CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-232V-XQXF-3RRG
Vulnerability from github – Published: 2022-12-20 18:30 – Updated: 2022-12-20 18:30In compose of Vibrator.cpp, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-228523213
{
"affected": [],
"aliases": [
"CVE-2022-20524"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "HIGH"
},
"details": "In compose of Vibrator.cpp, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-228523213",
"id": "GHSA-232v-xqxf-3rrg",
"modified": "2022-12-20T18:30:20Z",
"published": "2022-12-20T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20524"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-233X-R9GJ-MFG9
Vulnerability from github – Published: 2026-05-21 15:34 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.
Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.
Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
{
"affected": [],
"aliases": [
"CVE-2026-43497"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T13:16:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free\n\ndlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages\nto userspace but sets no vm_ops on the VMA. This means the kernel cannot\ntrack active mmaps. When dlfb_realloc_framebuffer() replaces the backing\nbuffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.\nOn USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages\nwhile userspace PTEs still reference them, resulting in a use-after-free:\nthe process retains read/write access to freed kernel pages.\n\nAdd vm_operations_struct with open/close callbacks that maintain an\natomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),\ncheck mmap_count and return -EBUSY if the buffer is currently mapped,\npreventing buffer replacement while userspace holds stale PTEs.\n\nTested with PoC using dummy_hcd + raw_gadget USB device emulation.",
"id": "GHSA-233x-r9gj-mfg9",
"modified": "2026-06-01T18:31:32Z",
"published": "2026-05-21T15:34:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43497"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5931f5651ee32bd41b3323256b31fcc8e71336ed"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60f711cfd580f86fea8284146ac133804e728f9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3d9865dacd7435b8465848428210d0f0c673311"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2352-43VG-7VCC
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:30In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: ipc: Fix potential use-after-free in work function
When a reset notify IPC message is received, the ISR schedules a work function and passes the ISHTP device to it via a global pointer ishtp_dev. If ish_probe() fails, the devm-managed device resources including ishtp_dev are freed, but the work is not cancelled, causing a use-after-free when the work function tries to access ishtp_dev. Use devm_work_autocancel() instead, so that the work is automatically cancelled if probe fails.
{
"affected": [],
"aliases": [
"CVE-2023-53039"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:23Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: ipc: Fix potential use-after-free in work function\n\nWhen a reset notify IPC message is received, the ISR schedules a work\nfunction and passes the ISHTP device to it via a global pointer\nishtp_dev. If ish_probe() fails, the devm-managed device resources\nincluding ishtp_dev are freed, but the work is not cancelled, causing a\nuse-after-free when the work function tries to access ishtp_dev. Use\ndevm_work_autocancel() instead, so that the work is automatically\ncancelled if probe fails.",
"id": "GHSA-2352-43vg-7vcc",
"modified": "2025-11-12T21:30:59Z",
"published": "2025-05-02T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53039"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a594cb490ca6232671fc09e2dc1a0fc7ccbb0b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ae2f2b0a28416ed2f6d8478ac8b9f7862f36785"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c1d378b8c224fd50247625255f09fc01dcc5836"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3ce3afd9f791dd1b7daedfcf8c396b60af5dec0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2356-622P-VMC7
Vulnerability from github – Published: 2026-04-29 00:30 – Updated: 2026-04-29 21:31Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-7359"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T23:16:23Z",
"severity": "HIGH"
},
"details": "Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-2356-622p-vmc7",
"modified": "2026-04-29T21:31:25Z",
"published": "2026-04-29T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7359"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/496284494"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-237R-5VV2-CJJ5
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:57Use-after-free vulnerability will occur if reset of the routing table encounters an invalid rule id while processing command to reset in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, QCS405, QCS605, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24
{
"affected": [],
"aliases": [
"CVE-2018-13919"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-14T17:29:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability will occur if reset of the routing table encounters an invalid rule id while processing command to reset in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9650, MSM8909W, QCS405, QCS605, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM630, SDM660, SDX20, SDX24",
"id": "GHSA-237r-5vv2-cjj5",
"modified": "2024-04-04T00:57:41Z",
"published": "2022-05-24T16:48:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13919"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2019/05/06/may-2019-code-aurora-security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-237R-RX7W-5J6C
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-30 12:30In the Linux kernel, the following vulnerability has been resolved:
accel/amdxdna: Stop job scheduling across aie2_release_resource()
Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes.
Fix this by stopping job scheduling before calling aie2_release_resource() and restarting it after the release completes. Additionally, aie2_sched_job_run() now checks whether the hardware context is still active.
{
"affected": [],
"aliases": [
"CVE-2026-45980"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Stop job scheduling across aie2_release_resource()\n\nRunning jobs on a hardware context while it is in the process of\nreleasing resources can lead to use-after-free and crashes.\n\nFix this by stopping job scheduling before calling\naie2_release_resource() and restarting it after the release completes.\nAdditionally, aie2_sched_job_run() now checks whether the hardware\ncontext is still active.",
"id": "GHSA-237r-rx7w-5j6c",
"modified": "2026-05-30T12:30:23Z",
"published": "2026-05-27T15:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45980"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/688c3ff079b10e4600f040944430d3d4ff448a15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b79d31dce49b50c79620389b3639280802a86960"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1370241fe8045702bc9d0812b996791f0500f1b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-238G-8QM5-HGVF
Vulnerability from github – Published: 2022-12-21 00:30 – Updated: 2022-12-21 00:30In TBD of aud_hal_tunnel.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222162870References: N/A
{
"affected": [],
"aliases": [
"CVE-2022-20561"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "HIGH"
},
"details": "In TBD of aud_hal_tunnel.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222162870References: N/A",
"id": "GHSA-238g-8qm5-hgvf",
"modified": "2022-12-21T00:30:29Z",
"published": "2022-12-21T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20561"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-239P-6RFV-62VF
Vulnerability from github – Published: 2024-05-08 00:31 – Updated: 2024-05-08 00:31Foxit PDF Reader AcroForm Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14975.
{
"affected": [],
"aliases": [
"CVE-2021-34972"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T23:15:12Z",
"severity": "LOW"
},
"details": "Foxit PDF Reader AcroForm Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14975.",
"id": "GHSA-239p-6rfv-62vf",
"modified": "2024-05-08T00:31:14Z",
"published": "2024-05-08T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34972"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1203"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23CR-WMPF-6WP5
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the focus controller.
{
"affected": [],
"aliases": [
"CVE-2011-2857"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-09-19T12:02:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the focus controller.",
"id": "GHSA-23cr-wmpf-6wp5",
"modified": "2022-05-13T01:26:52Z",
"published": "2022-05-13T01:26:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2857"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69884"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14593"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=93420"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/75559"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48274"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48288"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48377"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026774"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-23FJ-6RWP-5RQ6
Vulnerability from github – Published: 2025-06-10 21:31 – Updated: 2025-06-11 18:35Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-43576"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T19:15:32Z",
"severity": "HIGH"
},
"details": "Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-23fj-6rwp-5rq6",
"modified": "2025-06-11T18:35:42Z",
"published": "2025-06-10T21:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43576"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb25-57.html"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2170"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.