CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
967 vulnerabilities reference this CWE, most recent first.
GHSA-6MQ7-W565-8RF7
Vulnerability from github – Published: 2023-06-19 18:30 – Updated: 2024-04-04 04:58A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel. This flaw, during device unbind will lead to double release problem leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-3312"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-19T18:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in cpufreq subsystem in the Linux Kernel. This flaw, during device unbind will lead to double release problem leading to denial of service.",
"id": "GHSA-6mq7-w565-8rf7",
"modified": "2024-04-04T04:58:02Z",
"published": "2023-06-19T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3312"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/project/linux-pm/patch/20230323174026.950622-1-krzysztof.kozlowski%40linaro.org"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/project/linux-pm/patch/20230323174026.950622-1-krzysztof.kozlowski@linaro.org"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230731-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6P6F-GC59-4W3F
Vulnerability from github – Published: 2024-08-07 18:30 – Updated: 2024-08-08 15:31In the Linux kernel, the following vulnerability has been resolved:
mm: fix crashes from deferred split racing folio migration
Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration.
6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on.
Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).
{
"affected": [],
"aliases": [
"CVE-2024-42234"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T16:15:46Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix crashes from deferred split racing folio migration\n\nEven on 6.10-rc6, I\u0027ve been seeing elusive \"Bad page state\"s (often on\nflags when freeing, yet the flags shown are not bad: PG_locked had been\nset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from\ndeferred_split_scan()\u0027s folio_put(), and a variety of other BUG and WARN\nsymptoms implying double free by deferred split and large folio migration.\n\n6.7 commit 9bcef5973e31 (\"mm: memcg: fix split queue list crash when large\nfolio migration\") was right to fix the memcg-dependent locking broken in\n85ce2c517ade (\"memcontrol: only transfer the memcg data for migration\"),\nbut missed a subtlety of deferred_split_scan(): it moves folios to its own\nlocal list to work on them without split_queue_lock, during which time\nfolio-\u003e_deferred_list is not empty, but even the \"right\" lock does nothing\nto secure the folio and the list it is on.\n\nFortunately, deferred_split_scan() is careful to use folio_try_get(): so\nfolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()\nwhile the old folio\u0027s reference count is temporarily frozen to 0 - adding\nsuch a freeze in the !mapping case too (originally, folio lock and\nunmapping and no swap cache left an anon folio unreachable, so no freezing\nwas needed there: but the deferred split queue offers a way to reach it).",
"id": "GHSA-6p6f-gc59-4w3f",
"modified": "2024-08-08T15:31:28Z",
"published": "2024-08-07T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42234"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be9581ea8c058d81154251cb0695987098996cad"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc7facce686b64201dbf0b9614cc1d0bfad70010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6QMP-QCVF-X3PR
Vulnerability from github – Published: 2022-05-14 03:50 – Updated: 2022-05-14 03:50In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an authenticated client can cause a double free, leading to denial of service or potentially code execution.
{
"affected": [],
"aliases": [
"CVE-2017-7393"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-01T02:59:00Z",
"severity": "HIGH"
},
"details": "In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an authenticated client can cause a double free, leading to denial of service or potentially code execution.",
"id": "GHSA-6qmp-qcvf-x3pr",
"modified": "2022-05-14T03:50:14Z",
"published": "2022-05-14T03:50:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7393"
},
{
"type": "WEB",
"url": "https://github.com/TigerVNC/tigervnc/pull/438"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2000"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201801-13"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6QXM-GR5M-J478
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-03-18 21:32In the Linux kernel, the following vulnerability has been resolved:
netrom: fix double-free in nr_route_frame()
In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug.
Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb.
{
"affected": [],
"aliases": [
"CVE-2026-23098"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: fix double-free in nr_route_frame()\n\nIn nr_route_frame(), old_skb is immediately freed without checking if\nnr_neigh-\u003eax25 pointer is NULL. Therefore, if nr_neigh-\u003eax25 is NULL,\nthe caller function will free old_skb again, causing a double-free bug.\n\nTherefore, to prevent this, we need to modify it to check whether\nnr_neigh-\u003eax25 is NULL before freeing old_skb.",
"id": "GHSA-6qxm-gr5m-j478",
"modified": "2026-03-18T21:32:57Z",
"published": "2026-02-04T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23098"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6RHX-7F5J-52MJ
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-19 21:31In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix the error handler of rfkill config
When the core rfkill config throws error, it should free the allocated resources. Currently it is not freeing the core pdev create resources. Avoid this issue by calling the core pdev destroy in the error handler of core rfkill config.
Found this issue in the code review and it is compile tested only.
{
"affected": [],
"aliases": [
"CVE-2023-52688"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix the error handler of rfkill config\n\nWhen the core rfkill config throws error, it should free the\nallocated resources. Currently it is not freeing the core pdev\ncreate resources. Avoid this issue by calling the core pdev\ndestroy in the error handler of core rfkill config.\n\nFound this issue in the code review and it is compile tested only.",
"id": "GHSA-6rhx-7f5j-52mj",
"modified": "2025-09-19T21:31:15Z",
"published": "2024-05-17T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52688"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/898d8b3e1414cd900492ee6a0b582f8095ba4a1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4e593a7a22fa3c7d0550ef51c90b5c21f790aa8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6RHX-HQXM-8P36
Vulnerability from github – Published: 2021-08-25 20:46 – Updated: 2021-08-19 21:19An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25009"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:19:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.",
"id": "GHSA-6rhx-hqxm-8p36",
"modified": "2021-08-19T21:19:45Z",
"published": "2021-08-25T20:46:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25009"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2019-0034.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in http"
}
GHSA-6RRC-7VQP-364C
Vulnerability from github – Published: 2022-01-27 00:01 – Updated: 2025-10-22 00:32A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755
{
"affected": [],
"aliases": [
"CVE-2021-22600"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-26T14:15:00Z",
"severity": "HIGH"
},
"details": "A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the effected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755",
"id": "GHSA-6rrc-7vqp-364c",
"modified": "2025-10-22T00:32:28Z",
"published": "2022-01-27T00:01:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22600"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ec6af094ea28f0f2dda1a6a33b14cd57e36a9755"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230110-0002"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22600"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6XQC-J72Q-X4C8
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
procfs: fix possible double mmput() in do_procmap_query()
When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf.
{
"affected": [],
"aliases": [
"CVE-2026-43178"
],
"database_specific": {
"cwe_ids": [
"CWE-1341",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nprocfs: fix possible double mmput() in do_procmap_query()\n\nWhen user provides incorrectly sized buffer for build ID for PROCMAP_QUERY\nwe return with -ENAMETOOLONG error. After recent changes this condition\nhappens later, after we unlocked mmap_lock/per-VMA lock and did mmput(),\nso original goto out is now wrong and will double-mmput() mm_struct. Fix\nby jumping further to clean up only vm_file and name_buf.",
"id": "GHSA-6xqc-j72q-x4c8",
"modified": "2026-06-30T03:36:32Z",
"published": "2026-05-06T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43178"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-43178"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467227"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/61dc9f776705d6db6847c101b98fa4f0e9eb6fa3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8adaff87db143583e08eec4f4e7788f1ef8af94d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90f5e87c9b75833b9ef3a4415b92c0247f28ab2f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f9fe092084cd04deea18747f58a2304026e76aaa"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43178.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7376-X4RM-3V8X
Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2026-07-14 15:31A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2025-5914"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T20:15:26Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.",
"id": "GHSA-7376-x4rm-3v8x",
"modified": "2026-07-14T15:31:23Z",
"published": "2025-06-09T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
},
{
"type": "WEB",
"url": "https://github.com/libarchive/libarchive/pull/2598"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16524"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:18217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:18218"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:18219"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19041"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19046"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21913"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0326"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0934"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1541"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-5914"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-585531.html"
},
{
"type": "WEB",
"url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14130"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14135"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14137"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14141"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14142"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14525"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14528"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14594"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14644"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14808"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14828"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15024"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15397"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15709"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15827"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15828"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-74JP-62V9-RVJF
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix double free related to rereg_user_mr
If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again.
Fix this by setting iwmr->region to NULL after ib_umem_release.
Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
{
"affected": [],
"aliases": [
"CVE-2026-43120"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T10:16:25Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix double free related to rereg_user_mr\n\nIf IB_MR_REREG_TRANS is set during rereg_user_mr, the\numem will be released and a new one will be allocated\nin irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans\nfails after the new umem is allocated, it releases the umem,\nbut does not set iwmr-\u003eregion to NULL. The problem is that\nthis failure is propagated to the user, who will then call\nibv_dereg_mr (as they should). Then, the dereg_mr path will\nsee a non-NULL umem and attempt to call ib_umem_release again.\n\nFix this by setting iwmr-\u003eregion to NULL after ib_umem_release.\n\nFixed: 5ac388db27c4 (\"RDMA/irdma: Add support to re-register a memory region\")",
"id": "GHSA-74jp-62v9-rvjf",
"modified": "2026-05-08T15:31:16Z",
"published": "2026-05-06T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43120"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.