Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-24C8-3JP4-H926

Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2024-11-08 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM:

BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119 print_report+0x144/0x7a4 mm/kasan/report.c:377 kasan_report+0xcc/0x128 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409 __fput+0x198/0x71c fs/file_table.c:422 ____fput+0x20/0x30 fs/file_table.c:450 task_work_run+0x1cc/0x23c kernel/task_work.c:228 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock.

Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:14Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unregister redistributor for failed vCPU creation\n\nAlex reports that syzkaller has managed to trigger a use-after-free when\ntearing down a VM:\n\n  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758\n\n  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317\n   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324\n   __dump_stack lib/dump_stack.c:93 [inline]\n   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119\n   print_report+0x144/0x7a4 mm/kasan/report.c:377\n   kasan_report+0xcc/0x128 mm/kasan/report.c:601\n   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409\n   __fput+0x198/0x71c fs/file_table.c:422\n   ____fput+0x20/0x30 fs/file_table.c:450\n   task_work_run+0x1cc/0x23c kernel/task_work.c:228\n   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50\n   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169\n   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nUpon closer inspection, it appears that we do not properly tear down the\nMMIO registration for a vCPU that fails creation late in the game, e.g.\na vCPU w/ the same ID already exists in the VM.\n\nIt is important to consider the context of commit that introduced this bug\nby moving the unregistration out of __kvm_vgic_vcpu_destroy(). That\nchange correctly sought to avoid an srcu v. config_lock inversion by\nbreaking up the vCPU teardown into two parts, one guarded by the\nconfig_lock.\n\nFix the use-after-free while avoiding lock inversion by adding a\nspecial-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe\nbecause failed vCPUs are torn down outside of the config_lock.",
  "id": "GHSA-24c8-3jp4-h926",
  "modified": "2024-11-08T21:33:53Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50114"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bcc2890b883ba1d16b8942937750565f6e9db0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae8f8b37610269009326f4318df161206c59843e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24C9-H3QQ-J27F

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-17 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger

When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.

Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:

spin_lock(&fp->conn->llist_lock);

This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().

The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.

To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths: - Safely skip clist deletion when list is empty and fp->conn is NULL. - Remove the lock from the old connection's lock_list in session_fd_check() - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T14:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger\n\nWhen a durable file handle survives session disconnect (TCP close without\nSMB2_LOGOFF), session_fd_check() sets fp-\u003econn = NULL to preserve the\nhandle for later reconnection. However, it did not clean up the byte-range\nlocks on fp-\u003elock_list.\n\nLater, when the durable scavenger thread times out and calls\n__ksmbd_close_fd(NULL, fp), the lock cleanup loop did:\n\n    spin_lock(\u0026fp-\u003econn-\u003ellist_lock);\n\nThis caused a slab use-after-free because fp-\u003econn was NULL and the\noriginal connection object had already been freed by\nksmbd_tcp_disconnect().\n\nThe root cause is asymmetric cleanup: lock entries (smb_lock-\u003eclist) were\nleft dangling on the freed conn-\u003elock_list while fp-\u003econn was nulled out.\n\nTo fix this issue properly, we need to handle the lifetime of\nsmb_lock-\u003eclist across three paths:\n - Safely skip clist deletion when list is empty and fp-\u003econn is NULL.\n - Remove the lock from the old connection\u0027s lock_list in\n   session_fd_check()\n - Re-add the lock to the new connection\u0027s lock_list in\n   ksmbd_reopen_durable_fd().",
  "id": "GHSA-24c9-h3qq-j27f",
  "modified": "2026-05-17T18:30:27Z",
  "published": "2026-05-01T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31718"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0000a7780e0e446a28a273572f6ea8f7f582f694"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/235e32320a470fcd3998fb3774f2290a0eb302a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d6682726c2d3a46d31dae88b8166786b09b03ad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b34fc42cfe922e551f7a27d3ac3bb016e41d7dd9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e33c65f011980b4ad4abfd93585ec2079856368f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24H5-6VCF-HXW3

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

Use-after-free vulnerability in the nsNodeUtils::LastRelease function in the table-editing user interface in the editor component in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code by triggering improper garbage collection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-5618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-12-11T15:55:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free vulnerability in the nsNodeUtils::LastRelease function in the table-editing user interface in the editor component in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allows remote attackers to execute arbitrary code by triggering improper garbage collection.",
  "id": "GHSA-24h5-6vcf-hxw3",
  "modified": "2022-05-13T01:23:51Z",
  "published": "2022-05-13T01:23:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5618"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=926361"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201504-01"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/123437.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124108.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124257.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-January/125470.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00085.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00086.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00087.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00119.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00120.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00121.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1812.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2013/mfsa2013-109.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029470"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029476"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2052-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2053-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24H8-867P-WF7H

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59
VLAI
Details

Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-17T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
  "id": "GHSA-24h8-867p-wf7h",
  "modified": "2022-05-24T16:59:21Z",
  "published": "2022-05-24T16:59:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8180"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-24J6-CGWW-3PM6

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Format events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6355.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-29T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Format events. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6355.",
  "id": "GHSA-24j6-cgww-3pm6",
  "modified": "2022-05-13T01:34:01Z",
  "published": "2022-05-13T01:34:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17621"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-1102"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24V2-438W-JH8C

Vulnerability from github – Published: 2022-05-14 00:52 – Updated: 2022-05-14 00:52
VLAI
Details

Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-18T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
  "id": "GHSA-24v2-438w-jh8c",
  "modified": "2022-05-14T00:52:30Z",
  "published": "2022-05-14T00:52:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16039"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb18-41.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106164"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24V2-X6VH-5FPJ

Vulnerability from github – Published: 2022-09-10 00:00 – Updated: 2022-09-15 00:00
VLAI
Details

A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res_check' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-09T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A use-after-free(UAF) vulnerability was found in function \u0027vmw_cmd_res_check\u0027 in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in Linux kernel\u0027s vmwgfx driver with device file \u0027/dev/dri/renderD128 (or Dxxx)\u0027. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS).",
  "id": "GHSA-24v2-x6vh-5fpj",
  "modified": "2022-09-15T00:00:18Z",
  "published": "2022-09-10T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38457"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=2074"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24W5-R89J-8F2V

Vulnerability from github – Published: 2022-05-17 02:42 – Updated: 2022-05-17 02:42
VLAI
Details

In GNSS in all Android releases from CAF using the Linux kernel, a Use After Free vulnerability could potentially exist.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-06T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "In GNSS in all Android releases from CAF using the Linux kernel, a Use After Free vulnerability could potentially exist.",
  "id": "GHSA-24w5-r89j-8f2v",
  "modified": "2022-05-17T02:42:12Z",
  "published": "2022-05-17T02:42:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9926"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-05-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98228"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24X4-6QMH-88QG

Vulnerability from github – Published: 2022-02-09 23:57 – Updated: 2024-11-07 22:28
VLAI
Summary
Use after free in `DecodePng` kernel
Details

Impact

A malicious user can cause a use after free behavior when decoding PNG images:

if (/* ... error conditions ... */) {
  png::CommonFreeDecode(&decode);
  OP_REQUIRES(context, false,
              errors::InvalidArgument("PNG size too large for int: ",
                                      decode.width, " by ", decode.height));
}   

After png::CommonFreeDecode(&decode) gets called, the values of decode.width and decode.height are in an unspecified state.

Patches

We have patched the issue in GitHub commit e746adbfcfee15e9cfdb391ff746c765b99bdf9b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-04T19:37:12Z",
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA malicious user can cause a use after free behavior when [decoding PNG images](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346):\n```cc\nif (/* ... error conditions ... */) {\n  png::CommonFreeDecode(\u0026decode);\n  OP_REQUIRES(context, false,\n              errors::InvalidArgument(\"PNG size too large for int: \",\n                                      decode.width, \" by \", decode.height));\n}   \n```\nAfter `png::CommonFreeDecode(\u0026decode)` gets called, the values of `decode.width` and `decode.height` are in an unspecified state.\n\n### Patches\nWe have patched the issue in GitHub commit [e746adbfcfee15e9cfdb391ff746c765b99bdf9b](https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
  "id": "GHSA-24x4-6qmh-88qg",
  "modified": "2024-11-07T22:28:38Z",
  "published": "2022-02-09T23:57:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-24x4-6qmh-88qg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23584"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/e746adbfcfee15e9cfdb391ff746c765b99bdf9b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-93.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-148.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use after free in `DecodePng` kernel"
}

GHSA-24XF-H5QF-W44W

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 18:31
VLAI
Details

Use after free in WebGL in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:11Z",
    "severity": "MODERATE"
  },
  "details": "Use after free in WebGL in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-24xf-h5qf-w44w",
  "modified": "2026-06-05T18:31:34Z",
  "published": "2026-06-05T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11073"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/499365904"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.