CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-8R72-QQQ9-Q3QQ
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-49711"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:58Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
"id": "GHSA-8r72-qqq9-q3qq",
"modified": "2025-07-08T18:31:48Z",
"published": "2025-07-08T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49711"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49711"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R77-RXC7-QGVV
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2025-11-03 21:33Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird ESR < 128.9.
{
"affected": [],
"aliases": [
"CVE-2025-3030"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T13:15:41Z",
"severity": "HIGH"
},
"details": "Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 137, Firefox ESR \u003c 128.9, Thunderbird \u003c 137, and Thunderbird ESR \u003c 128.9.",
"id": "GHSA-8r77-rxc7-qgvv",
"modified": "2025-11-03T21:33:20Z",
"published": "2025-04-01T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3030"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1850615%2C1932468%2C1942551%2C1951017%2C1951494"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R7R-57G7-WQ5J
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-45599"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:28Z",
"severity": "HIGH"
},
"details": "Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-8r7r-57g7-wq5j",
"modified": "2026-06-09T18:30:51Z",
"published": "2026-06-09T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45599"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45599"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R7R-5QGR-54W2
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-21 21:31Use after free in Passwords in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-3055"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-26T16:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Passwords in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-8r7r-5qgr-54w2",
"modified": "2025-05-21T21:31:09Z",
"published": "2022-09-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3055"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1351969"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R7R-QMQ5-VJR8
Vulnerability from github – Published: 2023-04-04 15:30 – Updated: 2023-04-11 18:30SWFTools v0.9.2 was discovered to contain a stack-use-after-scope in the swf_ReadSWF2 function in lib/rfxswf.c.
{
"affected": [],
"aliases": [
"CVE-2023-26991"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-04T15:15:00Z",
"severity": "HIGH"
},
"details": "SWFTools v0.9.2 was discovered to contain a stack-use-after-scope in the swf_ReadSWF2 function in lib/rfxswf.c.",
"id": "GHSA-8r7r-qmq5-vjr8",
"modified": "2023-04-11T18:30:28Z",
"published": "2023-04-04T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26991"
},
{
"type": "WEB",
"url": "https://github.com/matthiaskramm/swftools/issues/196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R7X-5H24-W5CX
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:22Multiple open and close from multiple threads will lead camera driver to access destroyed session data pointer in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016
{
"affected": [],
"aliases": [
"CVE-2019-2290"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-25T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple open and close from multiple threads will lead camera driver to access destroyed session data pointer in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDM660, SDX20, SDX24, Snapdragon_High_Med_2016",
"id": "GHSA-8r7x-5h24-w5cx",
"modified": "2024-04-04T01:22:27Z",
"published": "2022-05-24T16:51:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2290"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2019/07/01/july-2019-code-aurora-security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R89-R77H-8GVM
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31In the Linux kernel, the following vulnerability has been resolved:
ASoC: core: Fix use-after-free in snd_soc_exit()
KASAN reports a use-after-free:
BUG: KASAN: use-after-free in device_del+0xb5b/0xc60 Read of size 8 at addr ffff888008655050 by task rmmod/387 CPU: 2 PID: 387 Comm: rmmod Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: dump_stack_lvl+0x79/0x9a print_report+0x17f/0x47b kasan_report+0xbb/0xf0 device_del+0xb5b/0xc60 platform_device_del.part.0+0x24/0x200 platform_device_unregister+0x2e/0x40 snd_soc_exit+0xa/0x22 [snd_soc_core] __do_sys_delete_module.constprop.0+0x34f/0x5b0 do_syscall_64+0x3a/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd ...
It's bacause in snd_soc_init(), snd_soc_util_init() is possble to fail, but its ret is ignored, which makes soc_dummy_dev unregistered twice.
snd_soc_init() snd_soc_util_init() platform_device_register_simple(soc_dummy_dev) platform_driver_register() # fail platform_device_unregister(soc_dummy_dev) platform_driver_register() # success ... snd_soc_exit() snd_soc_util_exit() # soc_dummy_dev will be unregistered for second time
To fix it, handle error and stop snd_soc_init() when util_init() fail. Also clean debugfs when util_init() or driver_register() fail.
{
"affected": [],
"aliases": [
"CVE-2022-49842"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Fix use-after-free in snd_soc_exit()\n\nKASAN reports a use-after-free:\n\nBUG: KASAN: use-after-free in device_del+0xb5b/0xc60\nRead of size 8 at addr ffff888008655050 by task rmmod/387\nCPU: 2 PID: 387 Comm: rmmod\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x79/0x9a\nprint_report+0x17f/0x47b\nkasan_report+0xbb/0xf0\ndevice_del+0xb5b/0xc60\nplatform_device_del.part.0+0x24/0x200\nplatform_device_unregister+0x2e/0x40\nsnd_soc_exit+0xa/0x22 [snd_soc_core]\n__do_sys_delete_module.constprop.0+0x34f/0x5b0\ndo_syscall_64+0x3a/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n...\n\u003c/TASK\u003e\n\nIt\u0027s bacause in snd_soc_init(), snd_soc_util_init() is possble to fail,\nbut its ret is ignored, which makes soc_dummy_dev unregistered twice.\n\nsnd_soc_init()\n snd_soc_util_init()\n platform_device_register_simple(soc_dummy_dev)\n platform_driver_register() # fail\n \tplatform_device_unregister(soc_dummy_dev)\n platform_driver_register() # success\n...\nsnd_soc_exit()\n snd_soc_util_exit()\n # soc_dummy_dev will be unregistered for second time\n\nTo fix it, handle error and stop snd_soc_init() when util_init() fail.\nAlso clean debugfs when util_init() or driver_register() fail.",
"id": "GHSA-8r89-r77h-8gvm",
"modified": "2025-05-07T15:31:24Z",
"published": "2025-05-01T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49842"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ec3f558db343b045a7c7419cdbaec266b8ac1a7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34eee4189bcebbd5f6a2ff25ef0cb893ad33d51e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41fad4f712e081acdfde8b59847f9f66eaf407a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6ec27c53886c8963729885bcf2dd996eba2767a7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d21554ec7680e9585fb852d933203c3db60dad1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90bbdf30a51e42378cb23a312005a022794b8e1e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a3365e62239dc064019a244bde5686ac18527c22"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5674bd073c0fd9f620ca550c5ff08d0d429bdd9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R96-VH27-XGF4
Vulnerability from github – Published: 2025-07-28 12:30 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
tls: always refresh the queue when reading sock
After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry.
BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
(net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)
Read of size 4 at addr ffff888013085750 by task tls/13529
CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme
Call Trace:
kasan_report+0xca/0x100
tls_strp_check_rcv+0x898/0x9a0 [tls]
tls_rx_rec_wait+0x2c9/0x8d0 [tls]
tls_sw_recvmsg+0x40f/0x1aa0 [tls]
inet_recvmsg+0x1c3/0x1f0
Always reload the queue, fast path is to have the record in the queue when we wake, anyway (IOW the path going down "if !strp->stm.full_len").
{
"affected": [],
"aliases": [
"CVE-2025-38471"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T12:15:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n Read of size 4 at addr ffff888013085750 by task tls/13529\n\n CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n Call Trace:\n kasan_report+0xca/0x100\n tls_strp_check_rcv+0x898/0x9a0 [tls]\n tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp-\u003estm.full_len\").",
"id": "GHSA-8r96-vh27-xgf4",
"modified": "2026-05-12T15:30:58Z",
"published": "2025-07-28T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38471"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8R9Q-V9VQ-PQRF
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2020-3746"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-13T16:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-8r9q-v9vq-pqrf",
"modified": "2022-05-24T17:08:58Z",
"published": "2022-05-24T17:08:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3746"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb20-05.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8RC5-MR4F-M243
Vulnerability from github – Published: 2021-08-25 20:46 – Updated: 2021-08-19 21:18An issue was discovered in the rio crate through 2020-05-11 for Rust. A struct can be leaked, allowing attackers to obtain sensitive information, cause a use-after-free, or cause a data race.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35876"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-772"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:18:55Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "An issue was discovered in the rio crate through 2020-05-11 for Rust. A struct can be leaked, allowing attackers to obtain sensitive information, cause a use-after-free, or cause a data race.",
"id": "GHSA-8rc5-mr4f-m243",
"modified": "2021-08-19T21:18:55Z",
"published": "2021-08-25T20:46:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35876"
},
{
"type": "WEB",
"url": "https://github.com/spacejam/rio/issues/11"
},
{
"type": "WEB",
"url": "https://github.com/spacejam/rio/pull/31"
},
{
"type": "PACKAGE",
"url": "https://github.com/spacejam/rio"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use after free in rio"
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.