Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

966 vulnerabilities reference this CWE, most recent first.

GHSA-2HWQ-42HC-RHQV

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: usb: lan78xx: Fix double free issue with interrupt buffer allocation

In lan78xx_probe(), the buffer buf was being freed twice: once implicitly through usb_free_urb(dev->urb_intr) with the URB_FREE_BUFFER flag and again explicitly by kfree(buf). This caused a double free issue.

To resolve this, reordered kmalloc() and usb_alloc_urb() calls to simplify the initialization sequence and removed the redundant kfree(buf). Now, buf is allocated after usb_alloc_urb(), ensuring it is correctly managed by usb_fill_int_urb() and freed by usb_free_urb() as intended.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:29Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: Fix double free issue with interrupt buffer allocation\n\nIn lan78xx_probe(), the buffer `buf` was being freed twice: once\nimplicitly through `usb_free_urb(dev-\u003eurb_intr)` with the\n`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused\na double free issue.\n\nTo resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to\nsimplify the initialization sequence and removed the redundant\n`kfree(buf)`.  Now, `buf` is allocated after `usb_alloc_urb()`, ensuring\nit is correctly managed by  `usb_fill_int_urb()` and freed by\n`usb_free_urb()` as intended.",
  "id": "GHSA-2hwq-42hc-rhqv",
  "modified": "2026-06-01T18:31:19Z",
  "published": "2024-12-27T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53213"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03819abbeb11117dcbba40bfe322b88c0c88a6b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2970ef2fce90c661952ec2b451b0276d5f8d6180"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ac9f3c981eeceee2ec4d30d850f4a6f50a1ec40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/977128343fc2a30737399b58df8ea77e94f164bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a422ebec863d99d5607fb41bb7af3347fcb436d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b09512aea6223eec756f52aa584fc29eeab57480"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc5aa8e3ad69dcedeba79e667d4a2efb72a305af"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2MG6-CGRH-MG4J

Vulnerability from github – Published: 2025-02-27 03:33 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Fix double free in error path

If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it.

Reviewed by: Ricardo Ribalda ribalda@chromium.org

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix double free in error path\n\nIf the uvc_status_init() function fails to allocate the int_urb, it will\nfree the dev-\u003estatus pointer but doesn\u0027t reset the pointer to NULL. This\nresults in the kfree() call in uvc_status_cleanup() trying to\ndouble-free the memory. Fix it by resetting the dev-\u003estatus pointer to\nNULL after freeing it.\n\nReviewed by: Ricardo Ribalda \u003cribalda@chromium.org\u003e",
  "id": "GHSA-2mg6-cgrh-mg4j",
  "modified": "2025-11-03T21:32:52Z",
  "published": "2025-02-27T03:33:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57980"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d1f8e69eec91d5a75ef079778a5d0151db2a7f22"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6e5ba2516c5bef87c1fcb8189b6f3cad7c64b2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8e63dd7b6683969d3d47c7b8e9635f96d554ad4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2MJ9-CV5H-VQXP

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2024-09-20 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix double free of 'buf' in error path

smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf'

In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful.

But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix double free of \u0027buf\u0027 in error path\n\nsmatch warning:\ndrivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of \u0027buf\u0027\n\nIn fastrpc_req_mmap() error path, the fastrpc buffer is freed in\nfastrpc_req_munmap_impl() if unmap is successful.\n\nBut in the end, there is an unconditional call to fastrpc_buf_free().\nSo the above case triggers the double free of fastrpc buf.",
  "id": "GHSA-2mj9-cv5h-vqxp",
  "modified": "2024-09-20T21:31:38Z",
  "published": "2024-09-18T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46741"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfc1704d909dc9911a558b1a5833d3d61a43a1f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8c276d4dc0e19ee48385f74426aebc855b49aaf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f77dc8a75859e559f3238a6d906206259227985e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P8M-H2Q6-92V8

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-02-02 21:33
VLAI
Details

A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-19T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).",
  "id": "GHSA-2p8m-h2q6-92v8",
  "modified": "2023-02-02T21:33:42Z",
  "published": "2022-05-24T22:00:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3896"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1488"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1489"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1490"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2019-3896"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694812"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3896"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190710-0002"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K04327111"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108814"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PJ7-4M32-XVMQ

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

Windows MultiPoint Services Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T17:15:15Z",
    "severity": "HIGH"
  },
  "details": "Windows MultiPoint Services Remote Code Execution Vulnerability",
  "id": "GHSA-2pj7-4m32-xvmq",
  "modified": "2024-07-09T18:30:49Z",
  "published": "2024-07-09T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30013"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PVH-447J-V7M6

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-06-19 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: meson-spicc: Fix double-put in remove path

meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup.

Calling spi_controller_put() again in meson_spicc_remove() causes a double-put.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:46Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: meson-spicc: Fix double-put in remove path\n\nmeson_spicc_probe() registers the controller with\ndevm_spi_register_controller(), so teardown already drops the\ncontroller reference via devm cleanup.\n\nCalling spi_controller_put() again in meson_spicc_remove()\ncauses a double-put.",
  "id": "GHSA-2pvh-447j-v7m6",
  "modified": "2026-06-19T15:33:08Z",
  "published": "2026-04-22T15:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31489"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01f5f7976c24d6e9beef6b5a410af3b9b1d4d476"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d645c6d13fa0597935d3d16b09a7ba5d24ed284"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/40ad0334c17b23d8b66b1082ad1478a6202e90e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/63542bb402b7013171c9f621c28b609eda4dbf1f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7434c64ddae88a02e7fb478bc256cc100d48d3e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b812ceb75a6260c17c91db4b9e74ead8cfa06f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d61bcec3aec6f0244a9b963e0c76c00f771d49b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da06a104f0486355073ff0d1bcb1fcbebb7080d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2QF3-2MV6-PGGH

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2024-04-01 15:30
VLAI
Details

A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-06T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
  "id": "GHSA-2qf3-2mv6-pggh",
  "modified": "2024-04-01T15:30:27Z",
  "published": "2022-05-24T17:30:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25637"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881037"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-06"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00072.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00073.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2R6W-8QQX-7JQ3

Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-03-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: spi-sprd-adi: Fix double free in probe error path

The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller().

If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure.

Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T17:16:17Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-sprd-adi: Fix double free in probe error path\n\nThe driver currently uses spi_alloc_host() to allocate the controller\nbut registers it using devm_spi_register_controller().\n\nIf devm_register_restart_handler() fails, the code jumps to the\nput_ctlr label and calls spi_controller_put(). However, since the\ncontroller was registered via a devm function, the device core will\nautomatically call spi_controller_put() again when the probe fails.\nThis results in a double-free of the spi_controller structure.\n\nFix this by switching to devm_spi_alloc_host() and removing the\nmanual spi_controller_put() call.",
  "id": "GHSA-2r6w-8qqx-7jq3",
  "modified": "2026-03-13T21:31:40Z",
  "published": "2026-02-04T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23068"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-346C-J6CG-XP49

Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30
VLAI
Details

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T18:15:33Z",
    "severity": "HIGH"
  },
  "details": "Windows Kernel-Mode Driver Elevation of Privilege Vulnerability",
  "id": "GHSA-346c-j6cg-xp49",
  "modified": "2024-11-12T18:30:59Z",
  "published": "2024-11-12T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43640"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43640"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-349Q-HP2F-R4HF

Vulnerability from github – Published: 2025-07-04 15:31 – Updated: 2025-12-18 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix double free in delayed_free

The double free could happen in the following path.

exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T14:15:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n        exfat_create_upcase_table() : return error\n        exfat_free_upcase_table() : free -\u003evol_utbl\n        exfat_load_default_upcase_table : return error\n     exfat_kill_sb()\n           delayed_free()\n                  exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
  "id": "GHSA-349q-hp2f-r4hf",
  "modified": "2025-12-18T21:31:33Z",
  "published": "2025-07-04T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38206"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13d8de1b6568dcc31a95534ced16bc0c9a67bc15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f3d9724e16d62c7d42c67d6613b8512f2887c22"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66e84439ec2af776ce749e8540f8fdd257774152"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3cef0e7a5c1aa6217c51faa9ce8ecac35d6e1fd"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.