CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-7JG9-9WP9-WH98
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-16 00:01In mdp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS05836642; Issue ID: ALPS05836642.
{
"affected": [],
"aliases": [
"CVE-2022-20052"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "In mdp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS05836642; Issue ID: ALPS05836642.",
"id": "GHSA-7jg9-9wp9-wh98",
"modified": "2022-04-16T00:01:08Z",
"published": "2022-04-12T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20052"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JGH-PJ67-JVFJ
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the getDisplayItem method of a TimeField. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6506.
{
"affected": [],
"aliases": [
"CVE-2018-17656"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-24T04:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the getDisplayItem method of a TimeField. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6506.",
"id": "GHSA-7jgh-pj67-jvfj",
"modified": "2022-05-13T01:33:55Z",
"published": "2022-05-13T01:33:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17656"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JH9-V3VW-V9PX
Vulnerability from github – Published: 2024-10-21 12:30 – Updated: 2024-10-22 18:32In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway
Syzbot reports a UAF in hugetlb_fault(). This happens because vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA to be freed before hugetlb_vma_unlock_read() is called.
We can fix this by using a modified version of vmf_anon_prepare() that doesn't release the VMA lock on failure, and then release it ourselves after hugetlb_vma_unlock_read().
{
"affected": [],
"aliases": [
"CVE-2024-47676"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T12:15:04Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb.c: fix UAF of vma in hugetlb fault pathway\n\nSyzbot reports a UAF in hugetlb_fault(). This happens because\nvmf_anon_prepare() could drop the per-VMA lock and allow the current VMA\nto be freed before hugetlb_vma_unlock_read() is called.\n\nWe can fix this by using a modified version of vmf_anon_prepare() that\ndoesn\u0027t release the VMA lock on failure, and then release it ourselves\nafter hugetlb_vma_unlock_read().",
"id": "GHSA-7jh9-v3vw-v9px",
"modified": "2024-10-22T18:32:09Z",
"published": "2024-10-21T12:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47676"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98b74bb4d7e96b4da5ef3126511febe55b76b807"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d59ebc99dee0a2687a26df94b901eb8216dbf876"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e897d184a8dd4a4e1f39c8c495598e4d9472776c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JP3-X6J5-68RR
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13Use-after-free vulnerability in the ReadPWPImage function in coders/pwp.c in ImageMagick 6.9.5-5 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2016-10051"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-23T17:59:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the ReadPWPImage function in coders/pwp.c in ImageMagick 6.9.5-5 allows remote attackers to cause a denial of service (application crash) or have other unspecified impact via a crafted file.",
"id": "GHSA-7jp3-x6j5-68rr",
"modified": "2022-05-13T01:13:30Z",
"published": "2022-05-13T01:13:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10051"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/548701354191a3dda5cffc6d415374b35b01d0b9"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/ecc03a2518c2b7dd375fde3a040fdae0bdf6a521"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1410456"
},
{
"type": "WEB",
"url": "https://www.imagemagick.org/discourse-server/viewtopic.php?f=3\u0026t=30245"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00028.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00031.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/26/9"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95187"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JP6-72RV-7M74
Vulnerability from github – Published: 2025-06-04 15:30 – Updated: 2025-06-04 21:31An issue was discovered in Samsung Mobile Processor Exynos 1380. A Use-After-Free in the mobile processor leads to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-23101"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-04T15:15:23Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Samsung Mobile Processor Exynos 1380. A Use-After-Free in the mobile processor leads to privilege escalation.",
"id": "GHSA-7jp6-72rv-7m74",
"modified": "2025-06-04T21:31:14Z",
"published": "2025-06-04T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23101"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7JP8-WHJ2-J439
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-22 15:34Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-3046"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-26T16:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-7jp8-whj2-j439",
"modified": "2025-05-22T15:34:42Z",
"published": "2022-09-27T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3046"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1346245"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/40060350"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JQ8-3VQQ-QC62
Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
spi: fix use-after-free on controller registration failure
Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.
{
"affected": [],
"aliases": [
"CVE-2026-31389"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T16:16:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses.",
"id": "GHSA-7jq8-3vqq-qc62",
"modified": "2026-07-14T15:31:48Z",
"published": "2026-04-03T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31389"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JQG-3J54-CPCR
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30557"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T19:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-7jqg-3j54-cpcr",
"modified": "2022-05-24T19:06:49Z",
"published": "2022-05-24T19:06:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30557"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1202102"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7JV2-7JQ5-C8VC
Vulnerability from github – Published: 2026-06-12 00:31 – Updated: 2026-06-12 03:31Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-12029"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T22:16:55Z",
"severity": "HIGH"
},
"details": "Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-7jv2-7jq5-c8vc",
"modified": "2026-06-12T03:31:28Z",
"published": "2026-06-12T00:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12029"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/518002958"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7JWJ-6G7W-4C9Q
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-10 21:30In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of ns_writer on remount
If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.
In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:
Task1 Task2 -------------------------------- ------------------------------ nilfs_construct_segment nilfs_segctor_sync init_wait init_waitqueue_entry add_wait_queue schedule nilfs_remount (R/W remount case) nilfs_attach_log_writer nilfs_detach_log_writer nilfs_segctor_destroy kfree finish_wait _raw_spin_lock_irqsave __raw_spin_lock_irqsave do_raw_spin_lock debug_spin_lock_before <-- use-after-free
While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 waked up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on the Shigeru Yoshida's post [1].
This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.
{
"affected": [],
"aliases": [
"CVE-2022-49834"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:06Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of ns_writer on remount\n\nIf a nilfs2 filesystem is downgraded to read-only due to metadata\ncorruption on disk and is remounted read/write, or if emergency read-only\nremount is performed, detaching a log writer and synchronizing the\nfilesystem can be done at the same time.\n\nIn these cases, use-after-free of the log writer (hereinafter\nnilfs-\u003ens_writer) can happen as shown in the scenario below:\n\n Task1 Task2\n -------------------------------- ------------------------------\n nilfs_construct_segment\n nilfs_segctor_sync\n init_wait\n init_waitqueue_entry\n add_wait_queue\n schedule\n nilfs_remount (R/W remount case)\n\t\t\t\t nilfs_attach_log_writer\n nilfs_detach_log_writer\n nilfs_segctor_destroy\n kfree\n finish_wait\n _raw_spin_lock_irqsave\n __raw_spin_lock_irqsave\n do_raw_spin_lock\n debug_spin_lock_before \u003c-- use-after-free\n\nWhile Task1 is sleeping, nilfs-\u003ens_writer is freed by Task2. After Task1\nwaked up, Task1 accesses nilfs-\u003ens_writer which is already freed. This\nscenario diagram is based on the Shigeru Yoshida\u0027s post [1].\n\nThis patch fixes the issue by not detaching nilfs-\u003ens_writer on remount so\nthat this UAF race doesn\u0027t happen. Along with this change, this patch\nalso inserts a few necessary read-only checks with superblock instance\nwhere only the ns_writer pointer was used to check if the filesystem is\nread-only.",
"id": "GHSA-7jwj-6g7w-4c9q",
"modified": "2025-11-10T21:30:28Z",
"published": "2025-05-01T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9cca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34da"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.