CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
967 vulnerabilities reference this CWE, most recent first.
GHSA-7XF4-2CCH-Q53V
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-01-10 18:31In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: fix a potential double-free in fs_any_create_groups
When kcalloc() for ft->g succeeds but kvzalloc() for in fails, fs_any_create_groups() will free ft->g. However, its caller fs_any_create_table() will free ft->g again through calling mlx5e_destroy_flow_table(), which will lead to a double-free. Fix this by setting ft->g to NULL in fs_any_create_groups().
{
"affected": [],
"aliases": [
"CVE-2023-52667"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T14:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix a potential double-free in fs_any_create_groups\n\nWhen kcalloc() for ft-\u003eg succeeds but kvzalloc() for in fails,\nfs_any_create_groups() will free ft-\u003eg. However, its caller\nfs_any_create_table() will free ft-\u003eg again through calling\nmlx5e_destroy_flow_table(), which will lead to a double-free.\nFix this by setting ft-\u003eg to NULL in fs_any_create_groups().",
"id": "GHSA-7xf4-2cch-q53v",
"modified": "2025-01-10T18:31:37Z",
"published": "2024-05-17T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52667"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2897c981ee63e1be5e530b1042484626a10b26d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65a4ade8a6d205979292e88beeb6a626ddbd4779"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72a729868592752b5a294d27453da264106983b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aef855df7e1bbd5aa4484851561211500b22707e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2fa86b2aceb4bc9ada51cea90f61546d7512cbe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-825R-GH5G-48MG
Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2025-01-14 18:31In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: fix memory double free when handle zero packet
829 if (request->complete) { 830 spin_unlock(&priv_dev->lock); 831 usb_gadget_giveback_request(&priv_ep->endpoint, 832 request); 833 spin_lock(&priv_dev->lock); 834 } 835 836 if (request->buf == priv_dev->zlp_buf) 837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);
Driver append an additional zero packet request when queue a packet, which length mod max packet size is 0. When transfer complete, run to line 831, usb_gadget_giveback_request() will free this requestion. 836 condition is true, so cdns3_gadget_ep_free_request() free this request again.
Log:
[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.140696][ T150] [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36): [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3] [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]
Add check at line 829, skip call usb_gadget_giveback_request() if it is additional zero length packet request. Needn't call usb_gadget_giveback_request() because it is allocated in this driver.
{
"affected": [],
"aliases": [
"CVE-2024-26748"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T17:15:51Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829 if (request-\u003ecomplete) {\n830 spin_unlock(\u0026priv_dev-\u003elock);\n831 usb_gadget_giveback_request(\u0026priv_ep-\u003eendpoint,\n832 request);\n833 spin_lock(\u0026priv_dev-\u003elock);\n834 }\n835\n836 if (request-\u003ebuf == priv_dev-\u003ezlp_buf)\n837 cdns3_gadget_ep_free_request(\u0026priv_ep-\u003eendpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][ T150]\n[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. Needn\u0027t call\nusb_gadget_giveback_request() because it is allocated in this driver.",
"id": "GHSA-825r-gh5g-48mg",
"modified": "2025-01-14T18:31:49Z",
"published": "2024-04-03T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26748"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8295-HCJH-5W9P
Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-04-15 18:31In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential bit_17 double-free
A userspace with multiple threads racing I915_GEM_SET_TILING to set the tiling to I915_TILING_NONE could trigger a double free of the bit_17 bitmask. (Or conversely leak memory on the transition to tiled.) Move allocation/free'ing of the bitmask within the section protected by the obj lock.
[tursulin: Correct fixes tag and added cc stable.] (cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)
{
"affected": [],
"aliases": [
"CVE-2023-52930"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T17:15:42Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential bit_17 double-free\n\nA userspace with multiple threads racing I915_GEM_SET_TILING to set the\ntiling to I915_TILING_NONE could trigger a double free of the bit_17\nbitmask. (Or conversely leak memory on the transition to tiled.) Move\nallocation/free\u0027ing of the bitmask within the section protected by the\nobj lock.\n\n[tursulin: Correct fixes tag and added cc stable.]\n(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)",
"id": "GHSA-8295-hcjh-5w9p",
"modified": "2025-04-15T18:31:41Z",
"published": "2025-03-27T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52930"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0769f997a7b6d5cb8336db0b4ec3d2d311b8097c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7057a8f126f14f14b040faecfa220fd27c6c2f85"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b591abac78e25269b12e3d7170c99463f8c5cb02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3ebc3e23bd9028a8a9a26cbc5985f99be445f65"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-82J6-3C7M-V8GC
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46A double free condition can occur when the device moves to suspend mode during secure playback in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2020-11246"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-07T08:15:00Z",
"severity": "HIGH"
},
"details": "A double free condition can occur when the device moves to suspend mode during secure playback in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-82j6-3c7m-v8gc",
"modified": "2022-05-24T17:46:43Z",
"published": "2022-05-24T17:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11246"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-82V4-79HW-3G4G
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-11 03:30In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (user-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.
{
"affected": [],
"aliases": [
"CVE-2026-46183"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:33Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock\n\ndamon_sysfs_quot_goal-\u003epath can be read and written by users, via DAMON\nsysfs \u0027path\u0027 file. It can also be indirectly read, for the parameters\n{on,off}line committing to DAMON. The reads for parameters committing are\nprotected by damon_sysfs_lock to avoid the sysfs files being destroyed\nwhile any of the parameters are being read. But the user-driven direct\nreads and writes are not protected by any lock, while the write is\ndeallocating the path-pointing buffer. As a result, the readers could\nread the already freed buffer (user-after-free). Note that the user-reads\ndon\u0027t race when the same open file is used by the writer, due to kernfs\u0027s\nopen file locking. Nonetheless, doing the reads and writes with separate\nopen files would be common. Fix it by protecting both the user-direct\nreads and writes with damon_sysfs_lock.",
"id": "GHSA-82v4-79hw-3g4g",
"modified": "2026-06-11T03:30:23Z",
"published": "2026-05-28T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46183"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a34ca3e33da4b924c66bcca3729bf68ec5936910"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf3b71421ca00807328c6d9cd242f9de3b77a4bf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84FX-XJ3C-R25H
Vulnerability from github – Published: 2026-04-13 06:30 – Updated: 2026-04-13 06:30Double free vulnerability in the multi-mode input system. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2026-34867"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T04:16:13Z",
"severity": "MODERATE"
},
"details": "Double free vulnerability in the multi-mode input system.\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-84fx-xj3c-r25h",
"modified": "2026-04-13T06:30:30Z",
"published": "2026-04-13T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34867"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/4"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84X6-2366-7JJM
Vulnerability from github – Published: 2024-06-21 12:31 – Updated: 2024-09-09 15:30In the Linux kernel, the following vulnerability has been resolved:
stm class: Fix a double free in stm_register_device()
The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free.
{
"affected": [],
"aliases": [
"CVE-2024-38627"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T11:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nstm class: Fix a double free in stm_register_device()\n\nThe put_device(\u0026stm-\u003edev) call will trigger stm_device_release() which\nfrees \"stm\" so the vfree(stm) on the next line is a double free.",
"id": "GHSA-84x6-2366-7jjm",
"modified": "2024-09-09T15:30:37Z",
"published": "2024-06-21T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38627"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/370c480410f60b90ba3e96abe73ead21ec827b20"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3df463865ba42b8f88a590326f4c9ea17a1ce459"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bfd48bb6e62512b9c392c5002c11e1e3b18d247"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6cc30ef8eb6d8f8d6df43152264bbf8835d99931"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/713fc00c571dde4af3db2dbd5d1b0eadc327817b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7419df1acffbcc90037f6b5a2823e81389659b36"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0450d3f38e7c6c0a7c0afd4182976ee15573695"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d782a2db8f7ac49c33b9ca3e835500a28667d1be"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-85M9-WGGC-372H
Vulnerability from github – Published: 2022-05-21 00:01 – Updated: 2022-05-27 00:00A vulnerability has been identified in JT2Go (All versions < V13.3.0.3), Teamcenter Visualization V13.3 (All versions < V13.3.0.3), Teamcenter Visualization V14.0 (All versions < V14.0.0.1). The CGM_NIST_Loader.dll library contains a double free vulnerability while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2022-29032"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in JT2Go (All versions \u003c V13.3.0.3), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.3), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.1). The CGM_NIST_Loader.dll library contains a double free vulnerability while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.",
"id": "GHSA-85m9-wggc-372h",
"modified": "2022-05-27T00:00:24Z",
"published": "2022-05-21T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29032"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-553086.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8662-6HF9-CR47
Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2022-08-24 00:00Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.
{
"affected": [],
"aliases": [
"CVE-2022-23459"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-19T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.",
"id": "GHSA-8662-6hf9-cr47",
"modified": "2022-08-24T00:00:31Z",
"published": "2022-08-20T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23459"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2022-048_Jsonxx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86J3-7436-WX4W
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15An issue was discovered in libredwg through v0.10.1.3751. dwg_free_MATERIAL_private() in dwg.spec has a double free.
{
"affected": [],
"aliases": [
"CVE-2021-39528"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-20T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in libredwg through v0.10.1.3751. dwg_free_MATERIAL_private() in dwg.spec has a double free.",
"id": "GHSA-86j3-7436-wx4w",
"modified": "2022-05-24T19:15:10Z",
"published": "2022-05-24T19:15:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39528"
},
{
"type": "WEB",
"url": "https://github.com/LibreDWG/libredwg/issues/256"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.