Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-3274-2965-22FP

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Missing release of memory after effective lifetime in the UEFI OobRasMmbiHandlerDriver module for some Intel(R) reference server platforms may allow a privileged user to enable denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T17:15:28Z",
    "severity": "MODERATE"
  },
  "details": "Missing release of memory after effective lifetime in the UEFI OobRasMmbiHandlerDriver module for some Intel(R) reference server platforms may allow a privileged user to enable denial of service via local access.",
  "id": "GHSA-3274-2965-22fp",
  "modified": "2025-08-12T18:31:27Z",
  "published": "2025-08-12T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20077"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01300.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-32C5-Q8CJ-XX83

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: mhi: fix memory leak in mhi_mbim_dellink

MHI driver registers network device without setting the needs_free_netdev flag, and does NOT call free_netdev() when unregisters network device, which causes a memory leak.

This patch sets needs_free_netdev to true when registers network device, which makes netdev subsystem call free_netdev() automatically after unregister_netdevice().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: mhi: fix memory leak in mhi_mbim_dellink\n\nMHI driver registers network device without setting the\nneeds_free_netdev flag, and does NOT call free_netdev() when\nunregisters network device, which causes a memory leak.\n\nThis patch sets needs_free_netdev to true when registers\nnetwork device, which makes netdev subsystem call free_netdev()\nautomatically after unregister_netdevice().",
  "id": "GHSA-32c5-q8cj-xx83",
  "modified": "2025-05-07T15:31:25Z",
  "published": "2025-05-01T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49866"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2845bc9070cef0c651987487d84d4813d64675dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cd3ffe952f78ec5dadf300cb58d4b38a0c0106d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/668205b9c9f94d5ed6ab00cce9a46a654c2b5d16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32CF-6454-VHQX

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-06 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: [next] staging: media: atomisp: fix memory leak of object flash

In the case where the call to lm3554_platform_data_func returns an error there is a memory leak on the error return path of object flash. Fix this by adding an error return path that will free flash and rename labels fail2 to fail3 and fail1 to fail2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: [next] staging: media: atomisp: fix memory leak of object flash\n\nIn the case where the call to lm3554_platform_data_func returns an\nerror there is a memory leak on the error return path of object\nflash.  Fix this by adding an error return path that will free\nflash and rename labels fail2 to fail3 and fail1 to fail2.",
  "id": "GHSA-32cf-6454-vhqx",
  "modified": "2024-12-06T18:30:44Z",
  "published": "2024-02-28T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36786"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/27d2eab69f7da8e94e4751ac5c6d22d809275484"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f0f37d03cde8f4341df8454f9b40a67fda94a33"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6045b01dd0e3cd3759eafe7f290ed04c957500b1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc4cc2fb5aaf9adb83c02211eb13b16cfcb7ba64"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32VF-74M9-2952

Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-10-21 19:01
VLAI
Details

An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.",
  "id": "GHSA-32vf-74m9-2952",
  "modified": "2022-10-21T19:01:15Z",
  "published": "2022-10-19T19:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43037"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/788"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33FG-VCJ3-G326

Vulnerability from github – Published: 2024-02-06 06:30 – Updated: 2024-02-06 06:30
VLAI
Details

Transient DOS in Multi-Mode Call Processor due to UE failure because of heap leakage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T06:15:59Z",
    "severity": "HIGH"
  },
  "details": "Transient DOS in Multi-Mode Call Processor due to UE failure because of heap leakage.",
  "id": "GHSA-33fg-vcj3-g326",
  "modified": "2024-02-06T06:30:30Z",
  "published": "2024-02-06T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33049"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33G5-GX8W-X4P5

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19
VLAI
Details

go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.",
  "id": "GHSA-33g5-gx8w-x4p5",
  "modified": "2022-05-24T17:19:01Z",
  "published": "2022-05-24T17:19:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20810"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9453264ef58638ce8976121ac44c07a3ef375983"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4427-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4439-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4440-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4483-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4485-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-33XV-G39W-2G66

Vulnerability from github – Published: 2024-06-20 12:31 – Updated: 2024-09-18 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

block: fix memory leak in disk_register_independent_access_ranges

kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add()

If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object.

Fix this issue by adding kobject_put(). Callback function blk_ia_ranges_sysfs_release() in kobject_put() can handle the pointer "iars" properly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix memory leak in disk_register_independent_access_ranges\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()\n\n   If this function returns an error, kobject_put() must be called to\n   properly clean up the memory associated with the object.\n\nFix this issue by adding kobject_put().\nCallback function blk_ia_ranges_sysfs_release() in kobject_put()\ncan handle the pointer \"iars\" properly.",
  "id": "GHSA-33xv-g39w-2g66",
  "modified": "2024-09-18T18:30:49Z",
  "published": "2024-06-20T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48753"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83114df32ae779df57e0af99a8ba6c3968b2ba3d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe4214a07e0b53d2af711f57519e33739c5df23f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3429-2HMM-5VVX

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-08-06 00:00
VLAI
Details

A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-25T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-3429-2hmm-5vvx",
  "modified": "2022-08-06T00:00:40Z",
  "published": "2022-05-24T17:45:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20216"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923256"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-16"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/01/31/2"
    },
    {
      "type": "WEB",
      "url": "https://www.privoxy.org/3.0.31/user-manual/whatsnew.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-342M-FMJ9-855C

Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2025-11-03 21:30
VLAI
Details

DCMTK through 3.6.6 does not handle memory free properly. The program malloc a heap memory for parsing data, but does not free it when error in parsing. Sending specific requests to the dcmqrdb program incur the memory leak. An attacker can use it to launch a DoS attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-28T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "DCMTK through 3.6.6 does not handle memory free properly. The program malloc a heap memory for parsing data, but does not free it when error in parsing. Sending specific requests to the dcmqrdb program incur the memory leak. An attacker can use it to launch a DoS attack.",
  "id": "GHSA-342m-fmj9-855c",
  "modified": "2025-11-03T21:30:41Z",
  "published": "2022-06-29T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41687"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DCMTK/dcmtk"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00032.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-347M-W2V2-FMV3

Vulnerability from github – Published: 2022-01-20 00:01 – Updated: 2022-02-02 00:02
VLAI
Details

A Missing Release of Memory after Effective Lifetime vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS). In a scenario where Public Key Infrastructure (PKI) is used in combination with Certificate Revocation List (CRL), if the CRL fails to download the memory allocated to store the CRL is not released. Repeated occurrences will eventually consume all available memory and lead to an inoperable state of the affected system causing a DoS. This issue affects Juniper Networks Junos OS: All versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R2-S9, 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R2-S5, 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2. This issue can be observed by monitoring the memory utilization of the pkid process via: root@jtac-srx1500-r2003> show system processes extensive | match pki 20931 root 20 0 733M 14352K select 0:00 0.00% pkid which increases over time: root@jtac-srx1500-r2003> show system processes extensive | match pki 22587 root 20 0 901M 181M select 0:03 0.00% pkid

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Missing Release of Memory after Effective Lifetime vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS). In a scenario where Public Key Infrastructure (PKI) is used in combination with Certificate Revocation List (CRL), if the CRL fails to download the memory allocated to store the CRL is not released. Repeated occurrences will eventually consume all available memory and lead to an inoperable state of the affected system causing a DoS. This issue affects Juniper Networks Junos OS: All versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R2-S9, 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R2-S5, 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2. This issue can be observed by monitoring the memory utilization of the pkid process via: root@jtac-srx1500-r2003\u003e show system processes extensive | match pki 20931 root 20 0 733M 14352K select 0:00 0.00% pkid which increases over time: root@jtac-srx1500-r2003\u003e show system processes extensive | match pki 22587 root 20 0 901M 181M select 0:03 0.00% pkid",
  "id": "GHSA-347m-w2v2-fmv3",
  "modified": "2022-02-02T00:02:21Z",
  "published": "2022-01-20T00:01:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22173"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.