Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-RQCM-FF8H-8MFX

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2023-02-24 00:30
VLAI
Details

An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-04T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.",
  "id": "GHSA-rqcm-ff8h-8mfx",
  "modified": "2023-02-24T00:30:17Z",
  "published": "2022-05-24T16:55:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18595"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4397f04575c44e1440ec2e49b6302785c95fd2f8"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQVP-J9P2-FCWX

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2024-07-03 18:42
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: Fix double-allocation of slots due to broken alignment handling

Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool.

When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer:

# Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page.

Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page.

This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1055",
      "CWE-119",
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T14:15:15Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: Fix double-allocation of slots due to broken alignment handling\n\nCommit bbb73a103fbb (\"swiotlb: fix a braino in the alignment check fix\"),\nwhich was a fix for commit 0eee5ae10256 (\"swiotlb: fix slot alignment\nchecks\"), causes a functional regression with vsock in a virtual machine\nusing bouncing via a restricted DMA SWIOTLB pool.\n\nWhen virtio allocates the virtqueues for the vsock device using\ndma_alloc_coherent(), the SWIOTLB search can return page-unaligned\nallocations if \u0027area-\u003eindex\u0027 was left unaligned by a previous allocation\nfrom the buffer:\n\n # Final address in brackets is the SWIOTLB address returned to the caller\n | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)\n | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)\n | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)\n\nThis ends badly (typically buffer corruption and/or a hang) because\nswiotlb_alloc() is expecting a page-aligned allocation and so blindly\nreturns a pointer to the \u0027struct page\u0027 corresponding to the allocation,\ntherefore double-allocating the first half (2KiB slot) of the 4KiB page.\n\nFix the problem by treating the allocation alignment separately to any\nadditional alignment requirements from the device, using the maximum\nof the two as the stride to search the buffer slots and taking care\nto ensure a minimum of page-alignment for buffers larger than a page.\n\nThis also resolves swiotlb allocation failures occuring due to the\ninclusion of ~PAGE_MASK in \u0027iotlb_align_mask\u0027 for large allocations and\nresulting in alignment requirements exceeding swiotlb_max_mapping_size().",
  "id": "GHSA-rqvp-j9p2-fcwx",
  "modified": "2024-07-03T18:42:25Z",
  "published": "2024-05-17T15:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35814"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04867a7a33324c9c562ee7949dbcaab7aaad1fb4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e7acd6e25ba77dde48c3b721c54c89cd6a10534"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/777391743771040e12cc40d3d0d178f70c616491"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c88668aa6c1da240ea3eb4d128b7906e740d3cb8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RR2F-JHMQ-594W

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2025-04-20 03:44
VLAI
Details

Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-13T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.",
  "id": "GHSA-rr2f-jhmq-594w",
  "modified": "2025-04-20T03:44:56Z",
  "published": "2022-05-13T01:28:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11462"
    },
    {
      "type": "WEB",
      "url": "https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1488873"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED"
    },
    {
      "type": "WEB",
      "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RR89-XJWM-MP65

Vulnerability from github – Published: 2022-05-14 01:51 – Updated: 2022-05-14 01:51
VLAI
Details

An issue was discovered in gThumb through 3.6.2. There is a double-free vulnerability in the add_themes_from_dir method in dlg-contact-sheet.c because of two successive calls of g_free, each of which frees the same buffer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-29T12:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in gThumb through 3.6.2. There is a double-free vulnerability in the add_themes_from_dir method in dlg-contact-sheet.c because of two successive calls of g_free, each of which frees the same buffer.",
  "id": "GHSA-rr89-xjwm-mp65",
  "modified": "2022-05-14T01:51:58Z",
  "published": "2022-05-14T01:51:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18718"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/gthumb/issues/18"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRF3-XMPM-R2CG

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-12-31 21:30
VLAI
Details

Azure Sphere Unsigned Code Execution Vulnerability This CVE ID is unique from CVE-2020-16982, CVE-2020-16984, CVE-2020-16987, CVE-2020-16991, CVE-2020-16994.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16970"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-11T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Azure Sphere Unsigned Code Execution Vulnerability This CVE ID is unique from CVE-2020-16982, CVE-2020-16984, CVE-2020-16987, CVE-2020-16991, CVE-2020-16994.",
  "id": "GHSA-rrf3-xmpm-r2cg",
  "modified": "2023-12-31T21:30:24Z",
  "published": "2022-05-24T17:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16970"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16970"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1118"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRWX-6MF8-VC3J

Vulnerability from github – Published: 2023-02-16 00:30 – Updated: 2023-02-23 06:30
VLAI
Details

Double Free vulnerability in virtualsquare picoTCP v1.7.0 and picoTCP-NG v2.1 in modules/pico_fragments.c in function pico_fragments_reassemble, allows attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-15T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double Free vulnerability in virtualsquare picoTCP v1.7.0 and picoTCP-NG v2.1 in modules/pico_fragments.c in function pico_fragments_reassemble, allows attackers to execute arbitrary code.",
  "id": "GHSA-rrwx-6mf8-vc3j",
  "modified": "2023-02-23T06:30:18Z",
  "published": "2023-02-16T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33304"
    },
    {
      "type": "WEB",
      "url": "https://github.com/virtualsquare/picotcp/issues/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV4R-HQPH-P3CP

Vulnerability from github – Published: 2023-02-17 18:30 – Updated: 2023-02-28 18:30
VLAI
Details

A vulnerability in the OLE2 file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device.The vulnerability is due to incorrect use of the realloc function that may result in a double-free. An attacker could exploit this vulnerability by submitting a crafted OLE2 file to be scanned by ClamAV on the affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-17T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the OLE2 file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device.The vulnerability is due to incorrect use of the realloc function that may result in a double-free. An attacker could exploit this vulnerability by submitting a crafted OLE2 file to be scanned by ClamAV on the affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.",
  "id": "GHSA-rv4r-hqph-p3cp",
  "modified": "2023-02-28T18:30:19Z",
  "published": "2023-02-17T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20803"
    },
    {
      "type": "WEB",
      "url": "https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV4V-XV8G-P87C

Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:34
VLAI
Details

Memory corruption in Linux Networking due to double free while handling a hyp-assign.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T08:15:11Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption in Linux Networking due to double free while handling a hyp-assign.",
  "id": "GHSA-rv4v-xv8g-p87c",
  "modified": "2024-04-04T04:34:14Z",
  "published": "2023-06-06T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40522"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV72-F625-5H95

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-19 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info_sub_group() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:32Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info_sub_group() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info_sub_group()\n-\u003e btrfs_sysfs_add_space_info_type()\n-\u003e kobject_init_and_add()\n-\u003e failure\n-\u003e kobject_put(\u0026sub_group-\u003ekobj)\n-\u003e space_info_release()\n-\u003e kfree(sub_group)\n\nThen control returns to create_space_info_sub_group(), where:\n\nbtrfs_sysfs_add_space_info_type() returns error\n-\u003e kfree(sub_group)\n\nThus, sub_group is freed twice.\n\nKeep parent-\u003esub_group[index] = NULL for the failure path, but after\nbtrfs_sysfs_add_space_info_type() has called kobject_put(), let the\nkobject release callback handle the cleanup.",
  "id": "GHSA-rv72-f625-5h95",
  "modified": "2026-06-19T15:33:13Z",
  "published": "2026-05-28T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46164"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a7449edf96143f192606ec8647e3167e1ecbd728"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2d59527cba6d59f0d77a75c1101ab4e69758bea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV86-79H6-XJWM

Vulnerability from github – Published: 2026-01-06 03:31 – Updated: 2026-01-06 21:30
VLAI
Details

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-06T02:15:42Z",
    "severity": "HIGH"
  },
  "details": "In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699.",
  "id": "GHSA-rv86-79h6-xjwm",
  "modified": "2026-01-06T21:30:32Z",
  "published": "2026-01-06T03:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20781"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/January-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.