Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-273H-MFPF-CVQ6

Vulnerability from github – Published: 2024-06-07 18:30 – Updated: 2024-06-07 18:30
VLAI
Details

An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 850, Exynos 1080, Exynos 2100, Exynos 1280, Exynos 1380, Exynos 1330, Exynos W920, Exynos W930. The mobile processor lacks proper memory deallocation checking, which can result in a UAF (Use-After-Free) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-762"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-07T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 850, Exynos 1080, Exynos 2100, Exynos 1280, Exynos 1380, Exynos 1330, Exynos W920, Exynos W930. The mobile processor lacks proper memory deallocation checking, which can result in a UAF (Use-After-Free) vulnerability.",
  "id": "GHSA-273h-mfpf-cvq6",
  "modified": "2024-06-07T18:30:37Z",
  "published": "2024-06-07T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32503"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-273J-J8FX-2WQF

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

The Device Model in ACRN through 2.5 has a devicemodel/core/mem.c use-after-free for a freed rb_entry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Device Model in ACRN through 2.5 has a devicemodel/core/mem.c use-after-free for a freed rb_entry.",
  "id": "GHSA-273j-j8fx-2wqf",
  "modified": "2022-05-24T19:06:54Z",
  "published": "2022-05-24T19:06:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/projectacrn/acrn-hypervisor/pull/6058/commits/f880086ffe5423e67d968c8f8f665954786582ce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2742-R3C2-2QGJ

Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2024-11-13 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

In support of investigating an initialization failure report [1], cxl_test was updated to register mock memory-devices after the mock root-port/bus device had been registered. That led to cxl_test crashing with a use-after-free bug with the following signature:

cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1
cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1
cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0

1) cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1 [..] cxld_unregister: cxl decoder14.0: cxl_region_decode_reset: cxl_region region3: mock_decoder_reset: cxl_port port3: decoder3.0 reset 2) mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1 cxl_endpoint_decoder_release: cxl decoder14.0: [..] cxld_unregister: cxl decoder7.0: 3) cxl_region_decode_reset: cxl_region region3: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI [..] RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core] [..] Call Trace: cxl_region_decode_reset+0x69/0x190 [cxl_core] cxl_region_detach+0xe8/0x210 [cxl_core] cxl_decoder_kill_region+0x27/0x40 [cxl_core] cxld_unregister+0x5d/0x60 [cxl_core]

At 1) a region has been established with 2 endpoint decoders (7.0 and 14.0). Those endpoints share a common switch-decoder in the topology (3.0). At teardown, 2), decoder14.0 is the first to be removed and hits the "out of order reset case" in the switch decoder. The effect though is that region3 cleanup is aborted leaving it in-tact and referencing decoder14.0. At 3) the second attempt to teardown region3 trips over the stale decoder14.0 object which has long since been deleted.

The fix here is to recognize that the CXL specification places no mandate on in-order shutdown of switch-decoders, the driver enforces in-order allocation, and hardware enforces in-order commit. So, rather than fail and leave objects dangling, always remove them.

In support of making cxl_region_decode_reset() always succeed, cxl_region_invalidate_memregion() failures are turned into warnings. Crashing the kernel is ok there since system integrity is at risk if caches cannot be managed around physical address mutation events like CXL region destruction.

A new device_for_each_child_reverse_from() is added to cleanup port->commit_end after all dependent decoders have been disabled. In other words if decoders are allocated 0->1->2 and disabled 1->2->0 then port->commit_end only decrements from 2 after 2 has been disabled, and it decrements all the way to zero since 1 was disabled previously.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix use-after-free, permit out-of-order decoder shutdown\n\nIn support of investigating an initialization failure report [1],\ncxl_test was updated to register mock memory-devices after the mock\nroot-port/bus device had been registered. That led to cxl_test crashing\nwith a use-after-free bug with the following signature:\n\n    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem0:decoder7.0 @ 0 next: cxl_switch_uport.0 nr_eps: 1 nr_targets: 1\n    cxl_port_attach_region: cxl region3: cxl_host_bridge.0:port3 decoder3.0 add: mem4:decoder14.0 @ 1 next: cxl_switch_uport.0 nr_eps: 2 nr_targets: 1\n    cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[0] = cxl_switch_dport.0 for mem0:decoder7.0 @ 0\n1)  cxl_port_setup_targets: cxl region3: cxl_switch_uport.0:port6 target[1] = cxl_switch_dport.4 for mem4:decoder14.0 @ 1\n    [..]\n    cxld_unregister: cxl decoder14.0:\n    cxl_region_decode_reset: cxl_region region3:\n    mock_decoder_reset: cxl_port port3: decoder3.0 reset\n2)  mock_decoder_reset: cxl_port port3: decoder3.0: out of order reset, expected decoder3.1\n    cxl_endpoint_decoder_release: cxl decoder14.0:\n    [..]\n    cxld_unregister: cxl decoder7.0:\n3)  cxl_region_decode_reset: cxl_region region3:\n    Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bc3: 0000 [#1] PREEMPT SMP PTI\n    [..]\n    RIP: 0010:to_cxl_port+0x8/0x60 [cxl_core]\n    [..]\n    Call Trace:\n     \u003cTASK\u003e\n     cxl_region_decode_reset+0x69/0x190 [cxl_core]\n     cxl_region_detach+0xe8/0x210 [cxl_core]\n     cxl_decoder_kill_region+0x27/0x40 [cxl_core]\n     cxld_unregister+0x5d/0x60 [cxl_core]\n\nAt 1) a region has been established with 2 endpoint decoders (7.0 and\n14.0). Those endpoints share a common switch-decoder in the topology\n(3.0). At teardown, 2), decoder14.0 is the first to be removed and hits\nthe \"out of order reset case\" in the switch decoder. The effect though\nis that region3 cleanup is aborted leaving it in-tact and\nreferencing decoder14.0. At 3) the second attempt to teardown region3\ntrips over the stale decoder14.0 object which has long since been\ndeleted.\n\nThe fix here is to recognize that the CXL specification places no\nmandate on in-order shutdown of switch-decoders, the driver enforces\nin-order allocation, and hardware enforces in-order commit. So, rather\nthan fail and leave objects dangling, always remove them.\n\nIn support of making cxl_region_decode_reset() always succeed,\ncxl_region_invalidate_memregion() failures are turned into warnings.\nCrashing the kernel is ok there since system integrity is at risk if\ncaches cannot be managed around physical address mutation events like\nCXL region destruction.\n\nA new device_for_each_child_reverse_from() is added to cleanup\nport-\u003ecommit_end after all dependent decoders have been disabled. In\nother words if decoders are allocated 0-\u003e1-\u003e2 and disabled 1-\u003e2-\u003e0 then\nport-\u003ecommit_end only decrements from 2 after 2 has been disabled, and\nit decrements all the way to zero since 1 was disabled previously.",
  "id": "GHSA-2742-r3c2-2qgj",
  "modified": "2024-11-13T21:30:32Z",
  "published": "2024-11-09T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50226"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/101c268bd2f37e965a5468353e62d154db38838e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78c8454fdce0eeee962be004eb6d99860c80dad1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e1b52c15c81106456437f8e49575040e489e355"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-274M-Q55H-JM5R

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:01
VLAI
Details

A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-27T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use-after-free vulnerability can occur while manipulating video elements if the body is freed while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox \u003c 69, Thunderbird \u003c 68.1, Thunderbird \u003c 60.9, Firefox ESR \u003c 60.9, and Firefox ESR \u003c 68.1.",
  "id": "GHSA-274m-q55h-jm5r",
  "modified": "2024-04-04T02:01:44Z",
  "published": "2022-05-24T16:57:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11746"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1564449"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201911-07"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4150-1"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-25"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-26"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-27"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-29"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2019-30"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-276R-JXX7-V78H

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

Use after free in Browser UI in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who had convinced a user to engage in specific UI interaction to potentially exploit heap corruption via specific user interactions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Browser UI in Google Chrome prior to 101.0.4951.64 allowed a remote attacker who had convinced a user to engage in specific UI interaction to potentially exploit heap corruption via specific user interactions.",
  "id": "GHSA-276r-jxx7-v78h",
  "modified": "2022-07-29T00:00:30Z",
  "published": "2022-07-27T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1634"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1314908"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2789-CV5Q-PWGX

Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-16 00:00
VLAI
Details

A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-09T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
  "id": "GHSA-2789-cv5q-pwgx",
  "modified": "2022-06-16T00:00:22Z",
  "published": "2022-06-10T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1998"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/notify/fanotify/fanotify_user.c?h=v5.17\u0026id=ee12595147ac1fbfb5bcb23837e26dd58d94b15d"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/oss-sec/2022/q1/99"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220707-0009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-278Q-X23R-MW73

Vulnerability from github – Published: 2022-05-14 02:10 – Updated: 2022-05-14 02:10
VLAI
Details

Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to visibility events.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-12-12T11:38:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to visibility events.",
  "id": "GHSA-278q-x23r-mw73",
  "modified": "2022-05-14T02:10:57Z",
  "published": "2022-05-14T02:10:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5139"
    },
    {
      "type": "WEB",
      "url": "https://code.google.com/p/chromium/issues/detail?id=158204"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16064"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2012/12/stable-channel-update.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00073.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-27CC-FVV7-2RH9

Vulnerability from github – Published: 2025-01-08 18:30 – Updated: 2025-01-10 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: put bpf_link's program when link is safe to be deallocated

In general, BPF link's underlying BPF program should be considered to be reachable through attach hook -> link -> prog chain, and, pessimistically, we have to assume that as long as link's memory is not safe to free, attach hook's code might hold a pointer to BPF program and use it.

As such, it's not (generally) correct to put link's program early before waiting for RCU GPs to go through. More eager bpf_prog_put() that we currently do is mostly correct due to BPF program's release code doing similar RCU GP waiting, but as will be shown in the following patches, BPF program can be non-sleepable (and, thus, reliant on only "classic" RCU GP), while BPF link's attach hook can have sleepable semantics and needs to be protected by RCU Tasks Trace, and for such cases BPF link has to go through RCU Tasks Trace + "classic" RCU GPs before being deallocated. And so, if we put BPF program early, we might free BPF program before we free BPF link, leading to use-after-free situation.

So, this patch defers bpf_prog_put() until we are ready to perform bpf_link's deallocation. At worst, this delays BPF program freeing by one extra RCU GP, but that seems completely acceptable. Alternatively, we'd need more elaborate ways to determine BPF hook, BPF link, and BPF program lifetimes, and how they relate to each other, which seems like an unnecessary complication.

Note, for most BPF links we still will perform eager bpf_prog_put() and link dealloc, so for those BPF links there are no observable changes whatsoever. Only BPF links that use deferred dealloc might notice slightly delayed freeing of BPF programs.

Also, to reduce code and logic duplication, extract program put + link dealloc logic into bpf_link_dealloc() helper.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T18:15:19Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: put bpf_link\u0027s program when link is safe to be deallocated\n\nIn general, BPF link\u0027s underlying BPF program should be considered to be\nreachable through attach hook -\u003e link -\u003e prog chain, and, pessimistically,\nwe have to assume that as long as link\u0027s memory is not safe to free,\nattach hook\u0027s code might hold a pointer to BPF program and use it.\n\nAs such, it\u0027s not (generally) correct to put link\u0027s program early before\nwaiting for RCU GPs to go through. More eager bpf_prog_put() that we\ncurrently do is mostly correct due to BPF program\u0027s release code doing\nsimilar RCU GP waiting, but as will be shown in the following patches,\nBPF program can be non-sleepable (and, thus, reliant on only \"classic\"\nRCU GP), while BPF link\u0027s attach hook can have sleepable semantics and\nneeds to be protected by RCU Tasks Trace, and for such cases BPF link\nhas to go through RCU Tasks Trace + \"classic\" RCU GPs before being\ndeallocated. And so, if we put BPF program early, we might free BPF\nprogram before we free BPF link, leading to use-after-free situation.\n\nSo, this patch defers bpf_prog_put() until we are ready to perform\nbpf_link\u0027s deallocation. At worst, this delays BPF program freeing by\none extra RCU GP, but that seems completely acceptable. Alternatively,\nwe\u0027d need more elaborate ways to determine BPF hook, BPF link, and BPF\nprogram lifetimes, and how they relate to each other, which seems like\nan unnecessary complication.\n\nNote, for most BPF links we still will perform eager bpf_prog_put() and\nlink dealloc, so for those BPF links there are no observable changes\nwhatsoever. Only BPF links that use deferred dealloc might notice\nslightly delayed freeing of BPF programs.\n\nAlso, to reduce code and logic duplication, extract program put + link\ndealloc logic into bpf_link_dealloc() helper.",
  "id": "GHSA-27cc-fvv7-2rh9",
  "modified": "2025-01-10T21:31:27Z",
  "published": "2025-01-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56786"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2fcb921c2799c49ac5e365cf4110f94a64ae4885"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fe23c57abadfd46a7a66e81f3536e4757252a0b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f44ec8733a8469143fde1984b5e6931b2e2f6f3f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-27H4-GXF8-4GG7

Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2023-01-24 15:30
VLAI
Details

Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-3002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-14T16:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution.",
  "id": "GHSA-27h4-gxf8-4gg7",
  "modified": "2023-01-24T15:30:22Z",
  "published": "2022-05-14T03:54:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3002"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb17-07.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201703-02"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0526.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96861"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037994"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-27H4-QJQ2-62V3

Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2025-11-25 18:32
VLAI
Details

A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.6 and Firefox < 58.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-11T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR \u003c 52.6 and Firefox \u003c 58.",
  "id": "GHSA-27h4-qjq2-62v3",
  "modified": "2025-11-25T18:32:11Z",
  "published": "2022-05-14T03:08:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5091"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0122"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1423086"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3544-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4096"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4102"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2018-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2018-03"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102783"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040270"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.