Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

967 vulnerabilities reference this CWE, most recent first.

GHSA-H22P-7CF7-3RGH

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-26T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.",
  "id": "GHSA-h22p-7cf7-3rgh",
  "modified": "2022-05-13T01:02:05Z",
  "published": "2022-05-13T01:02:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3855"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0538"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H25V-W22W-W3PJ

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

A bitmap double free in main.c in autotrace 0.31.1 allows attackers to cause an unspecified impact via a malformed bitmap image. This may occur after the use-after-free in CVE-2017-9182.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A bitmap double free in main.c in autotrace 0.31.1 allows attackers to cause an unspecified impact via a malformed bitmap image. This may occur after the use-after-free in CVE-2017-9182.",
  "id": "GHSA-h25v-w22w-w3pj",
  "modified": "2022-05-24T17:41:52Z",
  "published": "2022-05-24T17:41:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/autotrace/autotrace/pull/40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/autotrace/autotrace/commits/master"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC6MUH2RLVEA634LHBNZ2KO7MQKI2RDZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H3CV-2X4G-6WXR

Vulnerability from github – Published: 2025-12-11 21:31 – Updated: 2025-12-11 21:31
VLAI
Details

In aocc_read of aoc_channel_dev.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T20:15:56Z",
    "severity": "HIGH"
  },
  "details": "In aocc_read of aoc_channel_dev.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-h3cv-2x4g-6wxr",
  "modified": "2025-12-11T21:31:33Z",
  "published": "2025-12-11T21:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36919"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2025-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3FW-W5GR-3MXR

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: bcmasp: fix double free of WoL irq

We do not need to free wol_irq since it was instantiated with devm_request_irq(). So devres will free for us.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:16:49Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix double free of WoL irq\n\nWe do not need to free wol_irq since it was instantiated with\ndevm_request_irq(). So devres will free for us.",
  "id": "GHSA-h3fw-w5gr-3mxr",
  "modified": "2026-04-28T15:30:47Z",
  "published": "2026-04-22T15:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31506"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/121a6ad9cd42ba3bfc57deae93e3326515c2afe1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a30509ce6a29bdf18e0802383c524a7b2357ec0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e5f5c07cc7d66522f8c9676c28605eba5d4a20e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbfa5be2bf64511d49b854a0f9fd6d0b5118621f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3JJ-5GHG-R32J

Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2022-12-21 00:30
VLAI
Details

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-23T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.",
  "id": "GHSA-h3jj-5ghg-r32j",
  "modified": "2022-12-21T00:30:29Z",
  "published": "2022-05-24T17:04:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11049"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=78943"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2020/Feb/27"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200103-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4626"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2021-14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3MH-RQ8W-J65M

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-10 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: piix4: Fix adapter not be removed in piix4_remove()

In piix4_probe(), the piix4 adapter will be registered in:

piix4_probe() piix4_add_adapters_sb800() / piix4_add_adapter() i2c_add_adapter()

Based on the probed device type, piix4_add_adapters_sb800() or single piix4_add_adapter() will be called. For the former case, piix4_adapter_count is set as the number of adapters, while for antoher case it is not set and kept default zero.

When piix4 is removed, piix4_remove() removes the adapters added in piix4_probe(), basing on the piix4_adapter_count value. Because the count is zero for the single adapter case, the adapter won't be removed and makes the sources allocated for adapter leaked, such as the i2c client and device.

These sources can still be accessed by i2c or bus and cause problems. An easily reproduced case is that if a new adapter is registered, i2c will get the leaked adapter and try to call smbus_algorithm, which was already freed:

Triggered by: rmmod i2c_piix4 && modprobe max31730

BUG: unable to handle page fault for address: ffffffffc053d860 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3752 Comm: modprobe Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core RSP: 0018:ffff888107477710 EFLAGS: 00000246 ... i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core bus_for_each_dev (drivers/base/bus.c:301) i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... ---[ end trace 0000000000000000 ]---

Fix this problem by correctly set piix4_adapter_count as 1 for the single adapter so it can be normally removed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:15Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix adapter not be removed in piix4_remove()\n\nIn piix4_probe(), the piix4 adapter will be registered in:\n\n   piix4_probe()\n     piix4_add_adapters_sb800() / piix4_add_adapter()\n       i2c_add_adapter()\n\nBased on the probed device type, piix4_add_adapters_sb800() or single\npiix4_add_adapter() will be called.\nFor the former case, piix4_adapter_count is set as the number of adapters,\nwhile for antoher case it is not set and kept default *zero*.\n\nWhen piix4 is removed, piix4_remove() removes the adapters added in\npiix4_probe(), basing on the piix4_adapter_count value.\nBecause the count is zero for the single adapter case, the adapter won\u0027t\nbe removed and makes the sources allocated for adapter leaked, such as\nthe i2c client and device.\n\nThese sources can still be accessed by i2c or bus and cause problems.\nAn easily reproduced case is that if a new adapter is registered, i2c\nwill get the leaked adapter and try to call smbus_algorithm, which was\nalready freed:\n\nTriggered by: rmmod i2c_piix4 \u0026\u0026 modprobe max31730\n\n BUG: unable to handle page fault for address: ffffffffc053d860\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3752 Comm: modprobe Tainted: G\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core\n RSP: 0018:ffff888107477710 EFLAGS: 00000246\n ...\n \u003cTASK\u003e\n  i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core\n  __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core\n  bus_for_each_dev (drivers/base/bus.c:301)\n  i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core\n  i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core\n  do_one_initcall (init/main.c:1296)\n  do_init_module (kernel/module/main.c:2455)\n  ...\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nFix this problem by correctly set piix4_adapter_count as 1 for the\nsingle adapter so it can be normally removed.",
  "id": "GHSA-h3mh-rq8w-j65m",
  "modified": "2025-11-10T21:30:29Z",
  "published": "2025-05-01T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49900"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3P8-64Q3-F26C

Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19
VLAI
Details

In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a double free can occur when kmalloc fails to allocate memory for pointers resp/req in the service-locator driver function service_locator_send_msg().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-16T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a double free can occur when kmalloc fails to allocate memory for pointers resp/req in the service-locator driver function service_locator_send_msg().",
  "id": "GHSA-h3p8-64q3-f26c",
  "modified": "2022-05-17T00:19:35Z",
  "published": "2022-05-17T00:19:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11032"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H593-GFRX-WWGQ

Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-05-24 17:15
VLAI
Details

In finalize of AssetManager.java, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144028297

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In finalize of AssetManager.java, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144028297",
  "id": "GHSA-h593-gfrx-wwgq",
  "modified": "2022-05-24T17:15:42Z",
  "published": "2022-05-24T17:15:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0081"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2020-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H5QP-3724-266F

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 00:00
VLAI
Details

Memory corruption in multimedia driver due to double free while processing data from user in Snapdragon Auto

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption in multimedia driver due to double free while processing data from user in Snapdragon Auto",
  "id": "GHSA-h5qp-3724-266f",
  "modified": "2022-06-23T00:00:34Z",
  "published": "2022-06-15T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22103"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/june-2022-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H5VP-HHV6-88VM

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00
VLAI
Details

Double free in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Double free in some Intel(R) Server Board BMC firmware before version 2.90 may allow a privileged user to enable information disclosure via local access.",
  "id": "GHSA-h5vp-hhv6-88vm",
  "modified": "2024-04-04T04:00:52Z",
  "published": "2023-05-10T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28411"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00839.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.