Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-8M45-P293-9XVP

Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-08-01 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/mes: fix use-after-free issue

Delete fence fallback timer to fix the ramdom use-after-free issue.

v2: move to amdgpu_mes.c

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-19T14:15:18Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/mes: fix use-after-free issue\n\nDelete fence fallback timer to fix the ramdom\nuse-after-free issue.\n\nv2: move to amdgpu_mes.c",
  "id": "GHSA-8m45-p293-9xvp",
  "modified": "2024-08-01T21:31:40Z",
  "published": "2024-06-19T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38581"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f98c144c15c8fc0f3176c994bd4e727ef718a5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39cfce75168c11421d70b8c0c65f6133edccb82a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70b1bf6d9edc8692d241f59a65f073aec6d501de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/948255282074d9367e01908b3f5dcf8c10fc9c3d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8M47-H338-9QFH

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2023-06-12 09:30
VLAI
Details

Use after free can occur due to improper handling of response from firmware in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-13T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free can occur due to improper handling of response from firmware in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
  "id": "GHSA-8m47-h338-9qfh",
  "modified": "2023-06-12T09:30:19Z",
  "published": "2022-05-24T19:07:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1940"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/july-2021-bulletin"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/172856/Qualcomm-NPU-Use-After-Free-Information-Leak.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8M8M-PRW4-V58W

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32
VLAI
Details

Trimble SketchUp Viewer SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24105.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T21:15:25Z",
    "severity": "HIGH"
  },
  "details": "Trimble SketchUp Viewer SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24105.",
  "id": "GHSA-8m8m-prw4-v58w",
  "modified": "2024-11-22T21:32:20Z",
  "published": "2024-11-22T21:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9721"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1482"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MC9-3VV7-XWF3

Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30
VLAI
Details

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T17:15:30Z",
    "severity": "HIGH"
  },
  "details": "Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability",
  "id": "GHSA-8mc9-3vv7-xwf3",
  "modified": "2024-09-10T18:30:46Z",
  "published": "2024-09-10T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38253"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38253"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MGW-7PFH-QV6C

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Kernel Mode Driver allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:17:12Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Kernel Mode Driver allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-8mgw-7pfh-qv6c",
  "modified": "2026-07-14T18:32:11Z",
  "published": "2026-07-14T18:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58602"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MHW-PHFM-55JR

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00
VLAI
Details

Use after free in survey in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in survey in Google Chrome on ChromeOS prior to 106.0.5249.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)",
  "id": "GHSA-8mhw-phfm-55jr",
  "modified": "2022-11-02T19:00:25Z",
  "published": "2022-11-02T12:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3305"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_27.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1319229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MVR-J92P-V42J

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-09T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file.",
  "id": "GHSA-8mvr-j92p-v42j",
  "modified": "2022-05-24T17:41:35Z",
  "published": "2022-05-24T17:41:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21138"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1122487"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8MW5-FW53-VQ24

Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2024-04-04 07:35
VLAI
Details

An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934.",
  "id": "GHSA-8mw5-fw53-vq24",
  "modified": "2024-04-04T07:35:54Z",
  "published": "2023-09-11T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39070"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/cppcheck/discussion/general/thread/fa43fb8ab1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MX3-669M-HQMF

Vulnerability from github – Published: 2023-03-08 00:30 – Updated: 2023-03-11 03:30
VLAI
Details

Use after free in Swiftshader in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-07T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Swiftshader in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-8mx3-669m-hqmf",
  "modified": "2023-03-11T03:30:17Z",
  "published": "2023-03-08T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1213"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/03/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1411210"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8P2M-944P-WQ2V

Vulnerability from github – Published: 2024-07-09 21:30 – Updated: 2024-07-11 15:30
VLAI
Details

In multiple functions of StatsService.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T21:15:14Z",
    "severity": "HIGH"
  },
  "details": "In multiple functions of StatsService.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-8p2m-944p-wq2v",
  "modified": "2024-07-11T15:30:46Z",
  "published": "2024-07-09T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31339"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/packages/modules/StatsD/+/795a0da721992432cae20fc9be21bcbce318bf5a"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.