Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

967 vulnerabilities reference this CWE, most recent first.

GHSA-66W7-7XM6-WF7V

Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57
VLAI
Details

In copy_process of fork.c, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-111081202 References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-02T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "In copy_process of fork.c, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-111081202 References: N/A",
  "id": "GHSA-66w7-7xm6-wf7v",
  "modified": "2022-05-14T01:57:52Z",
  "published": "2022-05-14T01:57:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9513"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-10-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105483"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66X2-RPWX-FJFR

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drivers: base: Free devm resources when unregistering a device

In the current code, devres_release_all() only gets called if the device has a bus and has been probed.

This leads to issues when using bus-less or driver-less devices where the device might never get freed if a managed resource holds a reference to the device. This is happening in the DRM framework for example.

We should thus call devres_release_all() in the device_del() function to make sure that the device-managed actions are properly executed when the device is unregistered, even if it has neither a bus nor a driver.

This is effectively the same change than commit 2f8d16a996da ("devres: release resources on device_del()") that got reverted by commit a525a3ddeaca ("driver core: free devres in device_release") over memory leaks concerns.

This patch effectively combines the two commits mentioned above to release the resources both on device_del() and device_release() and get the best of both worlds.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:56Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: Free devm resources when unregistering a device\n\nIn the current code, devres_release_all() only gets called if the device\nhas a bus and has been probed.\n\nThis leads to issues when using bus-less or driver-less devices where\nthe device might never get freed if a managed resource holds a reference\nto the device. This is happening in the DRM framework for example.\n\nWe should thus call devres_release_all() in the device_del() function to\nmake sure that the device-managed actions are properly executed when the\ndevice is unregistered, even if it has neither a bus nor a driver.\n\nThis is effectively the same change than commit 2f8d16a996da (\"devres:\nrelease resources on device_del()\") that got reverted by commit\na525a3ddeaca (\"driver core: free devres in device_release\") over\nmemory leaks concerns.\n\nThis patch effectively combines the two commits mentioned above to\nrelease the resources both on device_del() and device_release() and get\nthe best of both worlds.",
  "id": "GHSA-66x2-rpwx-fjfr",
  "modified": "2026-06-01T18:31:21Z",
  "published": "2025-10-04T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53596"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/297992e5c63528e603666e36081836204fc36ec9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bcc4c2a096e8342c8c719e595ce15de212694dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/699fb50d99039a50e7494de644f96c889279aca3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83e2ec36a92432e9445e853c12becbbae353b511"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9ef4b0aa91d2f9f5951faafdbbd47cf01799ec3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c8c426fae26086a0ca8ab6cc6da2de79810ec038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-679V-8HV6-2JM9

Vulnerability from github – Published: 2024-12-28 12:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

9p/xen: fix release of IRQ

Kernel logs indicate an IRQ was double-freed.

Pass correct device ID during IRQ release.

[Dominique: remove confusing variable reset to 0]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-28T10:15:18Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: fix release of IRQ\n\nKernel logs indicate an IRQ was double-freed.\n\nPass correct device ID during IRQ release.\n\n[Dominique: remove confusing variable reset to 0]",
  "id": "GHSA-679v-8hv6-2jm9",
  "modified": "2025-11-03T21:32:01Z",
  "published": "2024-12-28T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56704"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bb3ee1bf237557daea1d58007d2e1d4a6502ccf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4950408793b118cb8075bcee1f033b543fb719fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/530bc9f03a102fac95b07cda513bfc16ff69e0ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/692eb06703afc3e24d889d77e94a0e20229f6a4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f5a2ed5c1810661e6b03f5a4ebf17682cdea850"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9e26059664bd9ebc64a0e8f5216266fc9f84265"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d74b4b297097bd361b8a9abfde9b521ff464ea9c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d888f5f5d76b2722c267e6bdf51d445d60647b7b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e43c608f40c065b30964f0a806348062991b802d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-67P5-53X6-9J7Q

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix double-free of tx_buf skb

If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time.

The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path.

The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch.

I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN.

I looked for similar bugs in related Intel drivers and did not find any.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1341",
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:12Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix double-free of tx_buf skb\n\nIf ice_tso() or ice_tx_csum() fail, the error path in\nice_xmit_frame_ring() frees the skb, but the \u0027first\u0027 tx_buf still points\nto it and is marked as valid (ICE_TX_BUF_SKB).\n\u0027next_to_use\u0027 remains unchanged, so the potential problem will\nlikely fix itself when the next packet is transmitted and the tx_buf\ngets overwritten. But if there is no next packet and the interface is\nbrought down instead, ice_clean_tx_ring() -\u003e ice_unmap_and_free_tx_buf()\nwill find the tx_buf and free the skb for the second time.\n\nThe fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error\npath, so that ice_unmap_and_free_tx_buf().\nMove the initialization of \u0027first\u0027 up, to ensure it\u0027s already valid in\ncase we hit the linearization error path.\n\nThe bug was spotted by AI while I had it looking for something else.\nIt also proposed an initial version of the patch.\n\nI reproduced the bug and tested the fix by adding code to inject\nfailures, on a build with KASAN.\n\nI looked for similar bugs in related Intel drivers and did not find any.",
  "id": "GHSA-67p5-53x6-9j7q",
  "modified": "2026-06-30T03:37:13Z",
  "published": "2026-06-24T18:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53009"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-53009"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492390"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a303baa715e6b78d6a406aaf335f87ff35acfcd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c08fc2119ef0281cfa2cee007acf0a251be55f2"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53009.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6849-HH75-RGVX

Vulnerability from github – Published: 2025-12-02 03:31 – Updated: 2025-12-02 15:30
VLAI
Details

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-02T03:16:19Z",
    "severity": "MODERATE"
  },
  "details": "In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.",
  "id": "GHSA-6849-hh75-rgvx",
  "modified": "2025-12-02T15:30:31Z",
  "published": "2025-12-02T03:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20775"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68F3-CX9X-C5JF

Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: Fix double-free in teql_master_xmit

Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following:

[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) [ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 238.029910][ T318] Call Trace: [ 238.029913][ T318] [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) [ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) [ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) [ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) [ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) ... [ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) [ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) [ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) [ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) [ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) [ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) [ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) [ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) ... [ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: [ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) [ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) [ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) [ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) [ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) [ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) [ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) [ 238.081469][ T318] [ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: [ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) [ 238.085900][ T318] __kasan_slab_free (mm/ ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-03T16:16:31Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: Fix double-free in teql_master_xmit\n\nWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should\nbe called using the seq_lock to avoid racing with the datapath. Failure\nto do so may cause crashes like the following:\n\n[  238.028993][  T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)\n[  238.029328][  T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318\n[  238.029749][  T318]\n[  238.029900][  T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)\n[  238.029906][  T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[  238.029910][  T318] Call Trace:\n[  238.029913][  T318]  \u003cTASK\u003e\n[  238.029916][  T318]  dump_stack_lvl (lib/dump_stack.c:122)\n[  238.029928][  T318]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[  238.029940][  T318]  ? skb_release_data (net/core/skbuff.c:1139)\n[  238.029944][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[  238.029957][  T318]  ? skb_release_data (net/core/skbuff.c:1139)\n[  238.029969][  T318]  kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)\n[  238.029979][  T318]  ? skb_release_data (net/core/skbuff.c:1139)\n[  238.029989][  T318]  check_slab_allocation (mm/kasan/common.c:231)\n[  238.029995][  T318]  kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))\n[  238.030004][  T318]  skb_release_data (net/core/skbuff.c:1139)\n...\n[  238.030025][  T318]  sk_skb_reason_drop (net/core/skbuff.c:1256)\n[  238.030032][  T318]  pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)\n[  238.030039][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[  238.030054][  T318]  qdisc_reset (net/sched/sch_generic.c:1034)\n[  238.030062][  T318]  teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)\n[  238.030071][  T318]  __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)\n[  238.030077][  T318]  qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[  238.030089][  T318]  ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)\n[  238.030095][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  238.030102][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  238.030106][  T318]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  238.030114][  T318]  tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)\n...\n[  238.072958][  T318] Allocated by task 303 on cpu 5 at 238.026275s:\n[  238.073392][  T318]  kasan_save_stack (mm/kasan/common.c:58)\n[  238.073884][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[  238.074230][  T318]  __kasan_slab_alloc (mm/kasan/common.c:369)\n[  238.074578][  T318]  kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)\n[  238.076091][  T318]  kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))\n[  238.076450][  T318]  __alloc_skb (net/core/skbuff.c:713)\n[  238.076834][  T318]  alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)\n[  238.077178][  T318]  sock_alloc_send_pskb (net/core/sock.c:2997)\n[  238.077520][  T318]  packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)\n[  238.081469][  T318]\n[  238.081870][  T318] Freed by task 299 on cpu 1 at 238.028496s:\n[  238.082761][  T318]  kasan_save_stack (mm/kasan/common.c:58)\n[  238.083481][  T318]  kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[  238.085348][  T318]  kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))\n[  238.085900][  T318]  __kasan_slab_free (mm/\n---truncated---",
  "id": "GHSA-68f3-cx9x-c5jf",
  "modified": "2026-07-14T15:31:45Z",
  "published": "2026-04-03T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23449"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21c89a0a8de7eadad8d385645a95b3233f23130e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a233447b941db451ea5f5a0942cffd0f7f7eaae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e8ebc4c18ea8213d28e6cb867d18fcc67daca21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66360460cab63c248ca5b1070a01c0c29133b960"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/afbc79a7770b230a9f24bd39271209d6b3682c5f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9c66d3e7d8557b3308e55c613aa07254fe97611"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68FR-G7G6-87XW

Vulnerability from github – Published: 2022-05-14 02:05 – Updated: 2025-04-20 03:32
VLAI
Details

Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-15T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command.",
  "id": "GHSA-68fr-g7g6-87xw",
  "modified": "2025-04-20T03:32:56Z",
  "published": "2022-05-14T02:05:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8693"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mdadams/jasper/commit/44a524e367597af58d6265ae2014468b334d0309"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1208"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2016/10/16/jasper-double-free-in-mem_close-jas_stream-c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1385507"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3785"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/08/23/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/10/16/14"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68P4-PJPF-XWCQ

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2023-06-13 20:09
VLAI
Summary
insert_slice_clone can double drop if Clone panics.
Details

Affected versions of this crate used ptr::copy when inserting into the middle of a Vec. When ownership was temporarily duplicated during this copy, it calls the clone method of a user provided element.

This issue can result in an element being double-freed if the clone call panics.

Commit 20cb73d fixed this issue by adding a set_len(0) call before operating on the vector to avoid dropping the elements during a panic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "qwutils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-26954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:14:33Z",
    "nvd_published_at": "2021-02-09T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of this crate used ptr::copy when inserting into the middle of a Vec. When ownership was temporarily duplicated during this copy, it calls the clone method of a user provided element.\n\nThis issue can result in an element being double-freed if the clone call panics.\n\nCommit `20cb73d` fixed this issue by adding a set_len(0) call before operating on the vector to avoid dropping the elements during a panic.",
  "id": "GHSA-68p4-pjpf-xwcq",
  "modified": "2023-06-13T20:09:07Z",
  "published": "2022-05-24T17:41:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26954"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qwertz19281/rust_utils/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qwertz19281/rust_utils/commit/20cb73d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/qwertz19281/rust_utils"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0018.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "insert_slice_clone can double drop if Clone panics."
}

GHSA-68WR-C23J-2H2Q

Vulnerability from github – Published: 2022-05-14 01:42 – Updated: 2022-05-14 01:42
VLAI
Details

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic.",
  "id": "GHSA-68wr-c23j-2h2q",
  "modified": "2022-05-14T01:42:03Z",
  "published": "2022-05-14T01:42:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11987"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2018/12/03/december-2018-code-aurora-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69M6-42X6-85HC

Vulnerability from github – Published: 2022-05-25 00:00 – Updated: 2022-06-02 00:00
VLAI
Details

A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-24T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.",
  "id": "GHSA-69m6-42x6-85hc",
  "modified": "2022-06-02T00:00:40Z",
  "published": "2022-05-25T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42613"
    },
    {
      "type": "WEB",
      "url": "https://carteryagemann.com/halibut-case-study.html#poc-halibut-winhelp-df"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CC7UZ7NRXDA7YSCSGWE2CBQM7OZS3K2R"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.