CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
967 vulnerabilities reference this CWE, most recent first.
GHSA-8HGJ-6PGQ-37Q3
Vulnerability from github – Published: 2022-05-17 02:54 – Updated: 2022-05-17 02:54Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and later allows remote attackers to cause a denial of service (application crash) via a crafted tga file.
{
"affected": [],
"aliases": [
"CVE-2015-8894"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-15T19:59:00Z",
"severity": "MODERATE"
},
"details": "Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and later allows remote attackers to cause a denial of service (application crash) via a crafted tga file.",
"id": "GHSA-8hgj-6pgq-37q3",
"modified": "2022-05-17T02:54:59Z",
"published": "2022-05-17T02:54:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8894"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/02/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8HW4-63FM-6Q6X
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: fix double free in si_parse_power_table()
In function si_parse_power_table(), array adev->pm.dpm.ps and its member is allocated. If the allocation of each member fails, the array itself is freed and returned with an error code. However, the array is later freed again in si_dpm_fini() function which is called when the function returns an error.
This leads to potential double free of the array adev->pm.dpm.ps, as well as leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed. In addition adev->pm.dpm.num_ps, which keeps track of the allocated array member, is not updated until the member allocation is successfully finished, this could also lead to either use after free, or uninitialized variable access in si_dpm_fini().
Fix this by postponing the free of the array until si_dpm_fini() and increment adev->pm.dpm.num_ps everytime the array member is allocated.
{
"affected": [],
"aliases": [
"CVE-2022-49530"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix double free in si_parse_power_table()\n\nIn function si_parse_power_table(), array adev-\u003epm.dpm.ps and its member\nis allocated. If the allocation of each member fails, the array itself\nis freed and returned with an error code. However, the array is later\nfreed again in si_dpm_fini() function which is called when the function\nreturns an error.\n\nThis leads to potential double free of the array adev-\u003epm.dpm.ps, as\nwell as leak of its array members, since the members are not freed in\nthe allocation function and the array is not nulled when freed.\nIn addition adev-\u003epm.dpm.num_ps, which keeps track of the allocated\narray member, is not updated until the member allocation is\nsuccessfully finished, this could also lead to either use after free,\nor uninitialized variable access in si_dpm_fini().\n\nFix this by postponing the free of the array until si_dpm_fini() and\nincrement adev-\u003epm.dpm.num_ps everytime the array member is allocated.",
"id": "GHSA-8hw4-63fm-6q6x",
"modified": "2025-03-10T21:31:09Z",
"published": "2025-03-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49530"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2615464854505188f909d0c07c37a6623693b5c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/43eb9b667b95f2a31c63e8949b0d2161b9be59c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c5bdaa1325be7f04b79ea992ab216739192d342"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a5ce7051db044290b1a95045ff03c249005a3aa4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af832028af6f44c6c45645757079c4ed6884ade5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c0e811c4ccf3b42705976285e3a94cc82dea7300"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca1ce206894dd976275c78ee38dbc19873f22de9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd2eff8b9dcbe469c3b7bbbc7083ab5ed94de07b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8J29-HRG8-7MVC
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
Fix page corruption caused by racy check in __free_pages
When we upgraded our kernel, we started seeing some page corruption like the following consistently:
BUG: Bad page state in process ganesha.nfsd pfn:1304ca page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca flags: 0x17ffffc0000000() raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000 raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000 page dumped because: nonzero mapcount CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 Call Trace: dump_stack+0x74/0x96 bad_page.cold+0x63/0x94 check_new_page_bad+0x6d/0x80 rmqueue+0x46e/0x970 get_page_from_freelist+0xcb/0x3f0 ? _cond_resched+0x19/0x40 __alloc_pages_nodemask+0x164/0x300 alloc_pages_current+0x87/0xf0 skb_page_frag_refill+0x84/0x110 ...
Sometimes, it would also show up as corruption in the free list pointer and cause crashes.
After bisecting the issue, we found the issue started from commit e320d3012d25 ("mm/page_alloc.c: fix freeing non-compound pages"):
if (put_page_testzero(page))
free_the_page(page, order);
else if (!PageHead(page))
while (order-- > 0)
free_the_page(page + (1 << order), order);
So the problem is the check PageHead is racy because at this point we already dropped our reference to the page. So even if we came in with compound page, the page can already be freed and PageHead can return false and we will end up freeing all the tail pages causing double free.
{
"affected": [],
"aliases": [
"CVE-2023-52739"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix page corruption caused by racy check in __free_pages\n\nWhen we upgraded our kernel, we started seeing some page corruption like\nthe following consistently:\n\n BUG: Bad page state in process ganesha.nfsd pfn:1304ca\n page:0000000022261c55 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1304ca\n flags: 0x17ffffc0000000()\n raw: 0017ffffc0000000 ffff8a513ffd4c98 ffffeee24b35ec08 0000000000000000\n raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000\n page dumped because: nonzero mapcount\n CPU: 0 PID: 15567 Comm: ganesha.nfsd Kdump: loaded Tainted: P B O 5.10.158-1.nutanix.20221209.el7.x86_64 #1\n Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016\n Call Trace:\n dump_stack+0x74/0x96\n bad_page.cold+0x63/0x94\n check_new_page_bad+0x6d/0x80\n rmqueue+0x46e/0x970\n get_page_from_freelist+0xcb/0x3f0\n ? _cond_resched+0x19/0x40\n __alloc_pages_nodemask+0x164/0x300\n alloc_pages_current+0x87/0xf0\n skb_page_frag_refill+0x84/0x110\n ...\n\nSometimes, it would also show up as corruption in the free list pointer\nand cause crashes.\n\nAfter bisecting the issue, we found the issue started from commit\ne320d3012d25 (\"mm/page_alloc.c: fix freeing non-compound pages\"):\n\n\tif (put_page_testzero(page))\n\t\tfree_the_page(page, order);\n\telse if (!PageHead(page))\n\t\twhile (order-- \u003e 0)\n\t\t\tfree_the_page(page + (1 \u003c\u003c order), order);\n\nSo the problem is the check PageHead is racy because at this point we\nalready dropped our reference to the page. So even if we came in with\ncompound page, the page can already be freed and PageHead can return\nfalse and we will end up freeing all the tail pages causing double free.",
"id": "GHSA-8j29-hrg8-7mvc",
"modified": "2025-09-23T21:30:53Z",
"published": "2024-05-21T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52739"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a626e27f984dfbe96bd8e4fd08f20a2ede3ea23"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3af734f3eac6f70ef8e272a80da40544b9d0f2b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b4c045a98f53a8890a94bb5846a390c8e39e673"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/462a8e08e0e6287e5ce13187257edbf24213ed03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8J53-82PV-32WQ
Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-03-28 21:30A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-2925"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T20:15:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-8j53-82pv-32wq",
"modified": "2025-03-28T21:30:46Z",
"published": "2025-03-28T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2925"
},
{
"type": "WEB",
"url": "https://github.com/HDFGroup/hdf5/issues/5383"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.301900"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.301900"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.521193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8MJX-H23H-W2PG
Vulnerability from github – Published: 2021-09-01 18:30 – Updated: 2023-06-13 20:52Affected versions of stack_dst used a push_inner function that increased the internal length of the array and then called val.clone(). If the val.clone() call panics, the stack could drop an already dropped element or drop uninitialized memory. This issue was fixed in 2a4d538 by increasing the length of the array after elements are cloned.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "stack_dst"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28034"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-30T21:56:32Z",
"nvd_published_at": "2021-03-05T09:15:00Z",
"severity": "CRITICAL"
},
"details": "Affected versions of stack_dst used a push_inner function that increased the internal length of the array and then called val.clone(). If the val.clone() call panics, the stack could drop an already dropped element or drop uninitialized memory. This issue was fixed in `2a4d538` by increasing the length of the array after elements are cloned.",
"id": "GHSA-8mjx-h23h-w2pg",
"modified": "2023-06-13T20:52:43Z",
"published": "2021-09-01T18:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28034"
},
{
"type": "WEB",
"url": "https://github.com/thepowersgang/stack_dst-rs/issues/5"
},
{
"type": "WEB",
"url": "https://github.com/thepowersgang/stack_dst-rs/commit/2a4d538"
},
{
"type": "WEB",
"url": "https://github.com/thepowersgang/stack_dst-rs/commit/2a4d53809e3000f40085f2b229b6b1a33759881d"
},
{
"type": "PACKAGE",
"url": "https://github.com/thepowersgang/stack_dst-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0033.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in stack_dst"
}
GHSA-8MQG-3FC7-QR47
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-10 15:30In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Fix multiple LUN_RESET handling
This fixes a bug where an initiator thinks a LUN_RESET has cleaned up running commands when it hasn't. The bug was added in commit 51ec502a3266 ("target: Delete tmr from list before processing").
The problem occurs when:
-
We have N I/O cmds running in the target layer spread over 2 sessions.
-
The initiator sends a LUN_RESET for each session.
-
session1's LUN_RESET loops over all the running commands from both sessions and moves them to its local drain_task_list.
-
session2's LUN_RESET does not see the LUN_RESET from session1 because the commit above has it remove itself. session2 also does not see any commands since the other reset moved them off the state lists.
-
sessions2's LUN_RESET will then complete with a successful response.
-
sessions2's inititor believes the running commands on its session are now cleaned up due to the successful response and cleans up the running commands from its side. It then restarts them.
-
The commands do eventually complete on the backend and the target starts to return aborted task statuses for them. The initiator will either throw a invalid ITT error or might accidentally lookup a new task if the ITT has been reallocated already.
Fix the bug by reverting the patch, and serialize the execution of LUN_RESETs and Preempt and Aborts.
Also prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list, because it turns out the original patch fixed a bug that was not mentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second LUN_RESET and wait on it. Then the second reset will run core_tmr_drain_tmr_list and see the first reset and wait on it resulting in a deadlock.
{
"affected": [],
"aliases": [
"CVE-2023-53586"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:54Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix multiple LUN_RESET handling\n\nThis fixes a bug where an initiator thinks a LUN_RESET has cleaned up\nrunning commands when it hasn\u0027t. The bug was added in commit 51ec502a3266\n(\"target: Delete tmr from list before processing\").\n\nThe problem occurs when:\n\n 1. We have N I/O cmds running in the target layer spread over 2 sessions.\n\n 2. The initiator sends a LUN_RESET for each session.\n\n 3. session1\u0027s LUN_RESET loops over all the running commands from both\n sessions and moves them to its local drain_task_list.\n\n 4. session2\u0027s LUN_RESET does not see the LUN_RESET from session1 because\n the commit above has it remove itself. session2 also does not see any\n commands since the other reset moved them off the state lists.\n\n 5. sessions2\u0027s LUN_RESET will then complete with a successful response.\n\n 6. sessions2\u0027s inititor believes the running commands on its session are\n now cleaned up due to the successful response and cleans up the running\n commands from its side. It then restarts them.\n\n 7. The commands do eventually complete on the backend and the target\n starts to return aborted task statuses for them. The initiator will\n either throw a invalid ITT error or might accidentally lookup a new\n task if the ITT has been reallocated already.\n\nFix the bug by reverting the patch, and serialize the execution of\nLUN_RESETs and Preempt and Aborts.\n\nAlso prevent us from waiting on LUN_RESETs in core_tmr_drain_tmr_list,\nbecause it turns out the original patch fixed a bug that was not\nmentioned. For LUN_RESET1 core_tmr_drain_tmr_list can see a second\nLUN_RESET and wait on it. Then the second reset will run\ncore_tmr_drain_tmr_list and see the first reset and wait on it resulting in\na deadlock.",
"id": "GHSA-8mqg-3fc7-qr47",
"modified": "2026-02-10T15:30:21Z",
"published": "2025-10-04T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53586"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2c43de56f9220dca3e28c774d1c5e2cab574223a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/673db054d7a2b5a470d7a25baf65956d005ad729"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9158c86fd3237acaea8f0181c7836d90fd6eea10"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1f59cd18a10969d08a082264b557876ca38766e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eacfe32c3650bfd0e54224d160c431013d7f6998"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed18526289b5603bf2253dee50f1d7ec245cf397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8P3P-RP99-MRHW
Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2025-04-20 03:41Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.
{
"affected": [],
"aliases": [
"CVE-2015-5203"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-02T19:29:00Z",
"severity": "MODERATE"
},
"details": "Double free vulnerability in the jasper_image_stop_load function in JasPer 1.900.17 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.",
"id": "GHSA-8p3p-rp99-mrhw",
"modified": "2025-04-20T03:41:59Z",
"published": "2022-05-14T01:57:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5203"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1208"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1254242"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QIZNTZDXOJR5BTRZKCS3GVHVZV2PWHH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AXWV22WGSQFDRPE7G6ECGP3QXS2V2A2M"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3QIZNTZDXOJR5BTRZKCS3GVHVZV2PWHH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AXWV22WGSQFDRPE7G6ECGP3QXS2V2A2M"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UNLVBZWDEXZCFWOBZ3YVEQINMRBRX5QV"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201707-07"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3693-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00018.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-11/msg00064.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/08/16/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8P82-M269-WG8G
Vulnerability from github – Published: 2022-05-14 03:06 – Updated: 2022-05-14 03:06dwg_decode_eed in decode.c in GNU LibreDWG before 0.6 leads to a double free (in dwg_free_eed in free.c) because it does not properly manage the obj->eed value after a free occurs.
{
"affected": [],
"aliases": [
"CVE-2018-14524"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-23T08:29:00Z",
"severity": "MODERATE"
},
"details": "dwg_decode_eed in decode.c in GNU LibreDWG before 0.6 leads to a double free (in dwg_free_eed in free.c) because it does not properly manage the obj-\u003eeed value after a free occurs.",
"id": "GHSA-8p82-m269-wg8g",
"modified": "2022-05-14T03:06:12Z",
"published": "2022-05-14T03:06:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14524"
},
{
"type": "WEB",
"url": "https://github.com/LibreDWG/libredwg/issues/33"
},
{
"type": "WEB",
"url": "https://savannah.gnu.org/forum/forum.php?forum_id=9211"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PQG-8P79-J5J8
Vulnerability from github – Published: 2022-05-10 00:00 – Updated: 2022-05-21 00:00A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
{
"affected": [],
"aliases": [
"CVE-2022-28738"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-09T18:15:00Z",
"severity": "CRITICAL"
},
"details": "A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.",
"id": "GHSA-8pqg-8p79-j5j8",
"modified": "2022-05-21T00:00:45Z",
"published": "2022-05-10T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28738"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1220911"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2022-28738"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-27"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220624-0002"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PX8-FJV5-9VGX
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31In the Linux kernel, the following vulnerability has been resolved:
s390: fix double free of GS and RI CBs on fork() failure
The pointers for guarded storage and runtime instrumentation control blocks are stored in the thread_struct of the associated task. These pointers are initially copied on fork() via arch_dup_task_struct() and then cleared via copy_thread() before fork() returns. If fork() happens to fail after the initial task dup and before copy_thread(), the newly allocated task and associated thread_struct memory are freed via free_task() -> arch_release_task_struct(). This results in a double free of the guarded storage and runtime info structs because the fields in the failed task still refer to memory associated with the source task.
This problem can manifest as a BUG_ON() in set_freepointer() (with CONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled) when running trinity syscall fuzz tests on s390x. To avoid this problem, clear the associated pointer fields in arch_dup_task_struct() immediately after the new task is copied. Note that the RI flag is still cleared in copy_thread() because it resides in thread stack memory and that is where stack info is copied.
{
"affected": [],
"aliases": [
"CVE-2022-49990"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:26Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: fix double free of GS and RI CBs on fork() failure\n\nThe pointers for guarded storage and runtime instrumentation control\nblocks are stored in the thread_struct of the associated task. These\npointers are initially copied on fork() via arch_dup_task_struct()\nand then cleared via copy_thread() before fork() returns. If fork()\nhappens to fail after the initial task dup and before copy_thread(),\nthe newly allocated task and associated thread_struct memory are\nfreed via free_task() -\u003e arch_release_task_struct(). This results in\na double free of the guarded storage and runtime info structs\nbecause the fields in the failed task still refer to memory\nassociated with the source task.\n\nThis problem can manifest as a BUG_ON() in set_freepointer() (with\nCONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled)\nwhen running trinity syscall fuzz tests on s390x. To avoid this\nproblem, clear the associated pointer fields in\narch_dup_task_struct() immediately after the new task is copied.\nNote that the RI flag is still cleared in copy_thread() because it\nresides in thread stack memory and that is where stack info is\ncopied.",
"id": "GHSA-8px8-fjv5-9vgx",
"modified": "2025-11-14T18:31:23Z",
"published": "2025-06-18T12:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49990"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/13cccafe0edcd03bf1c841de8ab8a1c8e34f77d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25a95303b9e513cd2978aacc385d06e6fec23d07"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/297ae7e87a87a001dd3dfeac1cb26a42fd929708"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8195e065abf3df84eb0ad2987e76a40f21d1791c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cacd522e6652fbc2dc0cc6ae11c4e30782fef14b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbdc482d43eda40a70de4b0155843d5472f6de62"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.