CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-3GH6-5QQW-C955
Vulnerability from github – Published: 2023-01-13 00:30 – Updated: 2023-01-13 00:30A Use After Free vulnerability in the kernel of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). In a Non Stop Routing (NSR) scenario, an unexpected kernel restart might be observed if "bgp auto-discovery" is enabled and if there is a BGP neighbor flap of auto-discovery sessions for any reason. This is a race condition which is outside of an attackers direct control and it depends on system internal timing whether this issue occurs. This issue affects Juniper Networks Junos OS Evolved: 21.3 versions prior to 21.3R3-EVO; 21.4 versions prior to 21.4R2-EVO; 22.1 versions prior to 22.1R2-EVO; 22.2 versions prior to 22.2R1-S1-EVO, 22.2R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2023-22402"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-13T00:15:00Z",
"severity": "MODERATE"
},
"details": "A Use After Free vulnerability in the kernel of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). In a Non Stop Routing (NSR) scenario, an unexpected kernel restart might be observed if \"bgp auto-discovery\" is enabled and if there is a BGP neighbor flap of auto-discovery sessions for any reason. This is a race condition which is outside of an attackers direct control and it depends on system internal timing whether this issue occurs. This issue affects Juniper Networks Junos OS Evolved: 21.3 versions prior to 21.3R3-EVO; 21.4 versions prior to 21.4R2-EVO; 22.1 versions prior to 22.1R2-EVO; 22.2 versions prior to 22.2R1-S1-EVO, 22.2R2-EVO.",
"id": "GHSA-3gh6-5qqw-c955",
"modified": "2023-01-13T00:30:37Z",
"published": "2023-01-13T00:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22402"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA70198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GHC-CW76-H292
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08Use after free in audio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6406"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T15:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in audio in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-3ghc-cw76-h292",
"modified": "2022-05-24T17:08:42Z",
"published": "2022-05-24T17:08:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6406"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0514"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1042254"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4638"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GM2-XQPG-6JW8
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-06 18:30Use after free in Serial in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11012"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:05Z",
"severity": "HIGH"
},
"details": "Use after free in Serial in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-3gm2-xqpg-6jw8",
"modified": "2026-06-06T18:30:22Z",
"published": "2026-06-05T00:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11012"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/497000161"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GM9-Q84V-WVVW
Vulnerability from github – Published: 2023-04-12 21:30 – Updated: 2023-04-12 21:30Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26424"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-3gm9-q84v-wvvw",
"modified": "2023-04-12T21:30:18Z",
"published": "2023-04-12T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26424"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-24.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GMX-64G9-PC2Q
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Use-after-free vulnerability in the accessibility feature in Google Chrome before 12.0.742.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
{
"affected": [],
"aliases": [
"CVE-2011-1809"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-06-09T19:55:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in the accessibility feature in Google Chrome before 12.0.742.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.",
"id": "GHSA-3gmx-64g9-pc2q",
"modified": "2022-05-13T01:26:21Z",
"published": "2022-05-13T01:26:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1809"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67892"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14692"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=75496"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/06/chrome-stable-release.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/72779"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/44829"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/48129"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3GP7-XP89-JXH5
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-05-24 17:25In reset of NuPlayerDriver.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-151643722
{
"affected": [],
"aliases": [
"CVE-2020-0242"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-11T20:15:00Z",
"severity": "HIGH"
},
"details": "In reset of NuPlayerDriver.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-151643722",
"id": "GHSA-3gp7-xp89-jxh5",
"modified": "2022-05-24T17:25:15Z",
"published": "2022-05-24T17:25:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0242"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-08-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3GQX-RV8X-9M5C
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-02-11 18:31In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix race in concurrent f2fs_stop_gc_thread
In my test case, concurrent calls to f2fs shutdown report the following stack trace:
Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85 Call Trace: ? show_regs+0x8b/0xa0 ? __die_body+0x26/0xa0 ? die_addr+0x54/0x90 ? exc_general_protection+0x24b/0x5c0 ? asm_exc_general_protection+0x26/0x30 ? kthread_stop+0x46/0x390 f2fs_stop_gc_thread+0x6c/0x110 f2fs_do_shutdown+0x309/0x3a0 f2fs_ioc_shutdown+0x150/0x1c0 __f2fs_ioctl+0xffd/0x2ac0 f2fs_ioctl+0x76/0xe0 vfs_ioctl+0x23/0x60 __x64_sys_ioctl+0xce/0xf0 x64_sys_call+0x2b1b/0x4540 do_syscall_64+0xa7/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e
The root cause is a race condition in f2fs_stop_gc_thread() called from different f2fs shutdown paths:
[CPU0] [CPU1] ---------------------- ----------------------- f2fs_stop_gc_thread f2fs_stop_gc_thread gc_th = sbi->gc_thread gc_th = sbi->gc_thread kfree(gc_th) sbi->gc_thread = NULL < gc_th != NULL > kthread_stop(gc_th->f2fs_gc_task) //UAF
The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()") attempted to fix this issue by using a read semaphore to prevent races between shutdown and remount threads, but it fails to prevent all race conditions.
Fix it by converting to write lock of s_umount in f2fs_do_shutdown().
{
"affected": [],
"aliases": [
"CVE-2024-53218"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T14:15:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix race in concurrent f2fs_stop_gc_thread\n\nIn my test case, concurrent calls to f2fs shutdown report the following\nstack trace:\n\n Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x8b/0xa0\n ? __die_body+0x26/0xa0\n ? die_addr+0x54/0x90\n ? exc_general_protection+0x24b/0x5c0\n ? asm_exc_general_protection+0x26/0x30\n ? kthread_stop+0x46/0x390\n f2fs_stop_gc_thread+0x6c/0x110\n f2fs_do_shutdown+0x309/0x3a0\n f2fs_ioc_shutdown+0x150/0x1c0\n __f2fs_ioctl+0xffd/0x2ac0\n f2fs_ioctl+0x76/0xe0\n vfs_ioctl+0x23/0x60\n __x64_sys_ioctl+0xce/0xf0\n x64_sys_call+0x2b1b/0x4540\n do_syscall_64+0xa7/0x240\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe root cause is a race condition in f2fs_stop_gc_thread() called from\ndifferent f2fs shutdown paths:\n\n [CPU0] [CPU1]\n ---------------------- -----------------------\n f2fs_stop_gc_thread f2fs_stop_gc_thread\n gc_th = sbi-\u003egc_thread\n gc_th = sbi-\u003egc_thread\n kfree(gc_th)\n sbi-\u003egc_thread = NULL\n \u003c gc_th != NULL \u003e\n kthread_stop(gc_th-\u003ef2fs_gc_task) //UAF\n\nThe commit c7f114d864ac (\"f2fs: fix to avoid use-after-free in\nf2fs_stop_gc_thread()\") attempted to fix this issue by using a read\nsemaphore to prevent races between shutdown and remount threads, but\nit fails to prevent all race conditions.\n\nFix it by converting to write lock of s_umount in f2fs_do_shutdown().",
"id": "GHSA-3gqx-rv8x-9m5c",
"modified": "2025-02-11T18:31:22Z",
"published": "2024-12-27T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53218"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60457ed6c67625c87861f96912b4179dc2293896"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/794fa8792d4eacac191f1cbcc2e81b7369e4662a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7b0033dbc48340a1c1c3f12448ba17d6587ca092"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c631207897a9b3d41167ceca58e07f8f94720e42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GR3-G4VV-XF2R
Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6423"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-13T18:15:00Z",
"severity": "MODERATE"
},
"details": "Use after free in audio in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-3gr3-g4vv-xf2r",
"modified": "2022-05-24T17:14:05Z",
"published": "2022-05-24T17:14:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6423"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1043446"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XWIVVYIQU67QR2LHNGGZBS4FZOW2RQO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFVP775RPRDVY5FUCN7ABH5AE74TQFDD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMXPDHEEACPD3BCMTC26SCCYB2ZMUOAO"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4714"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00024.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00031.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GR5-MVFP-P295
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-22 15:34Use after free in Blink in Google Chrome prior to 104.0.5112.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-2857"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-26T16:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Blink in Google Chrome prior to 104.0.5112.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-3gr5-mvfp-p295",
"modified": "2025-05-22T15:34:42Z",
"published": "2022-09-27T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2857"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1338135"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/40060030"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3GRJ-6WJ3-QGC3
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2022-05-14 03:54Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability in the Primetime SDK functionality related to the profile metadata of the media stream. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2017-3083"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-20T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability in the Primetime SDK functionality related to the profile metadata of the media stream. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-3grj-6wj3-qgc3",
"modified": "2022-05-14T03:54:32Z",
"published": "2022-05-14T03:54:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1439"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb17-17.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201707-15"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99023"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038655"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.