CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-668M-Q5H4-JFJC
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-04-23 21:31In the Linux kernel, the following vulnerability has been resolved:
ipmi: Fix use-after-free and list corruption on sender error
The analysis from Breno:
When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly:
- intf->curr_msg is not cleared, so no new message is pulled
- newmsg still points to the message, causing sender() to be called again with the same message
- If sender() fails again, deliver_err_response() is called with the same recv_msg that was already queued for delivery
This causes list_add corruption ("list_add double add") because the recv_msg is added to the user_msgs list twice. Subsequently, the corrupted list leads to use-after-free when the memory is freed and reused, and eventually a NULL pointer dereference when accessing recv_msg->done.
The buggy sequence:
sender() fails -> deliver_err_response(recv_msg) // recv_msg queued for delivery -> goto restart // curr_msg not cleared! sender() fails again (same message!) -> deliver_err_response(recv_msg) // tries to queue same recv_msg -> LIST CORRUPTION
Fix this by freeing the message and setting it to NULL on a send error. Also, always free the newmsg on a send error, otherwise it will leak.
{
"affected": [],
"aliases": [
"CVE-2026-23322"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Fix use-after-free and list corruption on sender error\n\nThe analysis from Breno:\n\nWhen the SMI sender returns an error, smi_work() delivers an error\nresponse but then jumps back to restart without cleaning up properly:\n\n1. intf-\u003ecurr_msg is not cleared, so no new message is pulled\n2. newmsg still points to the message, causing sender() to be called\n again with the same message\n3. If sender() fails again, deliver_err_response() is called with\n the same recv_msg that was already queued for delivery\n\nThis causes list_add corruption (\"list_add double add\") because the\nrecv_msg is added to the user_msgs list twice. Subsequently, the\ncorrupted list leads to use-after-free when the memory is freed and\nreused, and eventually a NULL pointer dereference when accessing\nrecv_msg-\u003edone.\n\nThe buggy sequence:\n\n sender() fails\n -\u003e deliver_err_response(recv_msg) // recv_msg queued for delivery\n -\u003e goto restart // curr_msg not cleared!\n sender() fails again (same message!)\n -\u003e deliver_err_response(recv_msg) // tries to queue same recv_msg\n -\u003e LIST CORRUPTION\n\nFix this by freeing the message and setting it to NULL on a send error.\nAlso, always free the newmsg on a send error, otherwise it will leak.",
"id": "GHSA-668m-q5h4-jfjc",
"modified": "2026-04-23T21:31:17Z",
"published": "2026-03-25T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23322"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/594c11d0e1d445f580898a2b8c850f2e3f099368"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65ff5d1e4410df05edfbeb7bf2d62f7681ce1d53"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c08ec55617cb9674a060a3392ea08391ab2a4f74"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66GF-59R4-7C5W
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows SMB Server Network Transport Driver (srvnet.sys) allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-57089"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:33Z",
"severity": "HIGH"
},
"details": "Use after free in Windows SMB Server Network Transport Driver (srvnet.sys) allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-66gf-59r4-7c5w",
"modified": "2026-07-14T18:32:39Z",
"published": "2026-07-14T18:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57089"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66JG-PPMJ-786H
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 21:32Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-11293"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T00:17:06Z",
"severity": "CRITICAL"
},
"details": "Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-66jg-ppmj-786h",
"modified": "2026-06-05T21:32:03Z",
"published": "2026-06-05T00:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11293"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/502362260"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66JP-PV2H-9X27
Vulnerability from github – Published: 2025-06-02 12:30 – Updated: 2025-06-02 15:31Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r44p0 through r49p3, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r44p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r44p0 through r49p3, from r50p0 through r54p0.
{
"affected": [],
"aliases": [
"CVE-2025-0819"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-02T11:15:21Z",
"severity": "HIGH"
},
"details": "Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r44p0 through r49p3, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r44p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r44p0 through r49p3, from r50p0 through r54p0.",
"id": "GHSA-66jp-pv2h-9x27",
"modified": "2025-06-02T15:31:21Z",
"published": "2025-06-02T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0819"
},
{
"type": "WEB",
"url": "https://developer.arm.com/documentation/110466/latest"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66MV-PJG8-2VC2
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.
{
"affected": [],
"aliases": [
"CVE-2021-21202"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-26T17:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.",
"id": "GHSA-66mv-pjg8-2vc2",
"modified": "2022-05-24T17:48:54Z",
"published": "2022-05-24T17:48:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21202"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1188889"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4906"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-66P7-VQR8-2M3V
Vulnerability from github – Published: 2026-06-09 00:33 – Updated: 2026-06-09 03:31Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-11670"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T00:16:50Z",
"severity": "HIGH"
},
"details": "Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)",
"id": "GHSA-66p7-vqr8-2m3v",
"modified": "2026-06-09T03:31:39Z",
"published": "2026-06-09T00:33:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11670"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/515469283"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66Q3-24GV-6744
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32In the Linux kernel, the following vulnerability has been resolved:
crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed.
Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak.
{
"affected": [],
"aliases": [
"CVE-2026-46075"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix potential UAF and memory leak in remove path\n\nUnregister the hwrng to prevent new -\u003eread() calls and flush the Atmel\nI2C workqueue before teardown to prevent a potential UAF if a queued\ncallback runs while the device is being removed.\n\nDrop the early return to ensure sysfs entries are removed and\n-\u003ehwrng.priv is freed, preventing a memory leak.",
"id": "GHSA-66q3-24gv-6744",
"modified": "2026-06-24T18:32:30Z",
"published": "2026-05-27T15:33:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46075"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66QH-R598-W33Q
Vulnerability from github – Published: 2024-01-08 12:30 – Updated: 2024-01-12 15:30Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.
{
"affected": [],
"aliases": [
"CVE-2023-5091"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-08T10:15:11Z",
"severity": "MODERATE"
},
"details": "Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a\u00a0local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.\n\n",
"id": "GHSA-66qh-r598-w33q",
"modified": "2024-01-12T15:30:25Z",
"published": "2024-01-08T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5091"
},
{
"type": "WEB",
"url": "https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-66R4-MRH6-VW83
Vulnerability from github – Published: 2022-05-17 03:04 – Updated: 2022-05-17 03:04The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.
{
"affected": [],
"aliases": [
"CVE-2015-8961"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-11-16T05:59:00Z",
"severity": "HIGH"
},
"details": "The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.",
"id": "GHSA-66r4-mrh6-vw83",
"modified": "2022-05-17T03:04:55Z",
"published": "2022-05-17T03:04:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8961"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/6934da9238da947628be83635e365df41064b09b"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2016-11-01.html"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6934da9238da947628be83635e365df41064b09b"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94135"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-66WW-HH28-59JG
Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 18:31In the Linux kernel, the following vulnerability has been resolved:
ath10k: Fix a use after free in ath10k_htc_send_bundle
In ath10k_htc_send_bundle, the bundle_skb could be freed by dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later by bundle_skb->len.
As skb_len = bundle_skb->len, my patch replaces bundle_skb->len to skb_len after the bundle_skb was freed.
{
"affected": [],
"aliases": [
"CVE-2021-47017"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T09:15:38Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: Fix a use after free in ath10k_htc_send_bundle\n\nIn ath10k_htc_send_bundle, the bundle_skb could be freed by\ndev_kfree_skb_any(bundle_skb). But the bundle_skb is used later\nby bundle_skb-\u003elen.\n\nAs skb_len = bundle_skb-\u003elen, my patch replaces bundle_skb-\u003elen to\nskb_len after the bundle_skb was freed.",
"id": "GHSA-66ww-hh28-59jg",
"modified": "2024-12-09T18:31:18Z",
"published": "2024-02-28T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47017"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b1ac40c6012140828caa79e592a438a18ebf71b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e413c0831ff4700d1739db3fa3ae9f859744676"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8392df5d7e0b6a7d21440da1fc259f9938f4dec3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8bb054fb336f4250002fff4e0b075221c05c3c65"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.