CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-6P7P-7664-CQRJ
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-12-17 18:33Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200. A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.
{
"affected": [],
"aliases": [
"CVE-2019-13511"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier contain an INFORMATION EXPOSURE CWE-200. A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.",
"id": "GHSA-6p7p-7664-cqrj",
"modified": "2024-12-17T18:33:39Z",
"published": "2022-05-24T16:53:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13511"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-213-05"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-810"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-811"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-812"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-813"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6P7X-C5RV-9W7V
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf).
If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe().
The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
{
"affected": [],
"aliases": [
"CVE-2026-31474"
],
"database_specific": {
"cwe_ids": [
"CWE-364",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:44Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix tx.buf use-after-free in isotp_sendmsg()\n\nisotp_sendmsg() uses only cmpxchg() on so-\u003etx.state to serialize access\nto so-\u003etx.buf. isotp_release() waits for ISOTP_IDLE via\nwait_event_interruptible() and then calls kfree(so-\u003etx.buf).\n\nIf a signal interrupts the wait_event_interruptible() inside close()\nwhile tx.state is ISOTP_SENDING, the loop exits early and release\nproceeds to force ISOTP_SHUTDOWN and continues to kfree(so-\u003etx.buf)\nwhile sendmsg may still be reading so-\u003etx.buf for the final CAN frame\nin isotp_fill_dataframe().\n\nThe so-\u003etx.buf can be allocated once when the standard tx.buf length needs\nto be extended. Move the kfree() of this potentially extended tx.buf to\nsk_destruct time when either isotp_sendmsg() and isotp_release() are done.",
"id": "GHSA-6p7x-c5rv-9w7v",
"modified": "2026-06-30T03:36:22Z",
"published": "2026-04-22T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31474"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-31474"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460646"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e62e7051eca75a7f2e3d52d62ec10d7d7aa358c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/424e95d62110cdbc8fd12b40918f37e408e35a92"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9649d051e54413049c009638ec1dc23962c884a4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb3d6efa78460e6d50bf68806d0db66265709f64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eec8a1b18a79600bd4419079dc0026c1db72a830"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31474.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6P82-V9W6-85GX
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.
{
"affected": [],
"aliases": [
"CVE-2018-19364"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-13T19:29:00Z",
"severity": "MODERATE"
},
"details": "hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.",
"id": "GHSA-6p82-v9w6-85gx",
"modified": "2022-05-13T01:26:37Z",
"published": "2022-05-13T01:26:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19364"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CGCFIFSIWUREEQQOZDZFBYKWZHXCWBZN"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg01139.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg02795.html"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/76"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3826-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4454"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00042.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/11/20/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6P8X-V4M8-8PVG
Vulnerability from github – Published: 2022-05-14 01:06 – Updated: 2022-05-14 01:06In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.
{
"affected": [],
"aliases": [
"CVE-2017-17670"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-15T09:29:00Z",
"severity": "HIGH"
},
"details": "In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.",
"id": "GHSA-6p8x-v4m8-8pvg",
"modified": "2022-05-14T01:06:24Z",
"published": "2022-05-14T01:06:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17670"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4203"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/12/15/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102214"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040938"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PF8-H7C8-42FV
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-28 18:30In the Linux kernel, the following vulnerability has been resolved:
cxl/port: Fix use after free of parent_port in cxl_detach_ep()
cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the port and its parent, removes the endpoint, and if the port is now empty, marks it dead and unregisters the port by calling delete_switch_port(). There are two places during this work where the parent_port may be used after freeing:
First, a concurrent detach may have already processed a port by the time a second worker finds it via bus_find_device(). Without pinning parent_port, it may already be freed when we discover port->dead and attempt to unlock the parent_port. In a production kernel that's a silent memory corruption, with lock debug, it looks like this:
[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current()) []WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310 []Call Trace: []mutex_unlock+0xd/0x20 []cxl_detach_ep+0x180/0x400 [cxl_core] []devm_action_release+0x10/0x20 []devres_release_all+0xa8/0xe0 []device_unbind_cleanup+0xd/0xa0 []really_probe+0x1a6/0x3e0
Second, delete_switch_port() releases three devm actions registered against parent_port. The last of those is unregister_port() and it calls device_unregister() on the child port, which can cascade. If parent_port is now also empty the device core may unregister and free it too. So by the time delete_switch_port() returns, parent_port may be free, and the subsequent device_unlock(&parent_port->dev) operates on freed memory. The kernel log looks same as above, with a different offset in cxl_detach_ep().
Both of these issues stem from the absence of a lifetime guarantee between a child port and its parent port.
Establish a lifetime rule for ports: child ports hold a reference to their parent device until release. Take the reference when the port is allocated and drop it when released. This ensures the parent is valid for the full lifetime of the child and eliminates the use after free window in cxl_detach_ep().
This is easily reproduced with a reload of cxl_acpi in QEMU with CXL devices present.
{
"affected": [],
"aliases": [
"CVE-2026-31530"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:53Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix use after free of parent_port in cxl_detach_ep()\n\ncxl_detach_ep() is called during bottom-up removal when all CXL memory\ndevices beneath a switch port have been removed. For each port in the\nhierarchy it locks both the port and its parent, removes the endpoint,\nand if the port is now empty, marks it dead and unregisters the port\nby calling delete_switch_port(). There are two places during this work\nwhere the parent_port may be used after freeing:\n\nFirst, a concurrent detach may have already processed a port by the\ntime a second worker finds it via bus_find_device(). Without pinning\nparent_port, it may already be freed when we discover port-\u003edead and\nattempt to unlock the parent_port. In a production kernel that\u0027s a\nsilent memory corruption, with lock debug, it looks like this:\n\n[]DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())\n[]WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310\n[]Call Trace:\n[]mutex_unlock+0xd/0x20\n[]cxl_detach_ep+0x180/0x400 [cxl_core]\n[]devm_action_release+0x10/0x20\n[]devres_release_all+0xa8/0xe0\n[]device_unbind_cleanup+0xd/0xa0\n[]really_probe+0x1a6/0x3e0\n\nSecond, delete_switch_port() releases three devm actions registered\nagainst parent_port. The last of those is unregister_port() and it\ncalls device_unregister() on the child port, which can cascade. If\nparent_port is now also empty the device core may unregister and free\nit too. So by the time delete_switch_port() returns, parent_port may\nbe free, and the subsequent device_unlock(\u0026parent_port-\u003edev) operates\non freed memory. The kernel log looks same as above, with a different\noffset in cxl_detach_ep().\n\nBoth of these issues stem from the absence of a lifetime guarantee\nbetween a child port and its parent port.\n\nEstablish a lifetime rule for ports: child ports hold a reference to\ntheir parent device until release. Take the reference when the port\nis allocated and drop it when released. This ensures the parent is\nvalid for the full lifetime of the child and eliminates the use after\nfree window in cxl_detach_ep().\n\nThis is easily reproduced with a reload of cxl_acpi in QEMU with CXL\ndevices present.",
"id": "GHSA-6pf8-h7c8-42fv",
"modified": "2026-04-28T18:30:30Z",
"published": "2026-04-22T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31530"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19d2f0b97a131198efc2c4ca3eb7f980bba8c2b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2c32141462045cf93d54a5146a0ba572b83533dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d216a4bd138eb57cc4ae7c43b2f709e3482af7e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7dc6f381a1e5f068333f1faa9265d6af1df4235"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PM7-78W9-HJ44
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18Use-after-free vulnerability in the js::gc::MapAllocToTraceKind function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2012-3963"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-08-29T10:56:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the js::gc::MapAllocToTraceKind function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code via unspecified vectors.",
"id": "GHSA-6pm7-78w9-hj44",
"modified": "2022-05-13T01:18:01Z",
"published": "2022-05-13T01:18:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3963"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=762280"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16437"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00028.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00011.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00014.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1210.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1211.html"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2012/mfsa2012-58.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/55340"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1548-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1548-2"
},
{
"type": "WEB",
"url": "http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6PMG-H497-CQ5Q
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
{
"affected": [],
"aliases": [
"CVE-2017-16943"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-25T17:29:00Z",
"severity": "CRITICAL"
},
"details": "The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.",
"id": "GHSA-6pmg-h497-cq5q",
"modified": "2022-05-13T01:10:22Z",
"published": "2022-05-13T01:10:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16943"
},
{
"type": "WEB",
"url": "https://bugs.exim.org/show_bug.cgi?id=2199"
},
{
"type": "WEB",
"url": "https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde"
},
{
"type": "WEB",
"url": "https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4"
},
{
"type": "WEB",
"url": "https://github.com/LetUsFsck/PoC-Exploit-Mirror/tree/master/CVE-2017-16944"
},
{
"type": "WEB",
"url": "https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4053"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/25/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/25/2"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/11/25/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/04/7"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039872"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PQ8-4F7J-WCW6
Vulnerability from github – Published: 2023-04-21 00:30 – Updated: 2023-04-21 00:30This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker 70.3-35220. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of the SMB directory query command. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19845.
{
"affected": [],
"aliases": [
"CVE-2023-27352"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-20T22:15:07Z",
"severity": "HIGH"
},
"details": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker 70.3-35220. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of the SMB directory query command. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19845.",
"id": "GHSA-6pq8-4f7j-wcw6",
"modified": "2023-04-21T00:30:21Z",
"published": "2023-04-21T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27352"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-447"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PV3-4577-4J8M
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2026-20952"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:22Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.",
"id": "GHSA-6pv3-4577-4j8m",
"modified": "2026-01-13T18:31:11Z",
"published": "2026-01-13T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20952"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PWW-M6H5-JFM6
Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: Fix UAF on iso_sock_timeout
conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock so this checks if the conn->sk is still valid by checking if it part of iso_sk_list.
{
"affected": [],
"aliases": [
"CVE-2024-50124"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T18:15:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix UAF on iso_sock_timeout\n\nconn-\u003esk maybe have been unlinked/freed while waiting for iso_conn_lock\nso this checks if the conn-\u003esk is still valid by checking if it part of\niso_sk_list.",
"id": "GHSA-6pww-m6h5-jfm6",
"modified": "2025-11-04T00:31:55Z",
"published": "2024-11-05T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50124"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14bcb721d241e62fdd18f6f434a2ed2ab6e71a9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/246b435ad668596aa0e2bbb9d491b6413861211a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/876ac72d535fa94f4ac57bba651987c6f990f646"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d75aad1d3143ca68cda52ff80ac392e1bbd84325"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.