CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-JW2W-Q42R-444F
Vulnerability from github – Published: 2025-06-04 15:30 – Updated: 2025-06-04 21:31An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-23095"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-04T15:15:23Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.",
"id": "GHSA-jw2w-q42r-444f",
"modified": "2025-06-04T21:31:14Z",
"published": "2025-06-04T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23095"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23095"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JXXW-46W4-3VHV
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2023-03-29 18:30In ParseContentEncodingEntry of mkvparser.cc, there is a possible double free due to a missing reset of a freed pointer. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-127702368.
{
"affected": [],
"aliases": [
"CVE-2019-2126"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T20:15:00Z",
"severity": "HIGH"
},
"details": "In ParseContentEncodingEntry of mkvparser.cc, there is a possible double free due to a missing reset of a freed pointer. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-127702368.",
"id": "GHSA-jxxw-46w4-3vhv",
"modified": "2023-03-29T18:30:29Z",
"published": "2022-05-24T16:54:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2126"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQSTK442ATWJOR4TU3MR6C3N5A6NDFFN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2IIA3RSYABBUCFIHXIRVUT5CTJVWWZ6"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2019-08-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4199-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00049.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2WJ-X8QH-WQCV
Vulnerability from github – Published: 2024-10-29 03:31 – Updated: 2024-10-30 18:30In the Linux kernel, the following vulnerability has been resolved:
pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func()
'new_map' is allocated using devm_* which takes care of freeing the allocated data on device removal, call to
.dt_free_map = pinconf_generic_dt_free_map
double frees the map as pinconf_generic_dt_free_map() calls pinctrl_utils_free_map().
Fix this by using kcalloc() instead of auto-managed devm_kcalloc().
{
"affected": [],
"aliases": [
"CVE-2024-50071"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T01:15:04Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func()\n\n\u0027new_map\u0027 is allocated using devm_* which takes care of freeing the\nallocated data on device removal, call to\n\n\t.dt_free_map = pinconf_generic_dt_free_map\n\ndouble frees the map as pinconf_generic_dt_free_map() calls\npinctrl_utils_free_map().\n\nFix this by using kcalloc() instead of auto-managed devm_kcalloc().",
"id": "GHSA-m2wj-x8qh-wqcv",
"modified": "2024-10-30T18:30:48Z",
"published": "2024-10-29T03:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50071"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3fd976afe9743110f20a23f93b7ff9693f2be4bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6441d9c3d71b59c8fd27d4e381c7471a32ac1a68"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M528-9CVR-FX99
Vulnerability from github – Published: 2022-05-14 01:51 – Updated: 2022-05-14 01:51Double memory free while closing TEE SE API Session management in Snapdragon Mobile in version SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820.
{
"affected": [],
"aliases": [
"CVE-2017-18297"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-23T13:29:00Z",
"severity": "HIGH"
},
"details": "Double memory free while closing TEE SE API Session management in Snapdragon Mobile in version SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820.",
"id": "GHSA-m528-9cvr-fx99",
"modified": "2022-05-14T01:51:55Z",
"published": "2022-05-14T01:51:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18297"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-08-01#qualcomm-closed-source-components"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5RC-6P5X-73GP
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-07 12:31In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix double free in rxe_srq_from_init
In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'.
The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free.
The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core]
Fix this by moving 'srq->rq.queue = q' after copy_to_user.
{
"affected": [],
"aliases": [
"CVE-2026-45852"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:16:57Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix double free in rxe_srq_from_init\n\nIn rxe_srq_from_init(), the queue pointer \u0027q\u0027 is assigned to\n\u0027srq-\u003erq.queue\u0027 before copying the SRQ number to user space.\nIf copy_to_user() fails, the function calls rxe_queue_cleanup()\nto free the queue, but leaves the now-invalid pointer in\n\u0027srq-\u003erq.queue\u0027.\n\nThe caller of rxe_srq_from_init() (rxe_create_srq) eventually\ncalls rxe_srq_cleanup() upon receiving the error, which triggers\na second rxe_queue_cleanup() on the same memory, leading to a\ndouble free.\n\nThe call trace looks like this:\n kmem_cache_free+0x.../0x...\n rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]\n rxe_srq_cleanup+0x42/0x60 [rdma_rxe]\n rxe_elem_release+0x31/0x70 [rdma_rxe]\n rxe_create_srq+0x12b/0x1a0 [rdma_rxe]\n ib_create_srq_user+0x9a/0x150 [ib_core]\n\nFix this by moving \u0027srq-\u003erq.queue = q\u0027 after copy_to_user.",
"id": "GHSA-m5rc-6p5x-73gp",
"modified": "2026-07-07T12:31:30Z",
"published": "2026-05-27T15:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45852"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45852.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d493e0bfc748a520c349d6c8791b262aa5ad2e4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce6f8e007682f378279d4cf83b240f12d52c723b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b98ab5494dbd48652561aa0b9c32f10500220745"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af5956243018918130d52c9f671efdb40bab3366"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9abff51163aa1bc275ec356f74fe976291860a7f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c07aef09a121a4cd622a71eb0753a9e135c84a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26a9cfe12f4ffdeaa136f252478986fa5f397ddc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26793db60925df1e88a29466813d586cbc190b8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22b8c23a3b92d023614bb00896fe364b2c1a31d3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0beefd0e15d962f497aad750b2d5e9c3570b66d1"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482166"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-45852"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35896"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35863"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35844"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33899"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27713"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M69P-8V8R-JHCC
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. These vulnerabilities are due to insufficient validation of CAPWAP packets. An attacker could exploit the vulnerabilities by sending a malformed CAPWAP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2021-1565"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T03:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. These vulnerabilities are due to insufficient validation of CAPWAP packets. An attacker could exploit the vulnerabilities by sending a malformed CAPWAP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition.",
"id": "GHSA-m69p-8v8r-jhcc",
"modified": "2022-05-24T19:15:40Z",
"published": "2022-05-24T19:15:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1565"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-capwap-dos-gmNjdKOY"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M74R-FC5W-H4V6
Vulnerability from github – Published: 2022-11-09 12:00 – Updated: 2022-11-10 19:01In audio, there is a possible memory corruption due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07310571; Issue ID: ALPS07310571.
{
"affected": [],
"aliases": [
"CVE-2022-32614"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-08T21:15:00Z",
"severity": "MODERATE"
},
"details": "In audio, there is a possible memory corruption due to a logic error. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07310571; Issue ID: ALPS07310571.",
"id": "GHSA-m74r-fc5w-h4v6",
"modified": "2022-11-10T19:01:10Z",
"published": "2022-11-09T12:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32614"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/November-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M793-QP5H-R3XW
Vulnerability from github – Published: 2025-08-19 00:30 – Updated: 2025-08-19 00:30The Sante PACS Server allows a remote attacker to crash the main thread by sending a crafted HL7 message, causing a denial-of-service condition. The application would require a manual restart and no authentication is required.
{
"affected": [],
"aliases": [
"CVE-2025-53948"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T22:15:28Z",
"severity": "HIGH"
},
"details": "The Sante PACS Server allows a remote attacker to crash the main thread by sending a crafted HL7 message, causing a denial-of-service condition. The application would require a manual restart and no authentication is required.",
"id": "GHSA-m793-qp5h-r3xw",
"modified": "2025-08-19T00:30:33Z",
"published": "2025-08-19T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53948"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-224-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M7FM-4JFH-JRG6
Vulnerability from github – Published: 2021-08-25 14:43 – Updated: 2024-11-13 17:27Impact
The implementation for tf.raw_ops.BoostedTreesCreateEnsemble can result in a use after free error if an attacker supplies specially crafted arguments:
import tensorflow as tf
v= tf.Variable([0.0])
tf.raw_ops.BoostedTreesCreateEnsemble(
tree_ensemble_handle=v.handle,
stamp_token=[0],
tree_ensemble_serialized=['0'])
The implementation uses a reference counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer but later refactoring has changed it to be a smart pointer. Thus, when the pointer leaves the scope, a subsequent free-ing of the resource occurs, but this fails to take into account that the refcount has already reached 0, thus the resource has been already freed. During this double-free process, members of the resource object are accessed for cleanup but they are invalid as the entire resource has been freed.
Patches
We have patched the issue in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab.
The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.5.0"
]
}
],
"aliases": [
"CVE-2021-37652"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-24T12:39:49Z",
"nvd_published_at": "2021-08-12T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe implementation for `tf.raw_ops.BoostedTreesCreateEnsemble` can result in a use after free error if an attacker supplies specially crafted arguments:\n\n```python\nimport tensorflow as tf\n\nv= tf.Variable([0.0])\ntf.raw_ops.BoostedTreesCreateEnsemble(\n tree_ensemble_handle=v.handle,\n stamp_token=[0],\n tree_ensemble_serialized=[\u00270\u0027]) \n```\n\nThe [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/boosted_trees/resource_ops.cc#L55) uses a reference counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer but later refactoring has changed it to be a smart pointer. Thus, when the pointer leaves the scope, a subsequent `free`-ing of the resource occurs, but this fails to take into account that the refcount has already reached 0, thus the resource has been already freed. During this double-free process, members of the resource object are accessed for cleanup but they are invalid as the entire resource has been freed.\n\n### Patches\nWe have patched the issue in GitHub commit [5ecec9c6fbdbc6be03295685190a45e7eee726ab](https://github.com/tensorflow/tensorflow/commit/5ecec9c6fbdbc6be03295685190a45e7eee726ab).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.",
"id": "GHSA-m7fm-4jfh-jrg6",
"modified": "2024-11-13T17:27:03Z",
"published": "2021-08-25T14:43:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m7fm-4jfh-jrg6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37652"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/5ecec9c6fbdbc6be03295685190a45e7eee726ab"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-565.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-763.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-274.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Use after free in boosted trees creation"
}
GHSA-M84J-W2C4-3379
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 21:30In the Linux kernel, the following vulnerability has been resolved:
reset: gpio: fix double free in reset_add_gpio_aux_device() error path
When __auxiliary_device_add() fails, reset_add_gpio_aux_device() calls auxiliary_device_uninit(adev).
The device release callback reset_gpio_aux_device_release() frees adev, but the current error path then calls kfree(adev) again, causing a double free.
Keep kfree(adev) for the auxiliary_device_init() failure path, but avoid freeing adev after auxiliary_device_uninit().
{
"affected": [],
"aliases": [
"CVE-2026-31745"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:37Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: gpio: fix double free in reset_add_gpio_aux_device() error path\n\nWhen __auxiliary_device_add() fails, reset_add_gpio_aux_device()\ncalls auxiliary_device_uninit(adev).\n\nThe device release callback reset_gpio_aux_device_release() frees\nadev, but the current error path then calls kfree(adev) again,\ncausing a double free.\n\nKeep kfree(adev) for the auxiliary_device_init() failure path, but\navoid freeing adev after auxiliary_device_uninit().",
"id": "GHSA-m84j-w2c4-3379",
"modified": "2026-05-07T21:30:24Z",
"published": "2026-05-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31745"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1de465753220deb41569cf2add87bbb0673731db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbffb8c7c7bb4d38e9f65e0bee446685011de5d8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.