Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-6F4X-V88V-3F2G

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:19Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-6f4x-v88v-3f2g",
  "modified": "2026-07-14T18:32:35Z",
  "published": "2026-07-14T18:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55128"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55128"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F5Q-X637-6PRF

Vulnerability from github – Published: 2025-03-04 18:33 – Updated: 2025-03-04 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: libfc: Fix use after free in fc_exch_abts_resp()

fc_exch_release(ep) will decrease the ep's reference count. When the reference count reaches zero, it is freed. But ep is still used in the following code, which will lead to a use after free.

Return after the fc_exch_release() call to avoid use after free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:48Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix use after free in fc_exch_abts_resp()\n\nfc_exch_release(ep) will decrease the ep\u0027s reference count. When the\nreference count reaches zero, it is freed. But ep is still used in the\nfollowing code, which will lead to a use after free.\n\nReturn after the fc_exch_release() call to avoid use after free.",
  "id": "GHSA-6f5q-x637-6prf",
  "modified": "2025-03-04T18:33:25Z",
  "published": "2025-03-04T18:33:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49114"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d7effe5fff9d28e45e18ac3a564067c7ddfe898"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/271add11994ba1a334859069367e04d2be2ebdd4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/412dd8299b02e4410fe77b8396953c1a8dde183a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/499d198494e77b6533251b9b909baf5c101129cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a131d4ea8b581ac9b01d3a72754db4848be3232"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cf2ce8967b0d98c8cfa4dc42ef4fcf080f5c836"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6044ad64f41c87382cfeeca281573d1886d80cbe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87909291762d08fdb60d19069d7a89b5b308d0ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f581df412bc45c95176e3c808ee2839c05b2ab0c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F7C-929M-9RMC

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-22T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup.",
  "id": "GHSA-6f7c-929m-9rmc",
  "modified": "2022-05-13T01:27:52Z",
  "published": "2022-05-13T01:27:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11358"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14689"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ccb1ac3c8cec47fbbbf2e80ced80644005c65252"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4217"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2018-31.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104308"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F7G-G6QV-MMRW

Vulnerability from github – Published: 2023-02-22 21:30 – Updated: 2023-02-28 03:30
VLAI
Details

Use after free in Video in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Video in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-6f7g-g6qv-mmrw",
  "modified": "2023-02-28T03:30:17Z",
  "published": "2023-02-22T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0931"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/02/stable-channel-desktop-update_22.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1407701"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202309-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6F99-PPJG-WGJ7

Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21
VLAI
Details

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-18T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.",
  "id": "GHSA-6f99-ppjg-wgj7",
  "modified": "2022-05-24T19:21:02Z",
  "published": "2022-05-24T19:21:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37322"
    },
    {
      "type": "WEB",
      "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6FFW-V5JW-V335

Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

Use after free in Offline in Google Chrome on Android prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-12T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Offline in Google Chrome on Android prior to 104.0.5112.79 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via specific UI interactions.",
  "id": "GHSA-6ffw-v5jw-v335",
  "modified": "2022-08-16T00:00:24Z",
  "published": "2022-08-13T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2623"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1337798"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FGJ-HJRW-WRV5

Vulnerability from github – Published: 2023-09-14 18:32 – Updated: 2023-11-14 12:30
VLAI
Details

A vulnerability has been identified in JT2Go (All versions < V14.3.0.1), Teamcenter Visualization V13.3 (All versions < V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.6), Teamcenter Visualization V14.3 (All versions < V14.3.0.1). The affected application contains a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-20842)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T10:15:28Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in JT2Go (All versions \u003c V14.3.0.1), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.12), Teamcenter Visualization V14.0 (All versions), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.11), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.6), Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.1). The affected application contains a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-20842)",
  "id": "GHSA-6fgj-hjrw-wrv5",
  "modified": "2023-11-14T12:30:26Z",
  "published": "2023-09-14T18:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38075"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-278349.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-478780.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FH9-96WW-PVWQ

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-06-19 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: clear page->private in free_pages_prepare()

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values.

This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash:

KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T14:16:37Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: clear page-\u003eprivate in free_pages_prepare()\n\nSeveral subsystems (slub, shmem, ttm, etc.) use page-\u003eprivate but don\u0027t\nclear it before freeing pages.  When these pages are later allocated as\nhigh-order pages and split via split_page(), tail pages retain stale\npage-\u003eprivate values.\n\nThis causes a use-after-free in the swap subsystem.  The swap code uses\npage-\u003eprivate to track swap count continuations, assuming freshly\nallocated pages have page-\u003eprivate == 0.  When stale values are present,\nswap_count_continued() incorrectly assumes the continuation list is valid\nand iterates over uninitialized page-\u003elru containing LIST_POISON values,\ncausing a crash:\n\n  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]\n  RIP: 0010:__do_sys_swapoff+0x1151/0x1860\n\nFix this by clearing page-\u003eprivate in free_pages_prepare(), ensuring all\nfreed pages have clean state regardless of previous use.",
  "id": "GHSA-6fh9-96ww-pvwq",
  "modified": "2026-06-19T15:33:09Z",
  "published": "2026-05-08T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43303"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3edb8ebbf79b9016040e8f3421d723ae3d542b32"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7790ab165713b79b1617ce659742ceb3a859d05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9719e32a67b4b00b3c9b133e8b5ffa72a26b67b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FHV-H367-4JC4

Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-30 03:36
VLAI
Details

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T14:16:50Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.",
  "id": "GHSA-6fhv-h367-4jc4",
  "modified": "2026-06-30T03:36:44Z",
  "published": "2026-05-19T15:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8947"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-51"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-50"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-48"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-47"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-46"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8947.json"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479873"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2038439"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-8947"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27715"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26630"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26629"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26606"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26551"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26539"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26536"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26521"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26493"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26492"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26491"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26270"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26269"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26268"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26174"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:22643"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:22325"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21382"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21381"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21380"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6FHV-P8F6-8RJF

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-12-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL access of tx->in_use in ice_ll_ts_intr

Recent versions of the E810 firmware have support for an extra interrupt to handle report of the "low latency" Tx timestamps coming from the specialized low latency firmware interface. Instead of polling the registers, software can wait until the low latency interrupt is fired.

This logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as it uses the same "ready" bitmap to track which Tx timestamps complete.

Unfortunately, the ice_ll_ts_intr() function does not check if the tracker is initialized before its first access. This results in NULL dereference or use-after-free bugs similar to the issues fixed in the ice_ptp_ts_irq() function.

Fix this by only checking the in_use bitmap (and other fields) if the tracker is marked as initialized. The reset flow will clear the init field under lock before it tears the tracker down, thus preventing any use-after-free or NULL access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T16:15:44Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL access of tx-\u003ein_use in ice_ll_ts_intr\n\nRecent versions of the E810 firmware have support for an extra interrupt to\nhandle report of the \"low latency\" Tx timestamps coming from the\nspecialized low latency firmware interface. Instead of polling the\nregisters, software can wait until the low latency interrupt is fired.\n\nThis logic makes use of the Tx timestamp tracking structure, ice_ptp_tx, as\nit uses the same \"ready\" bitmap to track which Tx timestamps complete.\n\nUnfortunately, the ice_ll_ts_intr() function does not check if the\ntracker is initialized before its first access. This results in NULL\ndereference or use-after-free bugs similar to the issues fixed in the\nice_ptp_ts_irq() function.\n\nFix this by only checking the in_use bitmap (and other fields) if the\ntracker is marked as initialized. The reset flow will clear the init field\nunder lock before it tears the tracker down, thus preventing any\nuse-after-free or NULL access.",
  "id": "GHSA-6fhv-p8f6-8rjf",
  "modified": "2025-12-12T21:31:32Z",
  "published": "2025-09-22T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39854"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2cde98a02da958357fe240a6ba269b69d913b6ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/923c267bdbb64f65bc1149d184efcf8b047d7d64"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6486338fde3f04ed0ec59fe67a69a208c32734f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.