Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-7797-6FVM-V8XW

Vulnerability from github – Published: 2023-05-16 21:30 – Updated: 2025-05-05 18:32
VLAI
Details

Use after free in DevTools in Google Chrome prior to 113.0.5672.126 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-16T19:15:09Z",
    "severity": "HIGH"
  },
  "details": "Use after free in DevTools in Google Chrome prior to 113.0.5672.126 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-7797-6fvm-v8xw",
  "modified": "2025-05-05T18:32:39Z",
  "published": "2023-05-16T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2723"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_16.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1435166"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73XUIHJ6UT75VFPDPLJOXJON7MVIKVZI"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXFL4TDAH72PRCPD5UPZMJMKIMVOPLTI"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202309-17"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5404"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-779G-8Q6V-4G8G

Vulnerability from github – Published: 2023-01-10 21:30 – Updated: 2023-01-13 15:30
VLAI
Details

Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-779g-8q6v-4g8g",
  "modified": "2023-01-13T15:30:26Z",
  "published": "2023-01-10T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0128"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1353208"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-10"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77CG-92PR-V53H

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:55Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-77cg-92pr-v53h",
  "modified": "2025-10-14T18:30:33Z",
  "published": "2025-10-14T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58733"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58733"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77CR-6GR8-7RR9

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-10-02 15:17
VLAI
Summary
Use After Free in HashiCorp Nomad
Details

HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/nomad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/nomad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/nomad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-27195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T21:58:02Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6",
  "id": "GHSA-77cr-6gr8-7rr9",
  "modified": "2023-10-02T15:17:55Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/issues/9129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/pull/9139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0126-october-21-2020"
    },
    {
      "type": "PACKAGE",
      "url": "https://pkg.go.dev/github.com/hashicorp/nomad/client/allocrunner/taskrunner/template"
    },
    {
      "type": "WEB",
      "url": "https://www.nomadproject.io/downloads"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use After Free in HashiCorp Nomad"
}

GHSA-77H3-779X-V4X3

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-02-26 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency

Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T16:16:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency\n\nUnder high concurrency, A tree-connection object (tcon) is freed on\na disconnect path while another path still holds a reference and later\nexecutes *_put()/write on it.",
  "id": "GHSA-77h3-779x-v4x3",
  "modified": "2026-02-26T21:31:26Z",
  "published": "2026-01-13T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68817"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77HV-RQC3-4GM6

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2025-11-04 00:31
VLAI
Details

An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:03Z",
    "severity": "HIGH"
  },
  "details": "An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. This vulnerability affects Firefox \u003c 132, Firefox ESR \u003c 128.4, Firefox ESR \u003c 115.17, Thunderbird \u003c 128.4, and Thunderbird \u003c 132.",
  "id": "GHSA-77hv-rqc3-4gm6",
  "modified": "2025-11-04T00:31:53Z",
  "published": "2024-10-29T15:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10459"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1919087"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-55"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-56"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-57"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-58"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77HV-X6Q3-C6J4

Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32
VLAI
Details

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T21:17:21Z",
    "severity": "HIGH"
  },
  "details": "Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-77hv-x6q3-c6j4",
  "modified": "2026-06-09T21:32:38Z",
  "published": "2026-06-09T21:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47919"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb26-63.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77JH-978M-WQHM

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-06-30 03:36
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

writeback: Fix use after free in inode_switch_wbs_work_fn()

inode_switch_wbs_work_fn() has a loop like:

wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); / Nothing to do? / if (!list) break; ... process the items ... }

Now adding of items to the list looks like:

wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T14:16:20Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: Fix use after free in inode_switch_wbs_work_fn()\n\ninode_switch_wbs_work_fn() has a loop like:\n\n  wb_get(new_wb);\n  while (1) {\n    list = llist_del_all(\u0026new_wb-\u003eswitch_wbs_ctxs);\n    /* Nothing to do? */\n    if (!list)\n      break;\n    ... process the items ...\n  }\n\nNow adding of items to the list looks like:\n\nwb_queue_isw()\n  if (llist_add(\u0026isw-\u003elist, \u0026wb-\u003eswitch_wbs_ctxs))\n    queue_work(isw_wq, \u0026wb-\u003eswitch_work);\n\nBecause inode_switch_wbs_work_fn() loops when processing isw items, it\ncan happen that wb-\u003eswitch_work is pending while wb-\u003eswitch_wbs_ctxs is\nempty. This is a problem because in that case wb can get freed (no isw\nitems -\u003e no wb reference) while the work is still pending causing\nuse-after-free issues.\n\nWe cannot just fix this by cancelling work when freeing wb because that\ncould still trigger problematic 0 -\u003e 1 transitions on wb refcount due to\nwb_get() in inode_switch_wbs_work_fn(). It could be all handled with\nmore careful code but that seems unnecessarily complex so let\u0027s avoid\nthat until it is proven that the looping actually brings practical\nbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.\nThat way when wb_queue_isw() queues work, we are guaranteed we have\nadded the first item to wb-\u003eswitch_wbs_ctxs and nobody is going to\nremove it (and drop the wb reference it holds) until the queued work\nruns.",
  "id": "GHSA-77jh-978m-wqhm",
  "modified": "2026-06-30T03:36:28Z",
  "published": "2026-05-01T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31703"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31703"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464385"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/156cc63691c1f20905510b1007896e090355e6c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31703.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77JP-Q6GP-R976

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the fillColor property of a radio button. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7070.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-24T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the fillColor property of a radio button. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7070.",
  "id": "GHSA-77jp-q6gp-r976",
  "modified": "2022-05-13T01:33:51Z",
  "published": "2022-05-13T01:33:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17689"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1205"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77P5-68V4-943H

Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2025-11-04 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()

We got the following issue in a fuzz test of randomly issuing the restore command:

================================================================== BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60 Read of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963

CPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564 Call Trace: kasan_report+0x93/0xc0 cachefiles_ondemand_daemon_read+0xb41/0xb60 vfs_read+0x169/0xb50 ksys_read+0xf5/0x1e0

Allocated by task 116: kmem_cache_alloc+0x140/0x3a0 cachefiles_lookup_cookie+0x140/0xcd0 fscache_cookie_state_machine+0x43c/0x1230 [...]

Freed by task 792: kmem_cache_free+0xfe/0x390 cachefiles_put_object+0x241/0x480 fscache_cookie_state_machine+0x5c8/0x1230 [...] ==================================================================

Following is the process that triggers the issue:

 mount  |   daemon_thread1    |    daemon_thread2

cachefiles_withdraw_cookie cachefiles_ondemand_clean_object(object) cachefiles_ondemand_send_req REQ_A = kzalloc(sizeof(*req) + data_len) wait_for_completion(&REQ_A->done)

        cachefiles_daemon_read
         cachefiles_ondemand_daemon_read
          REQ_A = cachefiles_ondemand_select_req
          msg->object_id = req->object->ondemand->ondemand_id
                              ------ restore ------
                              cachefiles_ondemand_restore
                              xas_for_each(&xas, req, ULONG_MAX)
                               xas_set_mark(&xas, CACHEFILES_REQ_NEW)

                              cachefiles_daemon_read
                               cachefiles_ondemand_daemon_read
                                REQ_A = cachefiles_ondemand_select_req
          copy_to_user(_buffer, msg, n)
           xa_erase(&cache->reqs, id)
           complete(&REQ_A->done)
          ------ close(fd) ------
          cachefiles_ondemand_fd_release
           cachefiles_put_object

cachefiles_put_object kmem_cache_free(cachefiles_object_jar, object) REQ_A->object->ondemand->ondemand_id // object UAF !!!

When we see the request within xa_lock, req->object must not have been freed yet, so grab the reference count of object before xa_unlock to avoid the above issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-12T13:15:13Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read()\n\nWe got the following issue in a fuzz test of randomly issuing the restore\ncommand:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0xb41/0xb60\nRead of size 8 at addr ffff888122e84088 by task ondemand-04-dae/963\n\nCPU: 13 PID: 963 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #564\nCall Trace:\n kasan_report+0x93/0xc0\n cachefiles_ondemand_daemon_read+0xb41/0xb60\n vfs_read+0x169/0xb50\n ksys_read+0xf5/0x1e0\n\nAllocated by task 116:\n kmem_cache_alloc+0x140/0x3a0\n cachefiles_lookup_cookie+0x140/0xcd0\n fscache_cookie_state_machine+0x43c/0x1230\n [...]\n\nFreed by task 792:\n kmem_cache_free+0xfe/0x390\n cachefiles_put_object+0x241/0x480\n fscache_cookie_state_machine+0x5c8/0x1230\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n     mount  |   daemon_thread1    |    daemon_thread2\n------------------------------------------------------------\ncachefiles_withdraw_cookie\n cachefiles_ondemand_clean_object(object)\n  cachefiles_ondemand_send_req\n   REQ_A = kzalloc(sizeof(*req) + data_len)\n   wait_for_completion(\u0026REQ_A-\u003edone)\n\n            cachefiles_daemon_read\n             cachefiles_ondemand_daemon_read\n              REQ_A = cachefiles_ondemand_select_req\n              msg-\u003eobject_id = req-\u003eobject-\u003eondemand-\u003eondemand_id\n                                  ------ restore ------\n                                  cachefiles_ondemand_restore\n                                  xas_for_each(\u0026xas, req, ULONG_MAX)\n                                   xas_set_mark(\u0026xas, CACHEFILES_REQ_NEW)\n\n                                  cachefiles_daemon_read\n                                   cachefiles_ondemand_daemon_read\n                                    REQ_A = cachefiles_ondemand_select_req\n              copy_to_user(_buffer, msg, n)\n               xa_erase(\u0026cache-\u003ereqs, id)\n               complete(\u0026REQ_A-\u003edone)\n              ------ close(fd) ------\n              cachefiles_ondemand_fd_release\n               cachefiles_put_object\n cachefiles_put_object\n  kmem_cache_free(cachefiles_object_jar, object)\n                                    REQ_A-\u003eobject-\u003eondemand-\u003eondemand_id\n                                     // object UAF !!!\n\nWhen we see the request within xa_lock, req-\u003eobject must not have been\nfreed yet, so grab the reference count of object before xa_unlock to\navoid the above issue.",
  "id": "GHSA-77p5-68v4-943h",
  "modified": "2025-11-04T00:30:52Z",
  "published": "2024-07-12T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39510"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3958679c49152391209b32be3357193300a51abd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93064676a2820420a2d37d7c8289f277fe20793d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb55625f8eb9d2de8be4da0c4580d48cbb32058e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da4a827416066191aafeeccee50a8836a826ba10"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.