CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-2WC3-H48P-9GPQ
Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2024-12-23 21:30In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
When ncm function is working and then stop usb0 interface for link down, eth_stop() is called. At this piont, accidentally if usb transport error should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
After that, ncm_disable() is called to disable for ncm unbind but gether_disconnect() is never called since 'in_ep' is not enabled.
As the result, ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL.
And when ncm bind again to recover netdev, ncm object is reallocated but usb0 interface is already associated to previous released ncm object.
Therefore, once usb0 interface is up and eth_start_xmit() is called, released ncm object is dereferrenced and it might cause use-after-free memory.
[function unlink via configfs] usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> error happens in usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() since ncm->port.in_ep->enabled is false. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm
[function link via configfs] NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000 NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm usb0: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() Unable to handle kernel paging request at virtual address dead00000000014f
This patch addresses the issue by checking if 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than check 'ncm->port.in_ep->enabled' since it might not be enabled but the gether connection might be established.
{
"affected": [],
"aliases": [
"CVE-2024-26996"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T06:15:17Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), \u0027in_ep\u0027 and/or \u0027out_ep\u0027 may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since \u0027in_ep\u0027 is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut \u0027dev-\u003eport_usb\u0027 associated to \u0027ncm-\u003eport\u0027 is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev-\u003eport_usb=ffffff9b179c3200\n --\u003e error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --\u003e no gether_disconnect() since ncm-\u003eport.in_ep-\u003eenabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 \u003c-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev-\u003eport_usb=ffffff9b179c3200 \u003c-- previous released ncm\n usb0: eth_start dev-\u003eport_usb=ffffff9b179c3200 \u003c--\n eth_start_xmit()\n --\u003e dev-\u003ewrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if \u0027ncm-\u003enetdev\u0027 is not NULL at\nncm_disable() to call gether_disconnect() to deassociate \u0027dev-\u003eport_usb\u0027.\nIt\u0027s more reasonable to check \u0027ncm-\u003enetdev\u0027 to call gether_connect/disconnect\nrather than check \u0027ncm-\u003eport.in_ep-\u003eenabled\u0027 since it might not be enabled\nbut the gether connection might be established.",
"id": "GHSA-2wc3-h48p-9gpq",
"modified": "2024-12-23T21:30:50Z",
"published": "2024-05-01T06:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26996"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WCG-7WR3-Q72Q
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 21:31Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-9958"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:54Z",
"severity": "HIGH"
},
"details": "Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)",
"id": "GHSA-2wcg-7wr3-q72q",
"modified": "2026-05-29T21:31:19Z",
"published": "2026-05-29T00:38:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9958"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/504555886"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WHC-3W32-64H4
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38Use after free in WebCodecs in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-16023"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-08T19:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in WebCodecs in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-2whc-3w32-64h4",
"modified": "2022-05-24T17:38:16Z",
"published": "2022-05-24T17:38:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16023"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1146761"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2WJJ-G2W4-V4V9
Vulnerability from github – Published: 2022-02-13 00:00 – Updated: 2022-03-17 00:05Use after free in File Manager API in Google Chrome on Chrome OS prior to 97.0.4692.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0107"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-12T00:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in File Manager API in Google Chrome on Chrome OS prior to 97.0.4692.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-2wjj-g2w4-v4v9",
"modified": "2022-03-17T00:05:40Z",
"published": "2022-02-13T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0107"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1248438"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WMV-XP85-M57J
Vulnerability from github – Published: 2023-02-12 06:30 – Updated: 2023-02-21 21:30In bt driver, there is a thread competition leads to early release of resources to be accessed. This could lead to local denial of service in kernel.
{
"affected": [],
"aliases": [
"CVE-2022-47371"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "In bt driver, there is a thread competition leads to early release of resources to be accessed. This could lead to local denial of service in kernel.",
"id": "GHSA-2wmv-xp85-m57j",
"modified": "2023-02-21T21:30:20Z",
"published": "2023-02-12T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47371"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1621031430231134210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WP4-95HR-RX8X
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2023-08-02 00:30Microsoft Office Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31175, CVE-2021-31177, CVE-2021-31179.
{
"affected": [],
"aliases": [
"CVE-2021-31176"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-11T19:15:00Z",
"severity": "HIGH"
},
"details": "Microsoft Office Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31175, CVE-2021-31177, CVE-2021-31179.",
"id": "GHSA-2wp4-95hr-rx8x",
"modified": "2023-08-02T00:30:31Z",
"published": "2022-05-24T19:02:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31176"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31176"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WP4-VWQ7-X2X6
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40A use after free issue has been identified in the way ISPSoft(v3.12 and prior) processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2020-27280"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue has been identified in the way ISPSoft(v3.12 and prior) processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution.",
"id": "GHSA-2wp4-vwq7-x2x6",
"modified": "2022-05-24T17:40:11Z",
"published": "2022-05-24T17:40:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27280"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-021-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2WQ7-X39P-77FM
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media buffers.
{
"affected": [],
"aliases": [
"CVE-2011-3882"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-10-25T19:55:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media buffers.",
"id": "GHSA-2wq7-x39p-77fm",
"modified": "2022-05-13T01:26:48Z",
"published": "2022-05-13T01:26:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3882"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70960"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13266"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=96292"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2WQP-VX6W-RVFX
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-06 18:30In the Linux kernel, the following vulnerability has been resolved:
nvmem: core: fix use-after-free bugs in error paths
Fix several instances of error paths in which we call __nvmem_device_put() - which may end up freeing the underlying memory and other resources - and then keep on using the nvmem structure. Always put the reference to the nvmem device as the last step before returning the error code.
{
"affected": [],
"aliases": [
"CVE-2026-53156"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:32Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: fix use-after-free bugs in error paths\n\nFix several instances of error paths in which we call\n__nvmem_device_put() - which may end up freeing the underlying memory\nand other resources - and then keep on using the nvmem structure. Always\nput the reference to the nvmem device as the last step before returning\nthe error code.",
"id": "GHSA-2wqp-vx6w-rvfx",
"modified": "2026-07-06T18:30:36Z",
"published": "2026-06-25T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53156"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/40e2a459c0dd1333b2343831480a0ad80dc07614"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b6b6fc491899d583eaa75344e094796ae9b530b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb85ef5a227b3662b88f4d849a1aad43bfe7f5ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0d38bf47a72da2f02c9fa6f752cd66d977cd7f7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WQV-J5PW-Q5FX
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-56644"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:30Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-2wqv-j5pw-q5fx",
"modified": "2026-07-14T18:32:38Z",
"published": "2026-07-14T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56644"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56644"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.