CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-222X-4QHM-7H5F
Vulnerability from github – Published: 2023-02-28 15:30 – Updated: 2023-03-10 06:30There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c
{
"affected": [],
"aliases": [
"CVE-2023-0461"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-28T15:15:00Z",
"severity": "HIGH"
},
"details": "There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c",
"id": "GHSA-222x-4qhm-7h5f",
"modified": "2023-03-10T06:30:21Z",
"published": "2023-02-28T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0461"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2c02d41d71f90a5168391b6a5f2954112ba2307c"
},
{
"type": "WEB",
"url": "https://kernel.dance/#2c02d41d71f90a5168391b6a5f2954112ba2307c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2237-W692-94PV
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:53libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
{
"affected": [],
"aliases": [
"CVE-2019-15890"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-06T17:15:00Z",
"severity": "HIGH"
},
"details": "libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.",
"id": "GHSA-2237-w692-94pv",
"modified": "2024-04-04T01:53:28Z",
"published": "2022-05-24T16:55:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15890"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0775"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2020/Feb/0"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4191-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4191-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4616"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/09/06/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2252-87PV-34G4
Vulnerability from github – Published: 2024-04-04 09:30 – Updated: 2024-12-20 18:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Avoid potential use-after-free in hci_error_reset
While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset.
Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth ] hci_error_reset+0x4f/0xa4 [bluetooth ] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30
This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash.
{
"affected": [],
"aliases": [
"CVE-2024-26801"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T09:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere\u0027s the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth \u003cHASH:3b4a6\u003e]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth \u003cHASH:3b4a 6\u003e]\n hci_error_reset+0x4f/0xa4 [bluetooth \u003cHASH:3b4a 6\u003e]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.",
"id": "GHSA-2252-87pv-34g4",
"modified": "2024-12-20T18:31:29Z",
"published": "2024-04-04T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26801"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-225G-RRJ9-X694
Vulnerability from github – Published: 2022-05-14 01:06 – Updated: 2022-05-14 01:06The decompileIF function (util/decompile.c) in libming through 0.4.8 is vulnerable to a use-after-free, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.
{
"affected": [],
"aliases": [
"CVE-2018-6359"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-27T21:29:00Z",
"severity": "HIGH"
},
"details": "The decompileIF function (util/decompile.c) in libming through 0.4.8 is vulnerable to a use-after-free, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file.",
"id": "GHSA-225g-rrj9-x694",
"modified": "2022-05-14T01:06:48Z",
"published": "2022-05-14T01:06:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6359"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming/issues/105"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201904-24"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102856"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-225P-3JP7-Q6P8
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:35A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.
{
"affected": [],
"aliases": [
"CVE-2023-1252"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-23T21:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free flaw was found in the Linux kernel\u2019s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\") not applied yet, the kernel could be affected.",
"id": "GHSA-225p-3jp7-q6p8",
"modified": "2024-04-04T05:35:08Z",
"published": "2023-07-06T19:24:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1252"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20211115165433.449951285%40linuxfoundation.org"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20211115165433.449951285@linuxfoundation.org"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230505-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-225V-3R3M-379W
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the attachIcon property of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6499.
{
"affected": [],
"aliases": [
"CVE-2018-17634"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-24T04:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the attachIcon property of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6499.",
"id": "GHSA-225v-3r3m-379w",
"modified": "2022-05-13T01:33:59Z",
"published": "2022-05-13T01:33:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17634"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1200"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2275-6765-H9PG
Vulnerability from github – Published: 2026-01-24 03:30 – Updated: 2026-01-26 18:31A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device.
The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object.
{
"affected": [],
"aliases": [
"CVE-2025-13952"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-24T03:16:00Z",
"severity": "CRITICAL"
},
"details": "A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device.\n\nThe shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object.",
"id": "GHSA-2275-6765-h9pg",
"modified": "2026-01-26T18:31:29Z",
"published": "2026-01-24T03:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13952"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2289-HHFC-P684
Vulnerability from github – Published: 2026-03-11 12:31 – Updated: 2026-03-11 18:30When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
{
"affected": [],
"aliases": [
"CVE-2026-3805"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T11:16:00Z",
"severity": "HIGH"
},
"details": "When doing a second SMB request to the same host again, curl would wrongly use\na data pointer pointing into already freed memory.",
"id": "GHSA-2289-hhfc-p684",
"modified": "2026-03-11T18:30:31Z",
"published": "2026-03-11T12:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3805"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3591944"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-3805.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-3805.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-228Q-26QQ-7H4M
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-24 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16821.
{
"affected": [],
"aliases": [
"CVE-2022-28680"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16821.",
"id": "GHSA-228q-26qq-7h4m",
"modified": "2022-07-24T00:00:35Z",
"published": "2022-07-19T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28680"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-771"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2292-859M-6PRP
Vulnerability from github – Published: 2024-03-03 00:30 – Updated: 2024-12-11 15:31In the Linux kernel, the following vulnerability has been resolved:
ieee802154: ca8210: Fix a potential UAF in ca8210_probe
If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an error. However, the caller ca8210_probe() then calls ca8210_remove(), where priv->clk is freed again in ca8210_unregister_ext_clock(). In this case, a use-after-free may happen in the second time we call clk_unregister().
Fix this by removing the first clk_unregister(). Also, priv->clk could be an error code on failure of clk_register_fixed_rate(). Use IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
{
"affected": [],
"aliases": [
"CVE-2023-52510"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-02T22:15:47Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nieee802154: ca8210: Fix a potential UAF in ca8210_probe\n\nIf of_clk_add_provider() fails in ca8210_register_ext_clock(),\nit calls clk_unregister() to release priv-\u003eclk and returns an\nerror. However, the caller ca8210_probe() then calls ca8210_remove(),\nwhere priv-\u003eclk is freed again in ca8210_unregister_ext_clock(). In\nthis case, a use-after-free may happen in the second time we call\nclk_unregister().\n\nFix this by removing the first clk_unregister(). Also, priv-\u003eclk could\nbe an error code on failure of clk_register_fixed_rate(). Use\nIS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().",
"id": "GHSA-2292-859m-6prp",
"modified": "2024-12-11T15:31:14Z",
"published": "2024-03-03T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52510"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/217efe32a45249eb07dcd7197e8403de98345e66"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28b68cba378e3e50a4082b65f262bc4f2c7c2add"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/55e06850c7894f00d41b767c5f5665459f83f58f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84c6aa0ae5c4dc121f9996bb8fed46c80909d80e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85c2857ef90041f567ce98722c1c342c4d31f4bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/becf5c147198f4345243c5df0c4f035415491640"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cdb46be93c1f7bbf2c4649e9fc5fb147cfb5245d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f990874b1c98fe8e57ee9385669f501822979258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.