CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-768V-PQ77-R3JH
Vulnerability from github – Published: 2023-08-08 12:30 – Updated: 2024-04-04 06:38A vulnerability has been identified in JT2Go (All versions < V14.2.0.5), Solid Edge SE2022 (All versions < V222.0 Update 13), Solid Edge SE2023 (All versions < V223.0 Update 4), Teamcenter Visualization V13.2 (All versions < V13.2.0.15), Teamcenter Visualization V13.3 (All versions < V13.3.0.11), Teamcenter Visualization V14.1 (All versions < V14.1.0.11), Teamcenter Visualization V14.2 (All versions < V14.2.0.5). The affected application contains a use-after-free vulnerability that could be triggered while parsing specially crafted ASM file. An attacker could leverage this vulnerability to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2023-28830"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T10:15:14Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in JT2Go (All versions \u003c V14.2.0.5), Solid Edge SE2022 (All versions \u003c V222.0 Update 13), Solid Edge SE2023 (All versions \u003c V223.0 Update 4), Teamcenter Visualization V13.2 (All versions \u003c V13.2.0.15), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.11), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.11), Teamcenter Visualization V14.2 (All versions \u003c V14.2.0.5). The affected application contains a use-after-free vulnerability that could be triggered while parsing specially crafted ASM file. An attacker could leverage this vulnerability to execute code in the context of the current process.",
"id": "GHSA-768v-pq77-r3jh",
"modified": "2024-04-04T06:38:41Z",
"published": "2023-08-08T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28830"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-131450.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7696-7RQF-77FC
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 15:35Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-13855"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:16:59Z",
"severity": "HIGH"
},
"details": "Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-7696-7rqf-77fc",
"modified": "2026-07-01T15:35:01Z",
"published": "2026-07-01T00:34:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13855"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/524395469"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-769C-MXG2-6MP2
Vulnerability from github – Published: 2023-07-06 15:30 – Updated: 2024-04-04 05:26Use After Free (UAF) vulnerability in the Vdecoderservice service. Successful exploitation of this vulnerability may cause the image decoding feature to perform abnormally.
{
"affected": [],
"aliases": [
"CVE-2022-48512"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T13:15:10Z",
"severity": "CRITICAL"
},
"details": "Use After Free (UAF) vulnerability in the Vdecoderservice service. Successful exploitation of this vulnerability may cause the image decoding feature to perform abnormally.",
"id": "GHSA-769c-mxg2-6mp2",
"modified": "2024-04-04T05:26:09Z",
"published": "2023-07-06T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48512"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/7"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202307-0000001587168858"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76F4-3487-46JF
Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-19 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk
Smatch detected a potential use-after-free of an ndlp oject in dev_loss_tmo_callbk during driver unload or fatal error handling.
Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed.
{
"affected": [],
"aliases": [
"CVE-2025-38289"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T08:15:27Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk\n\nSmatch detected a potential use-after-free of an ndlp oject in\ndev_loss_tmo_callbk during driver unload or fatal error handling.\n\nFix by reordering code to avoid potential use-after-free if initial\nnodelist reference has been previously removed.",
"id": "GHSA-76f4-3487-46jf",
"modified": "2025-11-19T21:31:15Z",
"published": "2025-07-10T09:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38289"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4f09940b5581e44069eb31a66cf7f05c3c35ed04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5162bb6aa1ec04dff4509b025883524b6d7e7ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea405fb4144985d5c60f49c2abd9ba47ea44fdb4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76F5-923V-9JC3
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 18:30In the Linux kernel, the following vulnerability has been resolved:
media: netup_unidvb: fix use-after-free at del_timer()
When Universal DVB card is detaching, netup_unidvb_dma_fini() uses del_timer() to stop dma->timeout timer. But when timer handler netup_unidvb_dma_timeout() is running, del_timer() could not stop it. As a result, the use-after-free bug could happen. The process is shown below:
(cleanup routine) | (timer routine)
| mod_timer(&dev->tx_sim_timer, ..)
netup_unidvb_finidev() | (wait a time) netup_unidvb_dma_fini() | netup_unidvb_dma_timeout() del_timer(&dma->timeout); | | ndev->pci_dev->dev //USE
Fix by changing del_timer() to del_timer_sync().
{
"affected": [],
"aliases": [
"CVE-2023-53219"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:48Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: netup_unidvb: fix use-after-free at del_timer()\n\nWhen Universal DVB card is detaching, netup_unidvb_dma_fini()\nuses del_timer() to stop dma-\u003etimeout timer. But when timer\nhandler netup_unidvb_dma_timeout() is running, del_timer()\ncould not stop it. As a result, the use-after-free bug could\nhappen. The process is shown below:\n\n (cleanup routine) | (timer routine)\n | mod_timer(\u0026dev-\u003etx_sim_timer, ..)\nnetup_unidvb_finidev() | (wait a time)\n netup_unidvb_dma_fini() | netup_unidvb_dma_timeout()\n del_timer(\u0026dma-\u003etimeout); |\n | ndev-\u003epci_dev-\u003edev //USE\n\nFix by changing del_timer() to del_timer_sync().",
"id": "GHSA-76f5-923v-9jc3",
"modified": "2025-12-03T18:30:20Z",
"published": "2025-09-15T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53219"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/051af3f0b7d1cd8ab7f3e2523ad8ae1af44caba3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07821524f67bf920342bc84ae8b3dea2a315a89e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f5bb36bf9b39a2a96e730bf4455095b50713f63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1550bcf2983ae1220cc8ab899a39a423fa7cb523"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90229e9ee957d4514425e4a4d82c50ab5d57ac4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c8f9c05e1ebcc9c7bc211cc8b74d8fb86a8756fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd5c77814f290b353917df329f36de1472d47154"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f9982db735a8495eee14267cf193c806b957e942"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76GM-3X2J-87HP
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Remote Desktop Client Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43599"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:27Z",
"severity": "HIGH"
},
"details": "Remote Desktop Client Remote Code Execution Vulnerability",
"id": "GHSA-76gm-3x2j-87hp",
"modified": "2024-10-08T18:33:17Z",
"published": "2024-10-08T18:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43599"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43599"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76GM-Q7XQ-V743
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/fluid_sffile.c that can result in arbitrary code execution or a denial of service (DoS) if a malicious soundfont2 file is loaded into a fluidsynth library.
{
"affected": [],
"aliases": [
"CVE-2021-28421"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-13T14:15:00Z",
"severity": null
},
"details": "FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/fluid_sffile.c that can result in arbitrary code execution or a denial of service (DoS) if a malicious soundfont2 file is loaded into a fluidsynth library.",
"id": "GHSA-76gm-q7xq-v743",
"modified": "2022-05-24T17:47:23Z",
"published": "2022-05-24T17:47:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28421"
},
{
"type": "WEB",
"url": "https://github.com/FluidSynth/fluidsynth/issues/808"
},
{
"type": "WEB",
"url": "https://github.com/FluidSynth/fluidsynth/pull/810"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00027.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-76HW-GX4C-XC29
Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-11-12 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue
When the task management thread processes reply queues while the reset thread resets them, the task management thread accesses an invalid queue ID (0xFFFF), set by the reset thread, which points to unallocated memory, causing a crash.
Add flag 'io_admin_reset_sync' to synchronize access between the reset, I/O, and admin threads. Before a reset, the reset handler sets this flag to block I/O and admin processing threads. If any thread bypasses the initial check, the reset thread waits up to 10 seconds for processing to finish. If the wait exceeds 10 seconds, the controller is marked as unrecoverable.
{
"affected": [],
"aliases": [
"CVE-2025-37861"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-09T07:16:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue\n\nWhen the task management thread processes reply queues while the reset\nthread resets them, the task management thread accesses an invalid queue ID\n(0xFFFF), set by the reset thread, which points to unallocated memory,\ncausing a crash.\n\nAdd flag \u0027io_admin_reset_sync\u0027 to synchronize access between the reset,\nI/O, and admin threads. Before a reset, the reset handler sets this flag to\nblock I/O and admin processing threads. If any thread bypasses the initial\ncheck, the reset thread waits up to 10 seconds for processing to finish. If\nthe wait exceeds 10 seconds, the controller is marked as unrecoverable.",
"id": "GHSA-76hw-gx4c-xc29",
"modified": "2025-11-12T21:31:02Z",
"published": "2025-05-09T09:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37861"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65ba18c84dbd03afe9b38c06c151239d97a09834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/75b67dca4195e11ccf966a704787b2aa2754a457"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d310d66e2b0f5f9f709764641647e8a3a4924fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f195fc060c738d303a21fae146dbf85e1595fb4c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76MX-8CHC-6M73
Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2022-12-15 15:32In setDataSource of initMediaExtractor.cpp, there is a possibility of arbitrary code execution due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-245242273
{
"affected": [],
"aliases": [
"CVE-2022-20496"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T16:15:00Z",
"severity": "MODERATE"
},
"details": "In setDataSource of initMediaExtractor.cpp, there is a possibility of arbitrary code execution due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-245242273",
"id": "GHSA-76mx-8chc-6m73",
"modified": "2022-12-15T15:32:13Z",
"published": "2022-12-13T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20496"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-76P3-3V32-9XXH
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-06 15:30In the Linux kernel, the following vulnerability has been resolved:
fs/mbcache: cancel shrink work before destroying the cache
mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first.
If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free.
This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.
Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.
{
"affected": [],
"aliases": [
"CVE-2026-53129"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/mbcache: cancel shrink work before destroying the cache\n\nmb_cache_destroy() calls shrinker_free() and then frees all cache\nentries and the cache itself, but it does not cancel the pending\nc_shrink_work work item first.\n\nIf mb_cache_entry_create() schedules c_shrink_work via schedule_work()\nand the work item is still pending or running when mb_cache_destroy()\nruns, mb_cache_shrink_worker() will access the cache after its memory\nhas been freed, causing a use-after-free.\n\nThis is only reachable by a privileged user (root or CAP_SYS_ADMIN)\nwho can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.\n\nCancel the work item with cancel_work_sync() before calling\nshrinker_free(), ensuring the worker has finished and will not be\nrescheduled before the cache is torn down.",
"id": "GHSA-76p3-3v32-9xxh",
"modified": "2026-07-06T15:30:41Z",
"published": "2026-06-24T18:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53129"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e4eff315d799f5842b95872199b0f0fb8ef5f51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a88d39a74a208e197c03bffaa2df34de732af19f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b25fd3523bef88fb7ffd4c5b63bbe9c08f73bb4c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d227786ab1119669df4dc333a61510c52047cce4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.