Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-922C-WMF5-RMHJ

Vulnerability from github – Published: 2023-09-11 15:31 – Updated: 2024-04-04 07:35
VLAI
Details

GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T15:16:02Z",
    "severity": "MODERATE"
  },
  "details": "GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.",
  "id": "GHSA-922c-wmf5-rmhj",
  "modified": "2024-04-04T07:35:24Z",
  "published": "2023-09-11T15:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41000"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/2550"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-922W-VH7F-4CXH

Vulnerability from github – Published: 2024-11-27 12:31 – Updated: 2024-11-27 12:31
VLAI
Details

There was discovered a use after free bug in browser.c in the es_browser_get_variant function

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-27T12:15:20Z",
    "severity": "MODERATE"
  },
  "details": "There was discovered a use after free bug in browser.c in the es_browser_get_variant function",
  "id": "GHSA-922w-vh7f-4cxh",
  "modified": "2024-11-27T12:31:54Z",
  "published": "2024-11-27T12:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42326"
    },
    {
      "type": "WEB",
      "url": "https://support.zabbix.com/browse/ZBX-25622"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-923J-376F-6X65

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Internal System User Profile allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:45Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Internal System User Profile allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-923j-376f-6x65",
  "modified": "2026-07-14T18:32:22Z",
  "published": "2026-07-14T18:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50425"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50425"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-926M-QFG2-2W89

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-30 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: fix potential UAF in create_big_sync

Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().

Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().

hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.

Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:26Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in create_big_sync\n\nAdd hci_conn_valid() check in create_big_sync() to detect stale\nconnections before proceeding with BIG creation. Handle the\nresulting -ECANCELED in create_big_complete() and re-validate the\nconnection under hci_dev_lock() before dereferencing, matching the\npattern used by create_le_conn_complete() and create_pa_complete().\n\nKeep the hci_conn object alive across the async boundary by taking\na reference via hci_conn_get() when queueing create_big_sync(), and\ndropping it in the completion callback. The refcount and the lock\nare complementary: the refcount keeps the object allocated, while\nhci_dev_lock() serializes hci_conn_hash_del()\u0027s list_del_rcu() on\nhdev-\u003econn_hash, as required by hci_conn_del().\n\nhci_conn_put() is called outside hci_dev_unlock() so the final put\n(which resolves to kfree() via bt_link_release) does not run under\nhdev-\u003elock, though the release path would be safe either way.\n\nWithout this, create_big_complete() would unconditionally\ndereference the conn pointer on error, causing a use-after-free\nvia hci_connect_cfm() and hci_conn_del().",
  "id": "GHSA-926m-qfg2-2w89",
  "modified": "2026-05-30T12:30:25Z",
  "published": "2026-05-28T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46111"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0beddb0c380bed5f5b8e61ddbe14635bb73d0b41"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1750a2df0eab61dc421a7afae74abdd239a44b85"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6823f730bf195fc296d9edd09e2ca94bc1ff5584"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc34f8d8240f25dd137dc2758ebbcc75e3779142"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8eaf92c57ad99358dd372580d5ff87623343a72"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92C9-MCJW-QRH5

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the exportAsFDF function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6332.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the exportAsFDF function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6332.",
  "id": "GHSA-92c9-mcjw-qrh5",
  "modified": "2022-05-13T01:34:33Z",
  "published": "2022-05-13T01:34:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14312"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-772"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92CX-4XM7-JR9M

Vulnerability from github – Published: 2022-01-06 22:02 – Updated: 2022-01-07 16:09
VLAI
Summary
Use After Free in rusqlite
Details

An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_scalar_function has a use-after-free.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rusqlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.25.0"
            },
            {
              "fixed": "0.25.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rusqlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.26.0"
            },
            {
              "fixed": "0.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-45713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-05T21:05:16Z",
    "nvd_published_at": "2021-12-26T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and 0.26.x before 0.26.2 for Rust. create_scalar_function has a use-after-free.",
  "id": "GHSA-92cx-4xm7-jr9m",
  "modified": "2022-01-07T16:09:58Z",
  "published": "2022-01-06T22:02:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rusqlite/rusqlite/issues/1048"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rusqlite/rusqlite/pull/1049"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rusqlite/rusqlite/commit/30f8c8c502675011603c4d066396bf317fd49e71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rusqlite/rusqlite/commit/612158507e90f41d409cd0fa80eb21c992b1bc08"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rusqlite/rusqlite/commit/934e0c709e156753881da98b32e9853f9ffe4a1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rusqlite/rusqlite/commit/f4f95f8caf9fd53bffd0c19530be2484c644cc16"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rusqlite/rusqlite"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/rusqlite/RUSTSEC-2021-0128.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0128.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use After Free in rusqlite"
}

GHSA-92CX-CG65-38VH

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-21 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The problem was in incorrect htc_handle->drv_priv initialization.

Probable call trace which can trigger use-after-free:

ath9k_htc_probe_device() / htc_handle->drv_priv = priv; / ath9k_htc_wait_for_target() <--- Failed ieee80211_free_hw() <--- priv pointer is freed

... ath9k_hif_usb_rx_cb() ath9k_hif_usb_rx_stream() RX_STAT_INC() <--- htc_handle->drv_priv access

In order to not add fancy protection for drv_priv we can move htc_handle->drv_priv initialization at the end of the ath9k_htc_probe_device() and add helper macro to make all STAT macros NULL safe, since syzbot has reported related NULL deref in that macros [1]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:48Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath9k: fix use-after-free in ath9k_hif_usb_rx_cb\n\nSyzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The\nproblem was in incorrect htc_handle-\u003edrv_priv initialization.\n\nProbable call trace which can trigger use-after-free:\n\nath9k_htc_probe_device()\n  /* htc_handle-\u003edrv_priv = priv; */\n  ath9k_htc_wait_for_target()      \u003c--- Failed\n  ieee80211_free_hw()\t\t   \u003c--- priv pointer is freed\n\n\u003cIRQ\u003e\n...\nath9k_hif_usb_rx_cb()\n  ath9k_hif_usb_rx_stream()\n   RX_STAT_INC()\t\t\u003c--- htc_handle-\u003edrv_priv access\n\nIn order to not add fancy protection for drv_priv we can move\nhtc_handle-\u003edrv_priv initialization at the end of the\nath9k_htc_probe_device() and add helper macro to make\nall *_STAT_* macros NULL safe, since syzbot has reported related NULL\nderef in that macros [1]",
  "id": "GHSA-92cx-cg65-38vh",
  "modified": "2025-11-21T00:30:18Z",
  "published": "2025-06-18T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50179"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03ca957c5f7b55660957eda20b5db4110319ac7a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ac4827f78c7ffe8eef074bc010e7e34bc22f533"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b14ab47937ba441e75e8dbb9fbfc9c55efa41c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab7a0ddf5f1cdec63cb21840369873806fc36d80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b66ebac40f64336ae2d053883bee85261060bd27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9e21206b8ea62220b486310c61277e7ebfe7cec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eccd7c3e2596b574241a7670b5b53f5322f470e5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92F7-C7HW-58CR

Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-06-26 00:31
VLAI
Details

netfilter: nft_set_rbtree: skip end interval element from gc

rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "netfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.",
  "id": "GHSA-92f7-c7hw-58cr",
  "modified": "2024-06-26T00:31:34Z",
  "published": "2024-02-20T15:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1296c110c5a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60c0c230c6f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6eb14441f106"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b734f7a47aeb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c60d252949caf9aba537525195edae6bbabc35eb"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92GW-RWM2-JQV6

Vulnerability from github – Published: 2022-05-14 00:53 – Updated: 2022-05-14 00:53
VLAI
Details

Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-20T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.",
  "id": "GHSA-92gw-rwm2-jqv6",
  "modified": "2022-05-14T00:53:19Z",
  "published": "2022-05-14T00:53:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5009"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb18-21.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104701"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-92HV-JCVF-RQG6

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ip6_gre: Use cached t->net in ip6erspan_changelink().

After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.

This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().

Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).

ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:27Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: Use cached t-\u003enet in ip6erspan_changelink().\n\nAfter commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of\nrtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns\nip6gre hash via link_net. ip6erspan_changelink() was not converted in\nthat series and still uses dev_net(dev), which diverges from the\ndevice\u0027s creation netns after IFLA_NET_NS_FD migration.\n\nThis re-inserts the tunnel into the wrong per-netns hash. The\noriginal netns keeps a stale entry. When that netns is later\ndestroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a\nslab-use-after-free reported by KASAN, followed by a kernel BUG at\nnet/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().\n\nReachable from an unprivileged user namespace (unshare --user\n--map-root-user --net).\n\nip6gre_changelink() earlier in the same file already uses the cached\nt-\u003enet; only ip6erspan_changelink() has the wrong shape.",
  "id": "GHSA-92hv-jcvf-rqg6",
  "modified": "2026-06-01T18:31:36Z",
  "published": "2026-05-28T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46120"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01b71ff2857d3598337de11e7840a8e3ff21553c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0fcf6731706f73494245a9c0d64f93bebf95bb51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d324c2f43f70c965f25c58cc3611c779adbe47e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/311fdd26eb4443d43b909cc67a10f3a5fd1b21b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bd0f2b162b426b343a114e1b329f0d8d14fdc6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf7fc624329e76c6394653d12353e1d033adea91"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e70cfb40c3a99b232cd42c6a6a10f0d8e039dc82"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eca62bb0569de4d43a4dac06a2092a9d4ca1d702"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.