CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-392H-PCR9-7J4W
Vulnerability from github – Published: 2024-08-26 12:31 – Updated: 2024-09-05 21:31In the Linux kernel, the following vulnerability has been resolved:
tracing: Have format file honor EVENT_FILE_FL_FREED
When eventfs was introduced, special care had to be done to coordinate the freeing of the file meta data with the files that are exposed to user space. The file meta data would have a ref count that is set when the file is created and would be decremented and freed after the last user that opened the file closed it. When the file meta data was to be freed, it would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed, and any new references made (like new opens or reads) would fail as it is marked freed. This allowed other meta data to be freed after this flag was set (under the event_mutex).
All the files that were dynamically created in the events directory had a pointer to the file meta data and would call event_release() when the last reference to the user space file was closed. This would be the time that it is safe to free the file meta data.
A shortcut was made for the "format" file. It's i_private would point to the "call" entry directly and not point to the file's meta data. This is because all format files are the same for the same "call", so it was thought there was no reason to differentiate them. The other files maintain state (like the "enable", "trigger", etc). But this meant if the file were to disappear, the "format" file would be unaware of it.
This caused a race that could be trigger via the user_events test (that would create dynamic events and free them), and running a loop that would read the user_events format files:
In one console run:
# cd tools/testing/selftests/user_events # while true; do ./ftrace_test; done
And in another console run:
# cd /sys/kernel/tracing/ # while true; do cat events/user_events/__test_event/format; done 2>/dev/null
With KASAN memory checking, it would trigger a use-after-free bug report (which was a real bug). This was because the format file was not checking the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the event that the file meta data pointed to after the event was freed.
After inspection, there are other locations that were found to not check the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a new helper function: event_file_file() that will make sure that the event_mutex is held, and will return NULL if the trace_event_file has the EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file pointer use event_file_file() and check for NULL. Later uses can still use the event_file_data() helper function if the event_mutex is still held and was not released since the event_file_file() call.
{
"affected": [],
"aliases": [
"CVE-2024-43891"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T11:15:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Have format file honor EVENT_FILE_FL_FREED\n\nWhen eventfs was introduced, special care had to be done to coordinate the\nfreeing of the file meta data with the files that are exposed to user\nspace. The file meta data would have a ref count that is set when the file\nis created and would be decremented and freed after the last user that\nopened the file closed it. When the file meta data was to be freed, it\nwould set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,\nand any new references made (like new opens or reads) would fail as it is\nmarked freed. This allowed other meta data to be freed after this flag was\nset (under the event_mutex).\n\nAll the files that were dynamically created in the events directory had a\npointer to the file meta data and would call event_release() when the last\nreference to the user space file was closed. This would be the time that it\nis safe to free the file meta data.\n\nA shortcut was made for the \"format\" file. It\u0027s i_private would point to\nthe \"call\" entry directly and not point to the file\u0027s meta data. This is\nbecause all format files are the same for the same \"call\", so it was\nthought there was no reason to differentiate them. The other files\nmaintain state (like the \"enable\", \"trigger\", etc). But this meant if the\nfile were to disappear, the \"format\" file would be unaware of it.\n\nThis caused a race that could be trigger via the user_events test (that\nwould create dynamic events and free them), and running a loop that would\nread the user_events format files:\n\nIn one console run:\n\n # cd tools/testing/selftests/user_events\n # while true; do ./ftrace_test; done\n\nAnd in another console run:\n\n # cd /sys/kernel/tracing/\n # while true; do cat events/user_events/__test_event/format; done 2\u003e/dev/null\n\nWith KASAN memory checking, it would trigger a use-after-free bug report\n(which was a real bug). This was because the format file was not checking\nthe file\u0027s meta data flag \"EVENT_FILE_FL_FREED\", so it would access the\nevent that the file meta data pointed to after the event was freed.\n\nAfter inspection, there are other locations that were found to not check\nthe EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a\nnew helper function: event_file_file() that will make sure that the\nevent_mutex is held, and will return NULL if the trace_event_file has the\nEVENT_FILE_FL_FREED flag set. Have the first reference of the struct file\npointer use event_file_file() and check for NULL. Later uses can still use\nthe event_file_data() helper function if the event_mutex is still held and\nwas not released since the event_file_file() call.",
"id": "GHSA-392h-pcr9-7j4w",
"modified": "2024-09-05T21:31:33Z",
"published": "2024-08-26T12:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43891"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ed03758ddf0b19d69eed69386d65a92d0091e0c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/531dc6780d94245af037c25c2371c8caf652f0f9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1560408692cd0ab0370cfbe9deb03ce97ab3f6d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-393C-HWWH-9GM2
Vulnerability from github – Published: 2022-05-14 01:52 – Updated: 2025-11-25 18:32A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.
{
"affected": [],
"aliases": [
"CVE-2018-12378"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-18T13:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability can occur when an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored. This results in a potentially exploitable crash. This vulnerability affects Firefox \u003c 62, Firefox ESR \u003c 60.2, and Thunderbird \u003c 60.2.1.",
"id": "GHSA-393c-hwwh-9gm2",
"modified": "2025-11-25T18:32:14Z",
"published": "2022-05-14T01:52:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2692"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2693"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3403"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3458"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1459383"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201810-01"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-13"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3761-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3793-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4287"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4327"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-21"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-25"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105280"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041610"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-393F-4662-497F
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2023-03-01 03:30An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.
{
"affected": [],
"aliases": [
"CVE-2019-15211"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.",
"id": "GHSA-393f-4662-497f",
"modified": "2023-03-01T03:30:29Z",
"published": "2022-05-24T16:53:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15211"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c666355e60ddb4748ead3bdd983e3f7f2224aaf0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190905-0002"
},
{
"type": "WEB",
"url": "https://syzkaller.appspot.com/bug?id=775f90f43cfd6f8ac6c15251ce68e604453da226"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4115-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4118-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4145-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4147-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/08/20/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-394Q-589M-PPR4
Vulnerability from github – Published: 2023-01-17 09:30 – Updated: 2023-01-25 00:30An issue was discovered in the Arm Mali GPU Kernel Driver. There is a use-after-free. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r13p0 through r32p0, Bifrost r1p0 through r40p0, and Valhall r19p0 through r40p0.
{
"affected": [],
"aliases": [
"CVE-2022-46891"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T08:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Arm Mali GPU Kernel Driver. There is a use-after-free. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r13p0 through r32p0, Bifrost r1p0 through r40p0, and Valhall r19p0 through r40p0.",
"id": "GHSA-394q-589m-ppr4",
"modified": "2023-01-25T00:30:38Z",
"published": "2023-01-17T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46891"
},
{
"type": "WEB",
"url": "https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-396P-373F-R9VM
Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2025-02-13 18:31A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.
We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.
{
"affected": [],
"aliases": [
"CVE-2023-4244"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T14:15:11Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability in the Linux kernel\u0027s netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nDue to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.\n\nWe recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.",
"id": "GHSA-396p-373f-r9vm",
"modified": "2025-02-13T18:31:51Z",
"published": "2023-09-06T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4244"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e91b0ebd994635df2346353322ac51ce84ce6d8"
},
{
"type": "WEB",
"url": "https://kernel.dance/3e91b0ebd994635df2346353322ac51ce84ce6d8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-397Q-F49X-2C9J
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-05 18:30In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Validate data run offset
This adds sanity checks for data run offset. We should make sure data run offset is legit before trying to unpack them, otherwise we may encounter use-after-free or some unexpected memory access behaviors.
[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570 [ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240 [ 82.941670] [ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15 [ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 82.943720] Call Trace: [ 82.944204] [ 82.944471] dump_stack_lvl+0x49/0x63 [ 82.944908] print_report.cold+0xf5/0x67b [ 82.945141] ? __wait_on_bit+0x106/0x120 [ 82.945750] ? run_unpack+0x2e3/0x570 [ 82.946626] kasan_report+0xa7/0x120 [ 82.947046] ? run_unpack+0x2e3/0x570 [ 82.947280] __asan_load1+0x51/0x60 [ 82.947483] run_unpack+0x2e3/0x570 [ 82.947709] ? memcpy+0x4e/0x70 [ 82.947927] ? run_pack+0x7a0/0x7a0 [ 82.948158] run_unpack_ex+0xad/0x3f0 [ 82.948399] ? mi_enum_attr+0x14a/0x200 [ 82.948717] ? run_unpack+0x570/0x570 [ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0 [ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0 [ 82.949611] ? mi_read+0x262/0x2c0 [ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180 [ 82.950249] ntfs_iget5+0x632/0x1870 [ 82.950621] ? ntfs_get_block_bmap+0x70/0x70 [ 82.951192] ? evict+0x223/0x280 [ 82.951525] ? iput.part.0+0x286/0x320 [ 82.951969] ntfs_fill_super+0x1321/0x1e20 [ 82.952436] ? put_ntfs+0x1d0/0x1d0 [ 82.952822] ? vsprintf+0x20/0x20 [ 82.953188] ? mutex_unlock+0x81/0xd0 [ 82.953379] ? set_blocksize+0x95/0x150 [ 82.954001] get_tree_bdev+0x232/0x370 [ 82.954438] ? put_ntfs+0x1d0/0x1d0 [ 82.954700] ntfs_fs_get_tree+0x15/0x20 [ 82.955049] vfs_get_tree+0x4c/0x130 [ 82.955292] path_mount+0x645/0xfd0 [ 82.955615] ? putname+0x80/0xa0 [ 82.955955] ? finish_automount+0x2e0/0x2e0 [ 82.956310] ? kmem_cache_free+0x110/0x390 [ 82.956723] ? putname+0x80/0xa0 [ 82.957023] do_mount+0xd6/0xf0 [ 82.957411] ? path_mount+0xfd0/0xfd0 [ 82.957638] ? __kasan_check_write+0x14/0x20 [ 82.957948] __x64_sys_mount+0xca/0x110 [ 82.958310] do_syscall_64+0x3b/0x90 [ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.959341] RIP: 0033:0x7fd0d1ce948a [ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a [ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0 [ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020 [ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0 [ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff
{
"affected": [],
"aliases": [
"CVE-2022-50507"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:47Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate data run offset\n\nThis adds sanity checks for data run offset. We should make sure data\nrun offset is legit before trying to unpack them, otherwise we may\nencounter use-after-free or some unexpected memory access behaviors.\n\n[ 82.940342] BUG: KASAN: use-after-free in run_unpack+0x2e3/0x570\n[ 82.941180] Read of size 1 at addr ffff888008a8487f by task mount/240\n[ 82.941670]\n[ 82.942069] CPU: 0 PID: 240 Comm: mount Not tainted 5.19.0+ #15\n[ 82.942482] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 82.943720] Call Trace:\n[ 82.944204] \u003cTASK\u003e\n[ 82.944471] dump_stack_lvl+0x49/0x63\n[ 82.944908] print_report.cold+0xf5/0x67b\n[ 82.945141] ? __wait_on_bit+0x106/0x120\n[ 82.945750] ? run_unpack+0x2e3/0x570\n[ 82.946626] kasan_report+0xa7/0x120\n[ 82.947046] ? run_unpack+0x2e3/0x570\n[ 82.947280] __asan_load1+0x51/0x60\n[ 82.947483] run_unpack+0x2e3/0x570\n[ 82.947709] ? memcpy+0x4e/0x70\n[ 82.947927] ? run_pack+0x7a0/0x7a0\n[ 82.948158] run_unpack_ex+0xad/0x3f0\n[ 82.948399] ? mi_enum_attr+0x14a/0x200\n[ 82.948717] ? run_unpack+0x570/0x570\n[ 82.949072] ? ni_enum_attr_ex+0x1b2/0x1c0\n[ 82.949332] ? ni_fname_type.part.0+0xd0/0xd0\n[ 82.949611] ? mi_read+0x262/0x2c0\n[ 82.949970] ? ntfs_cmp_names_cpu+0x125/0x180\n[ 82.950249] ntfs_iget5+0x632/0x1870\n[ 82.950621] ? ntfs_get_block_bmap+0x70/0x70\n[ 82.951192] ? evict+0x223/0x280\n[ 82.951525] ? iput.part.0+0x286/0x320\n[ 82.951969] ntfs_fill_super+0x1321/0x1e20\n[ 82.952436] ? put_ntfs+0x1d0/0x1d0\n[ 82.952822] ? vsprintf+0x20/0x20\n[ 82.953188] ? mutex_unlock+0x81/0xd0\n[ 82.953379] ? set_blocksize+0x95/0x150\n[ 82.954001] get_tree_bdev+0x232/0x370\n[ 82.954438] ? put_ntfs+0x1d0/0x1d0\n[ 82.954700] ntfs_fs_get_tree+0x15/0x20\n[ 82.955049] vfs_get_tree+0x4c/0x130\n[ 82.955292] path_mount+0x645/0xfd0\n[ 82.955615] ? putname+0x80/0xa0\n[ 82.955955] ? finish_automount+0x2e0/0x2e0\n[ 82.956310] ? kmem_cache_free+0x110/0x390\n[ 82.956723] ? putname+0x80/0xa0\n[ 82.957023] do_mount+0xd6/0xf0\n[ 82.957411] ? path_mount+0xfd0/0xfd0\n[ 82.957638] ? __kasan_check_write+0x14/0x20\n[ 82.957948] __x64_sys_mount+0xca/0x110\n[ 82.958310] do_syscall_64+0x3b/0x90\n[ 82.958719] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 82.959341] RIP: 0033:0x7fd0d1ce948a\n[ 82.960193] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008\n[ 82.961532] RSP: 002b:00007ffe59ff69a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5\n[ 82.962527] RAX: ffffffffffffffda RBX: 0000564dcc107060 RCX: 00007fd0d1ce948a\n[ 82.963266] RDX: 0000564dcc107260 RSI: 0000564dcc1072e0 RDI: 0000564dcc10fce0\n[ 82.963686] RBP: 0000000000000000 R08: 0000564dcc107280 R09: 0000000000000020\n[ 82.964272] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564dcc10fce0\n[ 82.964785] R13: 0000564dcc107260 R14: 0000000000000000 R15: 00000000ffffffff",
"id": "GHSA-397q-f49x-2c9j",
"modified": "2026-02-05T18:30:28Z",
"published": "2025-10-04T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50507"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6db620863f8528ed9a9aa5ad323b26554a17881d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9173b89c16a603d73c434b695fe2a7a13491300f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de5e0955248ff90a2ae91e7f5c108392b52152d0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0455361d3068066a91fe18282b751925d7b5ee7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-399M-4FJ8-H7WR
Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2023-03-28 21:30Adobe Dimension versions 3.4.7 (and earlier) is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-25899"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-28T20:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Dimension versions 3.4.7 (and earlier) is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-399m-4fj8-h7wr",
"modified": "2023-03-28T21:30:19Z",
"published": "2023-03-28T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25899"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/dimension/apsb23-20.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-39CM-FRWR-45JG
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-32080"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:10Z",
"severity": "HIGH"
},
"details": "Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-39cm-frwr-45jg",
"modified": "2026-04-14T18:30:40Z",
"published": "2026-04-14T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32080"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32080"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-39JG-WQ6F-28MG
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-35981"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-39jg-wq6f-28mg",
"modified": "2022-05-24T19:11:45Z",
"published": "2022-05-24T19:11:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35981"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-51.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-39PG-X4CC-J86X
Vulnerability from github – Published: 2022-05-14 03:11 – Updated: 2022-05-14 03:11There is a use after free in radare2 2.6.0 in r_anal_bb_free() in libr/anal/bb.c via a crafted Java binary file.
{
"affected": [],
"aliases": [
"CVE-2018-12320"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-13T16:29:00Z",
"severity": "HIGH"
},
"details": "There is a use after free in radare2 2.6.0 in r_anal_bb_free() in libr/anal/bb.c via a crafted Java binary file.",
"id": "GHSA-39pg-x4cc-j86x",
"modified": "2022-05-14T03:11:16Z",
"published": "2022-05-14T03:11:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12320"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/issues/10293"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/commit/90b71c017a7fa9732fe45fd21b245ee051b1f548"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.