CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-862P-2JPG-8GG4
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.
{
"affected": [],
"aliases": [
"CVE-2018-6307"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-19T16:29:00Z",
"severity": "HIGH"
},
"details": "LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.",
"id": "GHSA-862p-2jpg-8gg4",
"modified": "2022-05-13T01:30:45Z",
"published": "2022-05-13T01:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6307"
},
{
"type": "WEB",
"url": "https://github.com/LibVNC/libvncserver/issues/241"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3877-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8634-CQM9-9GFH
Vulnerability from github – Published: 2026-03-02 18:31 – Updated: 2026-03-02 18:31Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.
{
"affected": [],
"aliases": [
"CVE-2025-47377"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T17:16:25Z",
"severity": "HIGH"
},
"details": "Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.",
"id": "GHSA-8634-cqm9-9gfh",
"modified": "2026-03-02T18:31:45Z",
"published": "2026-03-02T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47377"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-864F-QFFM-34WC
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
atm: fore200e: fix use-after-free in tasklets during device removal
When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().
One of the race conditions can occur as follows:
CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet() | fore200e-> // UAF
Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure.
This bug was identified through static analysis.
{
"affected": [],
"aliases": [
"CVE-2026-43203"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: fore200e: fix use-after-free in tasklets during device removal\n\nWhen the PCA-200E or SBA-200E adapter is being detached, the fore200e\nis deallocated. However, the tx_tasklet or rx_tasklet may still be running\nor pending, leading to use-after-free bug when the already freed fore200e\nis accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().\n\nOne of the race conditions can occur as follows:\n\nCPU 0 (cleanup) | CPU 1 (tasklet)\nfore200e_pca_remove_one() | fore200e_interrupt()\n fore200e_shutdown() | tasklet_schedule()\n kfree(fore200e) | fore200e_tx_tasklet()\n | fore200e-\u003e // UAF\n\nFix this by ensuring tx_tasklet or rx_tasklet is properly canceled before\nthe fore200e is released. Add tasklet_kill() in fore200e_shutdown() to\nsynchronize with any pending or running tasklets. Moreover, since\nfore200e_reset() could prevent further interrupts or data transfers,\nthe tasklet_kill() should be placed after fore200e_reset() to prevent\nthe tasklet from being rescheduled in fore200e_interrupt(). Finally,\nit only needs to do tasklet_kill() when the fore200e state is greater\nthan or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized\nin earlier states. In a word, the tasklet_kill() should be placed in\nthe FORE200E_STATE_IRQ branch within the switch...case structure.\n\nThis bug was identified through static analysis.",
"id": "GHSA-864f-qffm-34wc",
"modified": "2026-05-08T15:31:17Z",
"published": "2026-05-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43203"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-864G-2436-49MM
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2022-05-24 17:06An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-5131"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software\u0027s Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
"id": "GHSA-864g-2436-49mm",
"modified": "2022-05-24T17:06:50Z",
"published": "2022-05-24T17:06:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5131"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0920"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-864J-6GWG-G82X
Vulnerability from github – Published: 2024-01-02 06:30 – Updated: 2024-01-02 06:30Memory corruption while running VK synchronization with KASAN enabled.
{
"affected": [],
"aliases": [
"CVE-2023-33094"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T06:15:11Z",
"severity": "HIGH"
},
"details": "Memory corruption while running VK synchronization with KASAN enabled.",
"id": "GHSA-864j-6gwg-g82x",
"modified": "2024-01-02T06:30:31Z",
"published": "2024-01-02T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33094"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-865H-4RJV-52PG
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2025-10-22 00:32Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-28550"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-02T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-865h-4rjv-52pg",
"modified": "2025-10-22T00:32:19Z",
"published": "2022-05-24T19:12:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28550"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-29.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28550"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-867G-7M7P-X84G
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-58734"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:55Z",
"severity": "HIGH"
},
"details": "Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally.",
"id": "GHSA-867g-7m7p-x84g",
"modified": "2025-10-14T18:30:33Z",
"published": "2025-10-14T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58734"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58734"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-867H-H9JH-9VF4
Vulnerability from github – Published: 2024-01-24 00:30 – Updated: 2025-06-20 21:31Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2024-0813"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-24T00:15:08Z",
"severity": "HIGH"
},
"details": "Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chromium security severity: Medium)",
"id": "GHSA-867h-h9jh-9vf4",
"modified": "2025-06-20T21:31:51Z",
"published": "2024-01-24T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0813"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1477151"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMI6GXFONZV6HE3BPZO3AP6GUVQLG4JQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXDSGAFQD4BDB4IB2O4ZUSHC3JCVQEKC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-868Q-J7QX-M3GF
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33Windows Remote Desktop Services Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49108"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:04:36Z",
"severity": "HIGH"
},
"details": "Windows Remote Desktop Services Remote Code Execution Vulnerability",
"id": "GHSA-868q-j7qx-m3gf",
"modified": "2024-12-12T03:33:05Z",
"published": "2024-12-12T03:33:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49108"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-86CV-V7JV-38F6
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2025-11-25 18:32A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
{
"affected": [],
"aliases": [
"CVE-2017-7809"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 52.3, Firefox ESR \u003c 52.3, and Firefox \u003c 55.",
"id": "GHSA-86cv-v7jv-38f6",
"modified": "2025-11-25T18:32:09Z",
"published": "2022-05-14T03:10:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7809"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2534"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1380284"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201803-14"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3928"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3968"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-18"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-19"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-20"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100203"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039124"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.