Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-84FP-H279-GGMW

Vulnerability from github – Published: 2024-02-22 18:30 – Updated: 2024-06-27 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: pvrusb2: fix use after free on context disconnection

Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-22T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix use after free on context disconnection\n\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.",
  "id": "GHSA-84fp-h279-ggmw",
  "modified": "2024-06-27T12:30:43Z",
  "published": "2024-02-22T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52445"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2cf0005d315549b8d2b940ff96a66c2a889aa795"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30773ea47d41773f9611ffb4ebc9bda9d19a9e7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3233d8bf7893550045682192cb227af7fa3defeb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/437b5f57732bb4cc32cc9f8895d2010ee9ff521c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47aa8fcd5e8b5563af4042a00f25ba89bef8f33d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ded85b0c0edd8f45fec88783d7555a5b982449c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec3634ebe23fc3c44ebc67c6d25917300bc68c08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec36c134dd020d28e312c2f1766f85525e747aab"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84GC-MWWX-2X6J

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to execute arbitrary code via a crafted WillSave document action, a different vulnerability than CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6687, CVE-2015-6688, CVE-2015-6690, CVE-2015-6691, CVE-2015-7615, CVE-2015-7617, and CVE-2015-7621.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-6689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-10-14T23:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to execute arbitrary code via a crafted WillSave document action, a different vulnerability than CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6687, CVE-2015-6688, CVE-2015-6690, CVE-2015-6691, CVE-2015-7615, CVE-2015-7617, and CVE-2015-7621.",
  "id": "GHSA-84gc-mwwx-2x6j",
  "modified": "2022-05-13T01:06:42Z",
  "published": "2022-05-13T01:06:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6689"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb15-24.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1033796"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-15-470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-84HG-9FJM-PCR7

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets

When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q().

A typical race condition is depicted below:

CPU 0 (cleanup) | CPU 1 (tasklet) | fst_start_xmit() fst_remove_one() | tasklet_schedule() unregister_hdlc_device()| | fst_process_tx_work_q() //handler kfree(card) //free | do_bottom_half_tx() | card-> //use

The following KASAN trace was captured:

================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 ... Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfxhrtimerrun_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...

Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ...

Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ...

The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff88800aad1000: fa fb ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:43Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets\n\nWhen the FarSync T-series card is being detached, the fst_card_info is\ndeallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task\nmay still be running or pending, leading to use-after-free bugs when the\nalready freed fst_card_info is accessed in fst_process_tx_work_q() or\nfst_process_int_work_q().\n\nA typical race condition is depicted below:\n\nCPU 0 (cleanup)           | CPU 1 (tasklet)\n                          | fst_start_xmit()\nfst_remove_one()          |   tasklet_schedule()\n  unregister_hdlc_device()|\n                          | fst_process_tx_work_q() //handler\n  kfree(card) //free      |   do_bottom_half_tx()\n                          |     card-\u003e //use\n\nThe following KASAN trace was captured:\n\n==================================================================\n BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00\n Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32\n ...\n Call Trace:\n  \u003cIRQ\u003e\n  dump_stack_lvl+0x55/0x70\n  print_report+0xcb/0x5d0\n  ? do_bottom_half_tx+0xb88/0xd00\n  kasan_report+0xb8/0xf0\n  ? do_bottom_half_tx+0xb88/0xd00\n  do_bottom_half_tx+0xb88/0xd00\n  ? _raw_spin_lock_irqsave+0x85/0xe0\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  ? __pfx___hrtimer_run_queues+0x10/0x10\n  fst_process_tx_work_q+0x67/0x90\n  tasklet_action_common+0x1fa/0x720\n  ? hrtimer_interrupt+0x31f/0x780\n  handle_softirqs+0x176/0x530\n  __irq_exit_rcu+0xab/0xe0\n  sysvec_apic_timer_interrupt+0x70/0x80\n ...\n\n Allocated by task 41 on cpu 3 at 72.330843s:\n  kasan_save_stack+0x24/0x50\n  kasan_save_track+0x17/0x60\n  __kasan_kmalloc+0x7f/0x90\n  fst_add_one+0x1a5/0x1cd0\n  local_pci_probe+0xdd/0x190\n  pci_device_probe+0x341/0x480\n  really_probe+0x1c6/0x6a0\n  __driver_probe_device+0x248/0x310\n  driver_probe_device+0x48/0x210\n  __device_attach_driver+0x160/0x320\n  bus_for_each_drv+0x101/0x190\n  __device_attach+0x198/0x3a0\n  device_initial_probe+0x78/0xa0\n  pci_bus_add_device+0x81/0xc0\n  pci_bus_add_devices+0x7e/0x190\n  enable_slot+0x9b9/0x1130\n  acpiphp_check_bridge.part.0+0x2e1/0x460\n  acpiphp_hotplug_notify+0x36c/0x3c0\n  acpi_device_hotplug+0x203/0xb10\n  acpi_hotplug_work_fn+0x59/0x80\n ...\n\n Freed by task 41 on cpu 1 at 75.138639s:\n  kasan_save_stack+0x24/0x50\n  kasan_save_track+0x17/0x60\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x43/0x70\n  kfree+0x135/0x410\n  fst_remove_one+0x2ca/0x540\n  pci_device_remove+0xa6/0x1d0\n  device_release_driver_internal+0x364/0x530\n  pci_stop_bus_device+0x105/0x150\n  pci_stop_and_remove_bus_device+0xd/0x20\n  disable_slot+0x116/0x260\n  acpiphp_disable_and_eject_slot+0x4b/0x190\n  acpiphp_hotplug_notify+0x230/0x3c0\n  acpi_device_hotplug+0x203/0xb10\n  acpi_hotplug_work_fn+0x59/0x80\n ...\n\n The buggy address belongs to the object at ffff88800aad1000\n  which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 28 bytes inside of\n  freed 1024-byte region\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x100000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\n head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000\n head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\n head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff\n head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n  ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n \u003effff88800aad1000: fa fb\n---truncated---",
  "id": "GHSA-84hg-9fjm-pcr7",
  "modified": "2026-05-08T15:31:18Z",
  "published": "2026-05-06T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43232"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84HR-Q2HC-2M5C

Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-05-02 09:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI

If lpfc_issue_els_flogi() fails and returns non-zero status, the node reference count is decremented to trigger the release of the nodelist structure. However, if there is a prior registration or dev-loss-evt work pending, the node may be released prematurely. When dev-loss-evt completes, the released node is referenced causing a use-after-free null pointer dereference.

Similarly, when processing non-zero ELS PLOGI completion status in lpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport registration before triggering node removal. If dev-loss-evt work is pending, the node may be released prematurely and a subsequent call to lpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.

Add test for pending dev-loss before decrementing the node reference count for FLOGI, PLOGI, PRLI, and ADISC handling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:29Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI\n\nIf lpfc_issue_els_flogi() fails and returns non-zero status, the node\nreference count is decremented to trigger the release of the nodelist\nstructure. However, if there is a prior registration or dev-loss-evt work\npending, the node may be released prematurely.  When dev-loss-evt\ncompletes, the released node is referenced causing a use-after-free null\npointer dereference.\n\nSimilarly, when processing non-zero ELS PLOGI completion status in\nlpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport\nregistration before triggering node removal.  If dev-loss-evt work is\npending, the node may be released prematurely and a subsequent call to\nlpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.\n\nAdd test for pending dev-loss before decrementing the node reference count\nfor FLOGI, PLOGI, PRLI, and ADISC handling.",
  "id": "GHSA-84hr-q2hc-2m5c",
  "modified": "2025-05-02T09:30:30Z",
  "published": "2025-02-27T21:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49535"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/577a942df3de2666f6947bdd3a5c9e8d30073424"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7dc74ab7975c9b96284abfe4cca756d75fa4604"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84P5-CQQQ-H4GR

Vulnerability from github – Published: 2025-01-26 06:30 – Updated: 2025-11-03 21:32
VLAI
Details

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-26T06:15:21Z",
    "severity": "HIGH"
  },
  "details": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.",
  "id": "GHSA-84p5-cqqq-h4gr",
  "modified": "2025-11-03T21:32:23Z",
  "published": "2025-01-26T06:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/php/php-src/issues/17467"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84QC-CGRR-M4WP

Vulnerability from github – Published: 2022-05-01 18:18 – Updated: 2025-04-09 03:44
VLAI
Details

Use-after-free vulnerability in the BitTorrent support in Opera before 9.22 allows user-assisted remote attackers to execute arbitrary code via a crafted header in a torrent file, which leaves a dangling pointer to an invalid object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-3929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-07-21T00:30:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the BitTorrent support in Opera before 9.22 allows user-assisted remote attackers to execute arbitrary code via a crafted header in a torrent file, which leaves a dangling pointer to an invalid object.",
  "id": "GHSA-84qc-cgrr-m4wp",
  "modified": "2025-04-09T03:44:16Z",
  "published": "2022-05-01T18:18:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3929"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35509"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=564"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26138"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26545"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200708-17.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"
    },
    {
      "type": "WEB",
      "url": "http://www.opera.com/support/search/view/862"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/24970"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018431"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/2584"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-84R7-X76R-M562

Vulnerability from github – Published: 2022-05-14 00:52 – Updated: 2022-05-14 00:52
VLAI
Details

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-12T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
  "id": "GHSA-84r7-x76r-m562",
  "modified": "2022-05-14T00:52:43Z",
  "published": "2022-05-14T00:52:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15920"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb18-30.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105441"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041809"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84RJ-W682-G977

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-03T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.",
  "id": "GHSA-84rj-w682-g977",
  "modified": "2022-05-24T17:35:06Z",
  "published": "2022-05-24T17:35:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13531"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1145"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84V6-6VMQ-3V62

Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2026-05-12 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/debug_vm_pgtable: clear page table entries at destroy_args()

The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also its manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those entries with the *_clear functions.

The problem is that leaves stale entries. If another process allocates an mm_struct with a pgd at the same address, it may end up running into the stale entry. This is happening in practice on a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra debugging I added (it prints a warning trace if pgtables_bytes goes negative, in addition to the warning at check_mm() function):

[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000 [ 2.539366] kmem_cache info [ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508 [ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e (...) [ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0 [ 2.552816] Modules linked in: [ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY [ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries [ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90 [ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug) [ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a [ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0 [ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001 [ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff [ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000 [ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb [ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0 [ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000 [ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001 [ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760 [ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0 [ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0 [ 2.553199] Call Trace: [ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable) [ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0 [ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570 [ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650 [ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290 [ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0 [ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870 [ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150 [ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50 [ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0 [ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec (...) [ 2.558892] ---[ end trace 0000000000000000 ]--- [ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1 [ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144

Here the modprobe process ended up with an allocated mm_struct from the mm_struct slab that was used before by the debug_vm_pgtable test. That is not a problem, since the mm_stru ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T17:15:43Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/debug_vm_pgtable: clear page table entries at destroy_args()\n\nThe mm/debug_vm_pagetable test allocates manually page table entries for\nthe tests it runs, using also its manually allocated mm_struct.  That in\nitself is ok, but when it exits, at destroy_args() it fails to clear those\nentries with the *_clear functions.\n\nThe problem is that leaves stale entries.  If another process allocates an\nmm_struct with a pgd at the same address, it may end up running into the\nstale entry.  This is happening in practice on a debug kernel with\nCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra\ndebugging I added (it prints a warning trace if pgtables_bytes goes\nnegative, in addition to the warning at check_mm() function):\n\n[    2.539353] debug_vm_pgtable: [get_random_vaddr         ]: random_vaddr is 0x7ea247140000\n[    2.539366] kmem_cache info\n[    2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508\n[    2.539447] debug_vm_pgtable: [init_args                ]: args-\u003emm is 0x000000002267cc9e\n(...)\n[    2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0\n[    2.552816] Modules linked in:\n[    2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY\n[    2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries\n[    2.552872] NIP:  c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90\n[    2.552885] REGS: c0000000622e73b0 TRAP: 0700   Not tainted  (6.12.0-105.debug_vm2.el10.ppc64le+debug)\n[    2.552899] MSR:  800000000282b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e  CR: 24002822  XER: 0000000a\n[    2.552954] CFAR: c0000000008f03f0 IRQMASK: 0\n[    2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001\n[    2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff\n[    2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000\n[    2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb\n[    2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0\n[    2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000\n[    2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001\n[    2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760\n[    2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0\n[    2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0\n[    2.553199] Call Trace:\n[    2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)\n[    2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0\n[    2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570\n[    2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650\n[    2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290\n[    2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0\n[    2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870\n[    2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150\n[    2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50\n[    2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0\n[    2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n(...)\n[    2.558892] ---[ end trace 0000000000000000 ]---\n[    2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1\n[    2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144\n\nHere the modprobe process ended up with an allocated mm_struct from the\nmm_struct slab that was used before by the debug_vm_pgtable test.  That is\nnot a problem, since the mm_stru\n---truncated---",
  "id": "GHSA-84v6-6vmq-3v62",
  "modified": "2026-05-12T15:31:07Z",
  "published": "2025-09-11T18:35:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39776"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47d2a149611b8a94d24add9868c442a4af278658"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/561171db3b3eb759ba3f284dba7a76f4476ade03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61a9f2e5c49f05e3ea2c16674540a075a1b4be6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/63962ff932ef359925b94be2a88df6b4fd4fed0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bf57a0709cd7c9088cea8de023d6f4fbf2518b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dde30854bddfb5d69f30022b53c5955a41088b33"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84XM-R438-86PX

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 22:54
VLAI
Summary
Envoy: HTTP - filter chain execution on reset streams causing UAF crash
Details

Note: This vulnerability was originally reported to the Google OSS VRP (Issue ID: 477542544). The Google Security Team requested that I coordinate directly with the Envoy maintainers for triage and remediation. I am submitting this report here to facilitate that process.

Technical Details I have identified a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up.

Mechanism: The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method.

When an HTTP/2 stream encounters a reset condition (e.g., StreamIdleTimeout, OverloadManager limits, or a local reset triggered by a filter), Envoy calls onResetStream. This method: 1. Sets the internal state state_.saw_downstream_reset_ = true. 2. Invokes onDestroy() on all filters in the chain (allowing them to release resources/pointers). 3. Schedules the ActiveStream object for deferred deletion (cleanup happens later in the event loop).

The Flaw: The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData.

FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy().

Root Cause Code Location: File: source/common/http/filter_manager.cc Function: FilterManager::decodeData

void FilterManager::decodeData(...) {
  if (stopDecoderFilterChain()) { return; }

  // Vulnerability: Missing check for state_.saw_downstream_reset_
  // Execution proceeds into the loop even if the stream is logically dead.

  auto trailers_added_entry = decoder_filters_.end();
  for (; entry != decoder_filters_.end(); entry++) {
      // ... calls (*entry)->handle_->decodeData(data) on destroyed filters ...
  }
}

Suggested Fix: Add an explicit state check at the beginning of FilterManager::decodeData.

// Prevent execution on streams that have been reset but not yet destroyed.
if (state_.saw_downstream_reset_) {
  return;
}

Impact Analysis

Who can exploit this: Any remote attacker capable of establishing an HTTP/2 or HTTP/3 connection. No privileges/authentication required.

Impact & Gain: 1. Memory Corruption & Potential Remote Code Execution: While the immediate symptom is a crash (DoS), the underlying primitive is a Use-After-Free (CWE-416). * Mechanism: When onDestroy() is called on filters (e.g., Lua, Wasm, or complex native filters), they release internal structures and invalidate pointers. * Exploitation: By forcing decodeData() to execute on these now-freed objects, an attacker triggers undefined behavior. In a heap-groomed environment, an attacker could potentially replace the freed filter object with a malicious payload before the "Zombie" decodeData call occurs. This would allow for vtable hijacking or arbitrary write-what-where primitives, leading to Remote Code Execution (RCE). * Risk Amplification: This is particularly dangerous for Envoy deployments using memory-unsafe extensions or third-party filters (C++ extensions), where onDestroy logic is relied upon for safety.

2. Security Control Bypass: The vulnerability defeats Envoy's "Fail-Closed" security architecture. * Scenario: If a stream is reset due to a security violation (e.g., StreamIdleTimeout, OverloadManager rejection, or WAF triggering), this vulnerability allows the attacker to bypass the termination. * Result: The attacker can force the processing of "Data" frames on a connection that the security policy explicitly attempted to close, allowing malicious payloads to reach deeper into the filter chain or backend services despite the rejection.


Proof of Concept (Unit Test)

Description: The attached C++ unit test (zombie_stream_poc_test.cc) deterministically reproduces the vulnerability. It creates a stream, manually triggers a reset (simulating an Overload), and then immediately injects a DATA frame. The test asserts that the filter's decodeData callback is invoked on the reset stream.

#include "test/common/http/conn_manager_impl_test_base.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"

using testing::_;
using testing::Invoke;
using testing::NiceMock;
using testing::Return;

namespace Envoy {
namespace Http {

/**
 * Proof of Concept for "Zombie Stream Filter Execution" (HTTP/2 Reset Re-entrancy)
 * * Logic flow:
 * 1. Open a stream with HEADERS.
 * 2. Force a stream reset (simulating an Overload or Timeout).
 * 3. Immediately inject DATA into the stream.
 * 4. ASSERT that the filter's decodeData is called despite the stream being reset.
 */
class ZombieStreamPocTest : public HttpConnectionManagerImplTest {
};

TEST_F(ZombieStreamPocTest, ReproducedZombieFilterExecution) {
  setup(SetupOpts().setTracing(false));

  // 1. Setup a mock filter
  std::shared_ptr<MockStreamDecoderFilter> filter(new NiceMock<MockStreamDecoderFilter>());

  // Vuln confirmation:
  // We expect decodeData to be called on this filter even though the stream is reset.
  // In a secure/patched implementation, this EXPECT_CALL should fail (Times(0)).
  EXPECT_CALL(*filter, decodeData(_, _))
      .Times(1)
      .WillOnce(Invoke([&](Buffer::Instance&, bool) -> FilterDataStatus {
          ENVOY_LOG_MISC(error, "!!! VULNERABILITY REPRODUCED: decodeData called on a reset stream !!!");
          return FilterDataStatus::Continue;
      }));

  EXPECT_CALL(*filter, decodeHeaders(_, false))
      .WillOnce(Return(FilterHeadersStatus::StopIteration));

  // Register the filter
  EXPECT_CALL(filter_factory_, createFilterChain(_))
      .WillOnce(Invoke([&](FilterChainFactoryCallbacks& callbacks) -> bool {
        auto factory = createDecoderFilterFactoryCb(filter);
        callbacks.setFilterConfigName("vulnerable_filter");
        factory(callbacks);
        return true;
      }));

  // 2. Start the stream
  EXPECT_CALL(*codec_, dispatch(_))
      .WillOnce(Invoke([&](Buffer::Instance&) -> Http::Status {
        decoder_ = &conn_manager_->newStream(response_encoder_);
        RequestHeaderMapPtr headers{new TestRequestHeaderMapImpl{
            {":authority", "host"}, {":path", "/"}, {":method", "POST"}}};
        decoder_->decodeHeaders(std::move(headers), false);
        return Http::okStatus();
      }));

  // Dispatch headers
  Buffer::OwnedImpl header_buffer("headers");
  conn_manager_->onData(header_buffer, false);

  // 3. Trigger a Reset on the ActiveStream
  // This simulates Envoy terminating the stream due to an external event (Overload, Timeout).
  auto* active_stream = dynamic_cast<ConnectionManagerImpl::ActiveStream*>(decoder_);

  // This sets state_.saw_downstream_reset_ = true and triggers filter->onDestroy()
  active_stream->onResetStream(StreamResetReason::LocalReset, "simulated_overload");

  // 4. Attack: Send DATA to the "Zombie" stream
  // The ActiveStream object is still alive in the deferred delete list.
  Buffer::OwnedImpl malicious_payload("attacker_data");

  // This call reaches the filter because FilterManager::decodeData misses the check!
  active_stream->decodeData(malicious_payload, false);
}

} // namespace Http
} // namespace Envoy
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "versions": [
        "1.37.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "last_affected": "1.36.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.35.0"
            },
            {
              "last_affected": "1.35.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.34.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:31:23Z",
    "nvd_published_at": "2026-03-10T20:16:36Z",
    "severity": "MODERATE"
  },
  "details": "**Note:**\nThis vulnerability was originally reported to the Google OSS VRP (Issue ID: [477542544](https://issuetracker.google.com/issues/477542544)). The Google Security Team requested that I coordinate directly with the Envoy maintainers for triage and remediation. I am submitting this report here to facilitate that process.\n\n**Technical Details**\nI have identified a logic vulnerability in Envoy\u0027s HTTP connection manager (`FilterManager`) that allows for **Zombie Stream Filter Execution**. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up.\n\n**Mechanism:**\nThe vulnerability resides in `source/common/http/filter_manager.cc` within the `FilterManager::decodeData` method.\n\nWhen an HTTP/2 stream encounters a reset condition (e.g., `StreamIdleTimeout`, `OverloadManager` limits, or a local reset triggered by a filter), Envoy calls `onResetStream`. This method:\n1.  Sets the internal state `state_.saw_downstream_reset_ = true`.\n2.  Invokes `onDestroy()` on all filters in the chain (allowing them to release resources/pointers).\n3.  Schedules the `ActiveStream` object for **deferred deletion** (cleanup happens later in the event loop).\n\n**The Flaw:**\nThe `ActiveStream` object remains valid in memory during the deferred deletion window. If a `DATA` frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes `ActiveStream::decodeData`, which cascades to `FilterManager::decodeData`.\n\n`FilterManager::decodeData` **fails to check the `saw_downstream_reset_` flag**. It iterates over the `decoder_filters_` list and invokes `decodeData()` on filters that have already received `onDestroy()`.\n\n**Root Cause Code Location:**\nFile: `source/common/http/filter_manager.cc`\nFunction: `FilterManager::decodeData`\n\n```cpp\nvoid FilterManager::decodeData(...) {\n  if (stopDecoderFilterChain()) { return; }\n\n  // Vulnerability: Missing check for state_.saw_downstream_reset_\n  // Execution proceeds into the loop even if the stream is logically dead.\n\n  auto trailers_added_entry = decoder_filters_.end();\n  for (; entry != decoder_filters_.end(); entry++) {\n      // ... calls (*entry)-\u003ehandle_-\u003edecodeData(data) on destroyed filters ...\n  }\n}\n```\n\n**Suggested Fix:**\nAdd an explicit state check at the beginning of `FilterManager::decodeData`.\n\n```cpp\n// Prevent execution on streams that have been reset but not yet destroyed.\nif (state_.saw_downstream_reset_) {\n  return;\n}\n```\n\n---\n\n## Impact Analysis\n\n**Who can exploit this:**\nAny remote attacker capable of establishing an HTTP/2 or HTTP/3 connection. No privileges/authentication required.\n\n**Impact \u0026 Gain:**\n**1. Memory Corruption \u0026 Potential Remote Code Execution:**\nWhile the immediate symptom is a crash (DoS), the underlying primitive is a **Use-After-Free (CWE-416)**.\n* **Mechanism:** When `onDestroy()` is called on filters (e.g., Lua, Wasm, or complex native filters), they release internal structures and invalidate pointers.\n* **Exploitation:** By forcing `decodeData()` to execute on these now-freed objects, an attacker triggers undefined behavior. In a heap-groomed environment, an attacker could potentially replace the freed filter object with a malicious payload before the \"Zombie\" `decodeData` call occurs. This would allow for vtable hijacking or arbitrary write-what-where primitives, leading to **Remote Code Execution (RCE)**.\n* **Risk Amplification:** This is particularly dangerous for Envoy deployments using memory-unsafe extensions or third-party filters (C++ extensions), where `onDestroy` logic is relied upon for safety.\n\n**2. Security Control Bypass:**\nThe vulnerability defeats Envoy\u0027s \"Fail-Closed\" security architecture.\n* **Scenario:** If a stream is reset due to a security violation (e.g., `StreamIdleTimeout`, `OverloadManager` rejection, or WAF triggering), this vulnerability allows the attacker to **bypass the termination**.\n* **Result:** The attacker can force the processing of \"Data\" frames on a connection that the security policy explicitly attempted to close, allowing malicious payloads to reach deeper into the filter chain or backend services despite the rejection.\n\n---\n\n## Proof of Concept (Unit Test)\n\n**Description:**\nThe attached C++ unit test (`zombie_stream_poc_test.cc`) deterministically reproduces the vulnerability. It creates a stream, manually triggers a reset (simulating an Overload), and then immediately injects a DATA frame. The test asserts that the filter\u0027s `decodeData` callback is invoked on the reset stream.\n\n```cpp\n#include \"test/common/http/conn_manager_impl_test_base.h\"\n#include \"gmock/gmock.h\"\n#include \"gtest/gtest.h\"\n\nusing testing::_;\nusing testing::Invoke;\nusing testing::NiceMock;\nusing testing::Return;\n\nnamespace Envoy {\nnamespace Http {\n\n/**\n * Proof of Concept for \"Zombie Stream Filter Execution\" (HTTP/2 Reset Re-entrancy)\n * * Logic flow:\n * 1. Open a stream with HEADERS.\n * 2. Force a stream reset (simulating an Overload or Timeout).\n * 3. Immediately inject DATA into the stream.\n * 4. ASSERT that the filter\u0027s decodeData is called despite the stream being reset.\n */\nclass ZombieStreamPocTest : public HttpConnectionManagerImplTest {\n};\n\nTEST_F(ZombieStreamPocTest, ReproducedZombieFilterExecution) {\n  setup(SetupOpts().setTracing(false));\n\n  // 1. Setup a mock filter\n  std::shared_ptr\u003cMockStreamDecoderFilter\u003e filter(new NiceMock\u003cMockStreamDecoderFilter\u003e());\n   \n  // Vuln confirmation:\n  // We expect decodeData to be called on this filter even though the stream is reset.\n  // In a secure/patched implementation, this EXPECT_CALL should fail (Times(0)).\n  EXPECT_CALL(*filter, decodeData(_, _))\n      .Times(1)\n      .WillOnce(Invoke([\u0026](Buffer::Instance\u0026, bool) -\u003e FilterDataStatus {\n          ENVOY_LOG_MISC(error, \"!!! VULNERABILITY REPRODUCED: decodeData called on a reset stream !!!\");\n          return FilterDataStatus::Continue;\n      }));\n\n  EXPECT_CALL(*filter, decodeHeaders(_, false))\n      .WillOnce(Return(FilterHeadersStatus::StopIteration));\n\n  // Register the filter\n  EXPECT_CALL(filter_factory_, createFilterChain(_))\n      .WillOnce(Invoke([\u0026](FilterChainFactoryCallbacks\u0026 callbacks) -\u003e bool {\n        auto factory = createDecoderFilterFactoryCb(filter);\n        callbacks.setFilterConfigName(\"vulnerable_filter\");\n        factory(callbacks);\n        return true;\n      }));\n\n  // 2. Start the stream\n  EXPECT_CALL(*codec_, dispatch(_))\n      .WillOnce(Invoke([\u0026](Buffer::Instance\u0026) -\u003e Http::Status {\n        decoder_ = \u0026conn_manager_-\u003enewStream(response_encoder_);\n        RequestHeaderMapPtr headers{new TestRequestHeaderMapImpl{\n            {\":authority\", \"host\"}, {\":path\", \"/\"}, {\":method\", \"POST\"}}};\n        decoder_-\u003edecodeHeaders(std::move(headers), false);\n        return Http::okStatus();\n      }));\n\n  // Dispatch headers\n  Buffer::OwnedImpl header_buffer(\"headers\");\n  conn_manager_-\u003eonData(header_buffer, false);\n\n  // 3. Trigger a Reset on the ActiveStream\n  // This simulates Envoy terminating the stream due to an external event (Overload, Timeout).\n  auto* active_stream = dynamic_cast\u003cConnectionManagerImpl::ActiveStream*\u003e(decoder_);\n  \n  // This sets state_.saw_downstream_reset_ = true and triggers filter-\u003eonDestroy()\n  active_stream-\u003eonResetStream(StreamResetReason::LocalReset, \"simulated_overload\");\n\n  // 4. Attack: Send DATA to the \"Zombie\" stream\n  // The ActiveStream object is still alive in the deferred delete list.\n  Buffer::OwnedImpl malicious_payload(\"attacker_data\");\n   \n  // This call reaches the filter because FilterManager::decodeData misses the check!\n  active_stream-\u003edecodeData(malicious_payload, false);\n}\n\n} // namespace Http\n} // namespace Envoy\n```",
  "id": "GHSA-84xm-r438-86px",
  "modified": "2026-03-10T22:54:46Z",
  "published": "2026-03-10T18:31:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26311"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/envoy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy: HTTP - filter chain execution on reset streams causing UAF crash"
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.