Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-83CG-48P4-2HXG

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:41Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-83cg-48p4-2hxg",
  "modified": "2025-08-12T18:31:32Z",
  "published": "2025-08-12T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53721"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53721"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83GR-6443-3Q7Q

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30
VLAI
Details

Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:17:16Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-83gr-6443-3q7q",
  "modified": "2026-06-09T18:30:47Z",
  "published": "2026-06-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44808"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44808"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83HH-PJ86-JR69

Vulnerability from github – Published: 2024-07-29 15:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: wait for ondemand_object_worker to finish when dropping object

When queuing ondemand_object_worker() to re-open the object, cachefiles_object is not pinned. The cachefiles_object may be freed when the pending read request is completed intentionally and the related erofs is umounted. If ondemand_object_worker() runs after the object is freed, it will incur use-after-free problem as shown below.

process A processs B process C process D

cachefiles_ondemand_send_req() // send a read req X // wait for its completion

       // close ondemand fd
       cachefiles_ondemand_fd_release()
       // set object as CLOSE

                   cachefiles_ondemand_daemon_read()
                   // set object as REOPENING
                   queue_work(fscache_wq, &info->ondemand_work)

                            // close /dev/cachefiles
                            cachefiles_daemon_release
                            cachefiles_flush_reqs
                            complete(&req->done)

// read req X is completed // umount the erofs fs cachefiles_put_object() // object will be freed cachefiles_ondemand_deinit_obj_info() kmem_cache_free(object) // both info and object are freed ondemand_object_worker()

When dropping an object, it is no longer necessary to reopen the object, so use cancel_work_sync() to cancel or wait for ondemand_object_worker() to finish.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T15:15:13Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: wait for ondemand_object_worker to finish when dropping object\n\nWhen queuing ondemand_object_worker() to re-open the object,\ncachefiles_object is not pinned. The cachefiles_object may be freed when\nthe pending read request is completed intentionally and the related\nerofs is umounted. If ondemand_object_worker() runs after the object is\nfreed, it will incur use-after-free problem as shown below.\n\nprocess A  processs B  process C  process D\n\ncachefiles_ondemand_send_req()\n// send a read req X\n// wait for its completion\n\n           // close ondemand fd\n           cachefiles_ondemand_fd_release()\n           // set object as CLOSE\n\n                       cachefiles_ondemand_daemon_read()\n                       // set object as REOPENING\n                       queue_work(fscache_wq, \u0026info-\u003eondemand_work)\n\n                                // close /dev/cachefiles\n                                cachefiles_daemon_release\n                                cachefiles_flush_reqs\n                                complete(\u0026req-\u003edone)\n\n// read req X is completed\n// umount the erofs fs\ncachefiles_put_object()\n// object will be freed\ncachefiles_ondemand_deinit_obj_info()\nkmem_cache_free(object)\n                       // both info and object are freed\n                       ondemand_object_worker()\n\nWhen dropping an object, it is no longer necessary to reopen the object,\nso use cancel_work_sync() to cancel or wait for ondemand_object_worker()\nto finish.",
  "id": "GHSA-83hh-pj86-jr69",
  "modified": "2025-11-04T00:31:00Z",
  "published": "2024-07-29T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41051"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12e009d60852f7bce0afc373ca0b320f14150418"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b26525b2183632f16a3a4108fe6a4bfa8afac6ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3179bae72b1b5e555ba839d6d9f40a350a4d78a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec9289369259d982e735a71437e32e6b4035290c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83JF-V646-GP24

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 06:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix use-after-free when reverting termination table

When having multiple dests with termination tables and second one or afterwards fails the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl which case a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to null.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:13Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free when reverting termination table\n\nWhen having multiple dests with termination tables and second one\nor afterwards fails the driver reverts usage of term tables but\ndoesn\u0027t reset the assignment in attr-\u003edests[num_vport_dests].termtbl\nwhich case a use-after-free when releasing the rule.\nFix by resetting the assignment of termtbl to null.",
  "id": "GHSA-83jf-v646-gp24",
  "modified": "2024-10-24T06:30:29Z",
  "published": "2024-10-21T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49025"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a2d73a77060c3cbdc6e801cd5d979d674cd404b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d2f9d95d9fbe993f3c4bafb87d59897b0325aff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/372eb550faa0757349040fd43f59483cbfdb2c0b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52c795af04441d76f565c4634f893e5b553df2ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6d2d26a49c3a9cd46b232975e45236304810904"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83MC-PMQP-53X3

Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2022-05-14 03:38
VLAI
Details

The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations (mbox.c operations on bounce messages). If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-26T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations (mbox.c operations on bounce messages). If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition.",
  "id": "GHSA-83mc-pmqp-53x3",
  "modified": "2022-05-14T03:38:01Z",
  "published": "2022-05-14T03:38:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12374"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.clamav.net/show_bug.cgi?id=11939"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3550-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3550-2"
    },
    {
      "type": "WEB",
      "url": "http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83PQ-FMF8-563Q

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Fix use-after-free in metadata dst teardown

airoha_metadata_dst_free() runs metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, an use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:42Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Fix use-after-free in metadata dst teardown\n\nairoha_metadata_dst_free() runs metadata_dst_free() which frees the\nmetadata_dst with kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_free() calls kfree() directly, an use-after-free can\noccur if any skb still holds a noref pointer to the dst when the driver\ntears it down.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path: when the refcount drops to zero, it schedules\nthe actual free via call_rcu_hurry(), ensuring all RCU readers have\ncompleted before the memory is freed.",
  "id": "GHSA-83pq-fmf8-563q",
  "modified": "2026-06-28T09:31:46Z",
  "published": "2026-06-25T09:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53248"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b5a574e033e66d2131eff1c18feef8d8643c67e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f829e2c17a53a35321268339cd252aff6d6d723"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b38cae85d1c45ff189d7ecb6ac36f41cdc3d84d0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83QH-8JFH-6RG6

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19
VLAI
Details

Use after free in payments in Google Chrome on MacOS prior to 83.0.4103.97 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use after free in payments in Google Chrome on MacOS prior to 83.0.4103.97 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.",
  "id": "GHSA-83qh-8jfh-6rg6",
  "modified": "2022-05-24T17:19:22Z",
  "published": "2022-05-24T17:19:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6496"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1085990"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202006-02"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4714"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-83QW-P55Q-P84M

Vulnerability from github – Published: 2023-04-12 21:30 – Updated: 2023-04-12 21:30
VLAI
Details

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-83qw-p55q-p84m",
  "modified": "2023-04-12T21:30:18Z",
  "published": "2023-04-12T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26418"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb23-24.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83RM-VX9W-VP88

Vulnerability from github – Published: 2025-03-04 06:30 – Updated: 2025-03-04 06:30
VLAI
Details

in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-04T04:15:13Z",
    "severity": "LOW"
  },
  "details": "in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.",
  "id": "GHSA-83rm-vx9w-vp88",
  "modified": "2025-03-04T06:30:33Z",
  "published": "2025-03-04T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20081"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83VF-8JP3-7V72

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2023-12-29 18:30
VLAI
Details

Microsoft Excel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24067, CVE-2021-24068, CVE-2021-24069.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-25T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Excel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24067, CVE-2021-24068, CVE-2021-24069.",
  "id": "GHSA-83vf-8jp3-7v72",
  "modified": "2023-12-29T18:30:27Z",
  "published": "2022-05-24T17:43:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24070"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24070"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.