CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9812 vulnerabilities reference this CWE, most recent first.
GHSA-8747-7F43-99GQ
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-15 00:30Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-8512"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:11Z",
"severity": "HIGH"
},
"details": "Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)",
"id": "GHSA-8747-7f43-99gq",
"modified": "2026-05-15T00:30:29Z",
"published": "2026-05-14T21:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8512"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/495782021"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8755-H2RP-P3RR
Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30Use after free in the UEFI firmware of some Intel(R) Server M20NTP BIOS may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2024-40885"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T21:15:28Z",
"severity": "HIGH"
},
"details": "Use after free in the UEFI firmware of some Intel(R) Server M20NTP BIOS may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-8755-h2rp-p3rr",
"modified": "2024-11-13T21:30:38Z",
"published": "2024-11-13T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40885"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01175.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-875J-57VX-426C
Vulnerability from github – Published: 2024-07-30 09:31 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix inode number range checks
Patch series "nilfs2: fix potential issues related to reserved inodes".
This series fixes one use-after-free issue reported by syzbot, caused by nilfs2's internal inode being exposed in the namespace on a corrupted filesystem, and a couple of flaws that cause problems if the starting number of non-reserved inodes written in the on-disk super block is intentionally (or corruptly) changed from its default value.
This patch (of 3):
In the current implementation of nilfs2, "nilfs->ns_first_ino", which gives the first non-reserved inode number, is read from the superblock, but its lower limit is not checked.
As a result, if a number that overlaps with the inode number range of reserved inodes such as the root directory or metadata files is set in the super block parameter, the inode number test macros (NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly.
In addition, these test macros use left bit-shift calculations using with the inode number as the shift count via the BIT macro, but the result of a shift calculation that exceeds the bit width of an integer is undefined in the C specification, so if "ns_first_ino" is set to a large value other than the default value NILFS_USER_INO (=11), the macros may potentially malfunction depending on the environment.
Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and by preventing bit shifts equal to or greater than the NILFS_USER_INO constant in the inode number test macros.
Also, change the type of "ns_first_ino" from signed integer to unsigned integer to avoid the need for type casting in comparisons such as the lower bound check introduced this time.
{
"affected": [],
"aliases": [
"CVE-2024-42105"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T08:15:03Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix inode number range checks\n\nPatch series \"nilfs2: fix potential issues related to reserved inodes\".\n\nThis series fixes one use-after-free issue reported by syzbot, caused by\nnilfs2\u0027s internal inode being exposed in the namespace on a corrupted\nfilesystem, and a couple of flaws that cause problems if the starting\nnumber of non-reserved inodes written in the on-disk super block is\nintentionally (or corruptly) changed from its default value. \n\n\nThis patch (of 3):\n\nIn the current implementation of nilfs2, \"nilfs-\u003ens_first_ino\", which\ngives the first non-reserved inode number, is read from the superblock,\nbut its lower limit is not checked.\n\nAs a result, if a number that overlaps with the inode number range of\nreserved inodes such as the root directory or metadata files is set in the\nsuper block parameter, the inode number test macros (NILFS_MDT_INODE and\nNILFS_VALID_INODE) will not function properly.\n\nIn addition, these test macros use left bit-shift calculations using with\nthe inode number as the shift count via the BIT macro, but the result of a\nshift calculation that exceeds the bit width of an integer is undefined in\nthe C specification, so if \"ns_first_ino\" is set to a large value other\nthan the default value NILFS_USER_INO (=11), the macros may potentially\nmalfunction depending on the environment.\n\nFix these issues by checking the lower bound of \"nilfs-\u003ens_first_ino\" and\nby preventing bit shifts equal to or greater than the NILFS_USER_INO\nconstant in the inode number test macros.\n\nAlso, change the type of \"ns_first_ino\" from signed integer to unsigned\ninteger to avoid the need for type casting in comparisons such as the\nlower bound check introduced this time.",
"id": "GHSA-875j-57vx-426c",
"modified": "2025-11-04T00:31:05Z",
"published": "2024-07-30T09:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42105"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/08cab183a624ba71603f3754643ae11cab34dbc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c91058425a01131ea30dda6cf43c67b17884d6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3be4dcc8d7bea52ea41f87aa4bbf959efe7a5987"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57235c3c88bb430043728d0d02f44a4efe386476"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/731011ac6c37cbe97ece229fc6daa486276052c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9194f8ca57527958bee207919458e372d638d783"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e2fec219a36e0993642844be0f345513507031f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fae1959d6ab2c52677b113935e36ab4e25df37ea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-875M-Q5C9-G9V7
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:50A use-after-free flaw in the sandbox container implemented in cmdguard.sys in Comodo Antivirus 12.0.0.6870 can be triggered due to a race condition when handling IRP_MJ_CLEANUP requests in the minifilter for directory change notifications. This allows an attacker to cause a denial of service (BSOD) when an executable is run inside the container.
{
"affected": [],
"aliases": [
"CVE-2019-14694"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "A use-after-free flaw in the sandbox container implemented in cmdguard.sys in Comodo Antivirus 12.0.0.6870 can be triggered due to a race condition when handling IRP_MJ_CLEANUP requests in the minifilter for directory change notifications. This allows an attacker to cause a denial of service (BSOD) when an executable is run inside the container.",
"id": "GHSA-875m-q5c9-g9v7",
"modified": "2024-04-04T01:50:13Z",
"published": "2022-05-24T16:55:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14694"
},
{
"type": "WEB",
"url": "https://github.com/SouhailHammou/Exploits/blob/master/CVE-2019-14694%20-%20Comodo%20AV%20Sandbox%20Race%20Condition%20UAF/comodo_av_uaf_poc.c"
},
{
"type": "WEB",
"url": "http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-877F-88X9-CX9X
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-23 03:30In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF
ib_dealloc_device() should be called only after device cleanup. Fix the dealloc sequence.
{
"affected": [],
"aliases": [
"CVE-2023-53504"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:54Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF\n\nib_dealloc_device() should be called only after device cleanup. Fix the\ndealloc sequence.",
"id": "GHSA-877f-88x9-cx9x",
"modified": "2026-01-23T03:30:29Z",
"published": "2025-10-01T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53504"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5363fc488da579923edf6a2fdca3d3b651dd800b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c95863f6d970ef968e7c1f3c481f72a4b0734654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-877W-H65V-8769
Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00An issue was discovered in yasm version 1.3.0. There is a use-after-free in pp_getline() in modules/preprocs/nasm/nasm-pp.c.
{
"affected": [],
"aliases": [
"CVE-2021-33467"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-26T13:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in yasm version 1.3.0. There is a use-after-free in pp_getline() in modules/preprocs/nasm/nasm-pp.c.",
"id": "GHSA-877w-h65v-8769",
"modified": "2022-07-29T00:00:33Z",
"published": "2022-07-27T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33467"
},
{
"type": "WEB",
"url": "https://github.com/yasm/yasm/issues/163"
},
{
"type": "WEB",
"url": "https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-879W-9VPF-9PW9
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
{
"affected": [],
"aliases": [
"CVE-2020-8265"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-06T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.",
"id": "GHSA-879w-9vpf-9pw9",
"modified": "2022-05-24T17:38:07Z",
"published": "2022-05-24T17:38:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8265"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/988103"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H472D5HPXN6RRXCNFML3BK5OYC52CXF2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/january-2021-security-releases"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210212-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4826"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87C4-94W2-RW7J
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-11-03 21:34A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12.
{
"affected": [],
"aliases": [
"CVE-2025-6424"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T13:15:23Z",
"severity": "CRITICAL"
},
"details": "A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox \u003c 140, Firefox ESR \u003c 115.25, and Firefox ESR \u003c 128.12.",
"id": "GHSA-87c4-94w2-rw7j",
"modified": "2025-11-03T21:34:04Z",
"published": "2025-06-26T21:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6424"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1966423"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-51"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-52"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-53"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-54"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-55"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87CP-V4GR-V7CG
Vulnerability from github – Published: 2022-05-14 03:57 – Updated: 2022-05-14 03:57Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.
{
"affected": [],
"aliases": [
"CVE-2016-4272"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-14T18:59:00Z",
"severity": "CRITICAL"
},
"details": "Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.",
"id": "GHSA-87cp-v4gr-v7cg",
"modified": "2022-05-14T03:57:22Z",
"published": "2022-05-14T03:57:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4272"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb16-29.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201610-10"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1865.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92927"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036791"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87GX-4GW3-WVR8
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-21226"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-26T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.",
"id": "GHSA-87gx-4gw3-wvr8",
"modified": "2022-05-24T17:48:46Z",
"published": "2022-05-24T17:48:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21226"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1197904"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4906"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.