CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-65X4-MV56-GF8M
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.
Based on Martin KaFai Lau's suggestions, I have created a simple patch.
To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.
Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:
static void bpf_shim_tramp_link_release(struct bpf_link link) { / ... */ if (!shim_link->trampoline) return;
- msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); }
Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.
{
"affected": [],
"aliases": [
"CVE-2026-23319"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when \u0027bpf_link_put\u0027 reduces the\nrefcount of \u0027shim_link-\u003elink.link\u0027 to zero, the resource is considered\nreleased but may still be referenced via \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027cgroup_shim_find\u0027. The actual cleanup of \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027bpf_shim_tramp_link_release\u0027 is deferred. During this window, another\nprocess can cause a use-after-free via \u0027bpf_trampoline_link_cgroup_shim\u0027.\n\nBased on Martin KaFai Lau\u0027s suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in \u0027bpf_trampoline_link_cgroup_shim\u0027.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n \u0027bpf_shim_tramp_link_release\u0027 to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link-\u003etrampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026shim_link-\u003elink,\n\t\tshim_link-\u003etrampoline, NULL));\n\tbpf_trampoline_put(shim_link-\u003etrampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM\u0027s report.\nAfter the patch, the bug no longer occurs even after millions of\niterations.",
"id": "GHSA-65x4-mv56-gf8m",
"modified": "2026-07-14T15:31:41Z",
"published": "2026-03-25T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23319"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-65X6-QQ63-M88G
Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 18:31In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix a use after free in siw_alloc_mr
Our code analyzer reported a UAF.
In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).
My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the uaf.
{
"affected": [],
"aliases": [
"CVE-2021-47012"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T09:15:38Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr-\u003emem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr-\u003emem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr-\u003emem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr-\u003emem = mem\" behind the if (xa_alloc_cyclic(..)\u003c0) {}\nsection, to avoid the uaf.",
"id": "GHSA-65x6-qq63-m88g",
"modified": "2024-12-09T18:31:18Z",
"published": "2024-02-28T09:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47012"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-65X7-C272-7G7R
Vulnerability from github – Published: 2024-03-05 16:26 – Updated: 2024-03-06 21:57Impact
A heap-use-after-free flaw was found in ImageSharp's InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure.
Patches
The problem has been patched. All users are advised to upgrade to v3.1.3 or v2.1.7.
Workarounds
None
References
None
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "SixLabors.ImageSharp"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "SixLabors.ImageSharp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27929"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-05T16:26:15Z",
"nvd_published_at": "2024-03-05T17:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\nA heap-use-after-free flaw was found in ImageSharp\u0027s InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure.\n\n### Patches\nThe problem has been patched. All users are advised to upgrade to v3.1.3 or v2.1.7.\n\n### Workarounds\nNone\n\n### References\nNone\n",
"id": "GHSA-65x7-c272-7g7r",
"modified": "2024-03-06T21:57:21Z",
"published": "2024-03-05T16:26:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-65x7-c272-7g7r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27929"
},
{
"type": "WEB",
"url": "https://github.com/SixLabors/ImageSharp/pull/2688"
},
{
"type": "PACKAGE",
"url": "https://github.com/SixLabors/ImageSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use After Free in SixLabors.ImageSharp"
}
GHSA-65X9-X5M2-CP2G
Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2025-04-20 03:37In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.
{
"affected": [],
"aliases": [
"CVE-2017-8895"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-10T21:29:00Z",
"severity": "CRITICAL"
},
"details": "In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.",
"id": "GHSA-65x9-x5m2-cp2g",
"modified": "2025-04-20T03:37:26Z",
"published": "2022-05-13T01:07:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8895"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42282"
},
{
"type": "WEB",
"url": "https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98386"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038561"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-662R-59MF-5FXR
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
{
"affected": [],
"aliases": [
"CVE-2020-15673"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-01T19:15:00Z",
"severity": "HIGH"
},
"details": "Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3.",
"id": "GHSA-662r-59mf-5fxr",
"modified": "2022-05-24T17:29:55Z",
"published": "2022-05-24T17:29:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15673"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1648493%2C1660800"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202010-02"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4770"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-42"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-43"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-44"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-663R-JP8J-QR4Q
Vulnerability from github – Published: 2022-11-30 00:30 – Updated: 2022-12-02 00:30Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2022-4194"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-30T00:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-663r-jp8j-qr4q",
"modified": "2022-12-02T00:30:25Z",
"published": "2022-11-30T00:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4194"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1370562"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-10"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-664H-5FQ8-8969
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Use after free in lzma_decompress_buf function in stream.c in Irzip 0.631 allows attackers to cause Denial of Service (DoS) via a crafted compressed file.
{
"affected": [],
"aliases": [
"CVE-2021-27347"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T16:15:00Z",
"severity": "MODERATE"
},
"details": "Use after free in lzma_decompress_buf function in stream.c in Irzip 0.631 allows attackers to cause Denial of Service (DoS) via a crafted compressed file.",
"id": "GHSA-664h-5fq8-8969",
"modified": "2022-05-24T19:04:51Z",
"published": "2022-05-24T19:04:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27347"
},
{
"type": "WEB",
"url": "https://github.com/ckolivas/lrzip/issues/165"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6658-6G59-7RQJ
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-05-24 17:05In ih264d_init_decoder of ih264d_api.c, there is a possible out of bounds write due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142602711
{
"affected": [],
"aliases": [
"CVE-2020-0002"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-08T19:15:00Z",
"severity": "HIGH"
},
"details": "In ih264d_init_decoder of ih264d_api.c, there is a possible out of bounds write due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142602711",
"id": "GHSA-6658-6g59-7rqj",
"modified": "2022-05-24T17:05:53Z",
"published": "2022-05-24T17:05:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0002"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-01-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-01-04"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6676-52PP-H5FG
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
{
"affected": [],
"aliases": [
"CVE-2020-29569"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-15T17:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring-\u003exenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.",
"id": "GHSA-6676-52pp-h5fg",
"modified": "2022-05-24T17:36:34Z",
"published": "2022-05-24T17:36:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29569"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-30"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210205-0001"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4843"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-350.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6684-J5CX-Q9QW
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
fs/buffer: fix use-after-free when call bh_read() helper
There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x2c/0x390 print_report+0xb4/0x270 kasan_report+0xb8/0xf0 end_buffer_read_sync+0xe3/0x110 end_bio_bh_io_sync+0x56/0x80 blk_update_request+0x30a/0x720 scsi_end_request+0x51/0x2b0 scsi_io_completion+0xe3/0x480 ? scsi_device_unbusy+0x11e/0x160 blk_complete_reqs+0x7b/0x90 handle_softirqs+0xef/0x370 irq_exit_rcu+0xa5/0xd0 sysvec_apic_timer_interrupt+0x6e/0x90
Above issue happens when do ntfs3 filesystem mount, issue may happens as follows: mount IRQ ntfs_fill_super read_cache_page do_read_cache_folio filemap_read_folio mpage_read_folio do_mpage_readpage ntfs_get_block_vbo bh_read submit_bh wait_on_buffer(bh); blk_complete_reqs scsi_io_completion scsi_end_request blk_update_request end_bio_bh_io_sync end_buffer_read_sync __end_buffer_read_notouch unlock_buffer
wait_on_buffer(bh);--> return will return to caller
put_bh
--> trigger stack-out-of-bounds
In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun.
If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().
{
"affected": [],
"aliases": [
"CVE-2025-39691"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/buffer: fix use-after-free when call bh_read() helper\n\nThere\u0027s issue as follows:\nBUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110\nRead of size 8 at addr ffffc9000168f7f8 by task swapper/3/0\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb4/0x270\n kasan_report+0xb8/0xf0\n end_buffer_read_sync+0xe3/0x110\n end_bio_bh_io_sync+0x56/0x80\n blk_update_request+0x30a/0x720\n scsi_end_request+0x51/0x2b0\n scsi_io_completion+0xe3/0x480\n ? scsi_device_unbusy+0x11e/0x160\n blk_complete_reqs+0x7b/0x90\n handle_softirqs+0xef/0x370\n irq_exit_rcu+0xa5/0xd0\n sysvec_apic_timer_interrupt+0x6e/0x90\n \u003c/IRQ\u003e\n\n Above issue happens when do ntfs3 filesystem mount, issue may happens\n as follows:\n mount IRQ\nntfs_fill_super\n read_cache_page\n do_read_cache_folio\n filemap_read_folio\n mpage_read_folio\n\t do_mpage_readpage\n\t ntfs_get_block_vbo\n\t bh_read\n\t submit_bh\n\t wait_on_buffer(bh);\n\t blk_complete_reqs\n\t\t\t\t scsi_io_completion\n\t\t\t\t scsi_end_request\n\t\t\t\t blk_update_request\n\t\t\t\t end_bio_bh_io_sync\n\t\t\t\t\t end_buffer_read_sync\n\t\t\t\t\t __end_buffer_read_notouch\n\t\t\t\t\t unlock_buffer\n\n wait_on_buffer(bh);--\u003e return will return to caller\n\n\t\t\t\t\t put_bh\n\t\t\t\t\t --\u003e trigger stack-out-of-bounds\nIn the mpage_read_folio() function, the stack variable \u0027map_bh\u0027 is\npassed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and\nwait_on_buffer() returns to continue processing, the stack variable\nis likely to be reclaimed. Consequently, during the end_buffer_read_sync()\nprocess, calling put_bh() may result in stack overrun.\n\nIf the bh is not allocated on the stack, it belongs to a folio. Freeing\na buffer head which belongs to a folio is done by drop_buffers() which\nwill fail to free buffers which are still locked. So it is safe to call\nput_bh() before __end_buffer_read_notouch().",
"id": "GHSA-6684-j5cx-q9qw",
"modified": "2026-07-14T15:31:27Z",
"published": "2025-09-05T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39691"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/03b40bf5d0389ca23ae6857ee25789f0e0b47ce8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/042cf48ecf67f72c8b3846c7fac678f472712ff3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3169edb8945c295cf89120fc6b2c35cfe3ad4c9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/70a09115da586bf662c3bae9c0c4a1b99251fad9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90b5193edb323fefbee0e4e5bc39ed89dcc37719"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5aa6ba1127307ab5dc3773eaf40d73a3423841f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.