
{
"affected": [],
"aliases": [
"CVE-2023-53078"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:26Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_dh_alua: Fix memleak for \u0027qdata\u0027 in alua_activate()\n\nIf alua_rtpg_queue() failed from alua_activate(), then \u0027qdata\u0027 is not\nfreed, which will cause following memleak:\n\nunreferenced object 0xffff88810b2c6980 (size 32):\n comm \"kworker/u16:2\", pid 635322, jiffies 4355801099 (age 1216426.076s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff @9$.............\n backtrace:\n [\u003c0000000098f3a26d\u003e] alua_activate+0xb0/0x320\n [\u003c000000003b529641\u003e] scsi_dh_activate+0xb2/0x140\n [\u003c000000007b296db3\u003e] activate_path_work+0xc6/0xe0 [dm_multipath]\n [\u003c000000007adc9ace\u003e] process_one_work+0x3c5/0x730\n [\u003c00000000c457a985\u003e] worker_thread+0x93/0x650\n [\u003c00000000cb80e628\u003e] kthread+0x1ba/0x210\n [\u003c00000000a1e61077\u003e] ret_from_fork+0x22/0x30\n\nFix the problem by freeing \u0027qdata\u0027 in error path.",
"id": "GHSA-xjm5-mrh5-2hc5",
"modified": "2025-11-12T21:31:00Z",
"published": "2025-05-02T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53078"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d89254a4320eb7de0970c478172f764125c6355"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/123483df146492ca22b503ae6dacc2ce7c3a3974"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c55982beb80c7d3c30278fc6cfda8496a31dbe6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c4d71424df34fc23dc5336d09394ce68c849542"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9311e7a554dffd3823499e309a8b86a5cd1540e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a13faca032acbf2699293587085293bdfaafc8ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c09cdf6eb815ee35e55d6c50ac7f63db58bd20b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c110051d335ef7f62ad33474b0c23997fee5bfb5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJMQ-X923-HRWQ
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2023-01-20 15:30A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.
{
"affected": [],
"aliases": [
"CVE-2019-18813"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-07T16:15:00Z",
"severity": "HIGH"
},
"details": "A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering platform_device_add_properties() failures, aka CID-9bbfceea12a8.",
"id": "GHSA-xjmq-x923-hrwq",
"modified": "2023-01-20T15:30:28Z",
"published": "2022-05-24T17:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18813"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9bbfceea12a8f145097a27d7c7267af25893c060"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20191205-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4225-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4225-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4226-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XM9J-X4HP-V2X3
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-30 21:30In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau/kms/nv50-: fix file release memory leak
When using single_open() for opening, single_release() should be called, otherwise the 'op' allocated in single_open() will be leaked.
{
"affected": [],
"aliases": [
"CVE-2021-47422"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/kms/nv50-: fix file release memory leak\n\nWhen using single_open() for opening, single_release() should be\ncalled, otherwise the \u0027op\u0027 allocated in single_open() will be leaked.",
"id": "GHSA-xm9j-x4hp-v2x3",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47422"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b3d4945cc7e7ea1acd52cb06dfa83bfe265b6d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b4e9fc14973a94ac0520f19b3633493ae13c912"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65fff0a8efcdca8d84ffe3e23057c3b32403482d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMFC-6X2R-FQV5
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-24 18:30In the Linux kernel, the following vulnerability has been resolved:
virtio-blk: Fix memory leak among suspend/resume procedure
The vblk->vqs should be freed before we call init_vqs() in virtblk_restore().
{
"affected": [],
"aliases": [
"CVE-2021-47319"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Fix memory leak among suspend/resume procedure\n\nThe vblk-\u003evqs should be freed before we call init_vqs()\nin virtblk_restore().",
"id": "GHSA-xmfc-6x2r-fqv5",
"modified": "2024-12-24T18:30:48Z",
"published": "2024-05-21T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47319"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04c6e60b884cb5e94ff32af46867fb41d5848358"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/102d6bc6475ab09bab579c18704e6cf8d898e93c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29a2f4a3214aa14d61cc9737c9f886dae9dbb710"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/381bde79d11e596002edfd914e6714291826967a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/600942d2fd49b90e44857d20c774b20d16f3130f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/863da837964c80c72e368a4f748c30d25daa1815"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b71ba22e7c6c6b279c66f53ee7818709774efa1f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca2b8ae93a6da9839dc7f9eb9199b18aa03c3dae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd24da0db9f75ca11eaf6060f0ccb90e2f3be3b0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMJC-7969-FFGM
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-19 18:31In the Linux kernel, the following vulnerability has been resolved:
xsk: recycle buffer in case Rx queue was full
Add missing xsk_buff_free() call when __xsk_rcv_zc() failed to produce descriptor to XSK Rx queue.
{
"affected": [],
"aliases": [
"CVE-2024-35834"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T14:15:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: recycle buffer in case Rx queue was full\n\nAdd missing xsk_buff_free() call when __xsk_rcv_zc() failed to produce\ndescriptor to XSK Rx queue.",
"id": "GHSA-xmjc-7969-ffgm",
"modified": "2025-09-19T18:31:17Z",
"published": "2024-05-17T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/269009893146c495f41e9572dd9319e787c2eba9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b4d93d31aade99210d41cd9d4cbd2957c98bc8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cce713664548284daf977739e7ff1cd59e84189c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.