Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-97HP-RFMM-2C7W

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

An issue was discovered in Barrier before 2.3.4. An unauthenticated attacker can cause a segmentation fault in the barriers component (aka the server-side implementation of Barrier) by quickly opening and closing TCP connections while sending a Hello message for each TCP session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-08T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Barrier before 2.3.4. An unauthenticated attacker can cause a segmentation fault in the barriers component (aka the server-side implementation of Barrier) by quickly opening and closing TCP connections while sending a Hello message for each TCP session.",
  "id": "GHSA-97hp-rfmm-2c7w",
  "modified": "2022-05-24T19:20:04Z",
  "published": "2022-05-24T19:20:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/debauchee/barrier/releases/tag/v2.3.4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/11/02/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-97M7-V625-F2M3

Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-12-30 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()

Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:07Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
  "id": "GHSA-97m7-v625-f2m3",
  "modified": "2024-12-30T15:31:57Z",
  "published": "2024-05-19T09:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35861"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97VQ-MGMH-2R8Q

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-10-07 18:16
VLAI
Details

libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free.",
  "id": "GHSA-97vq-mgmh-2r8q",
  "modified": "2022-10-07T18:16:22Z",
  "published": "2022-05-24T17:17:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11866"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DFYDSKWFM2R5NKZOO2IN6X7SM3T2PWL"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/libemf/code/commit_browser"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/libemf/mailman/libemf-devel"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/libemf/news/2020/05/re-release-of-libemf-1012"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00036.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97VV-3JQH-R766

Vulnerability from github – Published: 2024-03-15 21:30 – Updated: 2025-02-27 03:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xen-netback: take a reference to the RX task thread

Do this in order to prevent the task from being freed if the thread returns (which can be triggered by the frontend) before the call to kthread_stop done as part of the backend tear down. Not taking the reference will lead to a use-after-free in that scenario. Such reference was taken before but dropped as part of the rework done in 2ac061ce97f4.

Reintroduce the reference taking and add a comment this time explaining why it's needed.

This is XSA-374 / CVE-2021-28691.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T21:15:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netback: take a reference to the RX task thread\n\nDo this in order to prevent the task from being freed if the thread\nreturns (which can be triggered by the frontend) before the call to\nkthread_stop done as part of the backend tear down. Not taking the\nreference will lead to a use-after-free in that scenario. Such\nreference was taken before but dropped as part of the rework done in\n2ac061ce97f4.\n\nReintroduce the reference taking and add a comment this time\nexplaining why it\u0027s needed.\n\nThis is XSA-374 / CVE-2021-28691.",
  "id": "GHSA-97vv-3jqh-r766",
  "modified": "2025-02-27T03:33:55Z",
  "published": "2024-03-15T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47111"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97W5-CCGQ-76PQ

Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-21 00:01
VLAI
Details

In periodic_io_work_func of lwis_periodic_io.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-195607566References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In periodic_io_work_func of lwis_periodic_io.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-195607566References: N/A",
  "id": "GHSA-97w5-ccgq-76pq",
  "modified": "2021-12-21T00:01:04Z",
  "published": "2021-12-16T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39638"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-97X4-GV8V-28VQ

Vulnerability from github – Published: 2024-09-27 15:30 – Updated: 2024-10-08 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine.

Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine.

Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T13:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info\n\nThe MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the\nroutine unconditionally frees submitted mailbox commands regardless of\nreturn status.  The issue is that for MBX_TIMEOUT cases, when firmware\nreturns SFP information at a later time, that same mailbox memory region\nreferences previously freed memory in its cmpl routine.\n\nFix by adding checks for the MBX_TIMEOUT return code.  During mailbox\nresource cleanup, check the mbox flag to make sure that the wait did not\ntimeout.  If the MBOX_WAKE flag is not set, then do not free the resources\nbecause it will be freed when firmware completes the mailbox at a later\ntime in its cmpl routine.\n\nAlso, increase the timeout from 30 to 60 seconds to accommodate boot\nscripts requiring longer timeouts.",
  "id": "GHSA-97x4-gv8v-28vq",
  "modified": "2024-10-08T18:33:07Z",
  "published": "2024-09-27T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46842"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bba47fe3b038cca3d3ebd799665ce69d6d273b58"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ede596b1434b57c0b3fd5c02b326efe5c54f6e48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9834-966G-Q77H

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

serial: caif: fix use-after-free in caif_serial ldisc_close()

There is a use-after-free bug in caif_serial where handle_tx() may access ser->tty after the tty has been freed.

The race condition occurs between ldisc_close() and packet transmission:

CPU 0 (close)                     CPU 1 (xmit)
-------------                     ------------
ldisc_close()
  tty_kref_put(ser->tty)
  [tty may be freed here]
                 <-- race window -->
                                  caif_xmit()
                                    handle_tx()
                                      tty = ser->tty  // dangling ptr
                                      tty->ops->write() // UAF!
  schedule_work()
    ser_release()
      unregister_netdevice()

The root cause is that tty_kref_put() is called in ldisc_close() while the network device is still active and can receive packets.

Since ser and tty have a 1:1 binding relationship with consistent lifecycles (ser is allocated in ldisc_open and freed in ser_release via unregister_netdevice, and each ser binds exactly one tty), we can safely defer the tty reference release to ser_release() where the network device is unregistered.

Fix this by moving tty_kref_put() from ldisc_close() to ser_release(), after unregister_netdevice(). This ensures the tty reference is held as long as the network device exists, preventing the UAF.

Note: We save ser->tty before unregister_netdevice() because ser is embedded in netdev's private data and will be freed along with netdev (needs_free_netdev = true).

How to reproduce: Add mdelay(500) at the beginning of ldisc_close() to widen the race window, then run the reproducer program 1.

Note: There is a separate deadloop issue in handle_tx() when using PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper serial backend). This deadloop exists even without this patch, and is likely caused by inconsistency between uart_write_room() and uart_write() in serial core. It has been addressed in a separate patch 2.

KASAN report:

================================================================== BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620 Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929

Call Trace: dump_stack_lvl+0x10e/0x1f0 print_report+0xd0/0x630 kasan_report+0xe4/0x120 handle_tx+0x5d1/0x620 dev_hard_start_xmit+0x9d/0x6c0 __dev_queue_xmit+0x6e2/0x4410 packet_xmit+0x243/0x360 packet_sendmsg+0x26cf/0x5500 __sys_sendto+0x4a3/0x520 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0xc9/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f615df2c0d7

Allocated by task 9930:

Freed by task 64:

Last potentially related work creation:

The buggy address belongs to the object at ffff8881131e1000 which belongs to the cache kmalloc-cg-2k of size 2048 The buggy address is located 1168 bytes inside of freed 2048-byte region [ffff8881131e1000, ffff8881131e1800)

The buggy address belongs to the physical page: page_owner tracks the page as allocated page last free pid 9778 tgid 9778 stack trace:

Memory state around the buggy address: ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:16:58Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: caif: fix use-after-free in caif_serial ldisc_close()\n\nThere is a use-after-free bug in caif_serial where handle_tx() may\naccess ser-\u003etty after the tty has been freed.\n\nThe race condition occurs between ldisc_close() and packet transmission:\n\n    CPU 0 (close)                     CPU 1 (xmit)\n    -------------                     ------------\n    ldisc_close()\n      tty_kref_put(ser-\u003etty)\n      [tty may be freed here]\n                     \u003c-- race window --\u003e\n                                      caif_xmit()\n                                        handle_tx()\n                                          tty = ser-\u003etty  // dangling ptr\n                                          tty-\u003eops-\u003ewrite() // UAF!\n      schedule_work()\n        ser_release()\n          unregister_netdevice()\n\nThe root cause is that tty_kref_put() is called in ldisc_close() while\nthe network device is still active and can receive packets.\n\nSince ser and tty have a 1:1 binding relationship with consistent\nlifecycles (ser is allocated in ldisc_open and freed in ser_release\nvia unregister_netdevice, and each ser binds exactly one tty), we can\nsafely defer the tty reference release to ser_release() where the\nnetwork device is unregistered.\n\nFix this by moving tty_kref_put() from ldisc_close() to ser_release(),\nafter unregister_netdevice(). This ensures the tty reference is held\nas long as the network device exists, preventing the UAF.\n\nNote: We save ser-\u003etty before unregister_netdevice() because ser is\nembedded in netdev\u0027s private data and will be freed along with netdev\n(needs_free_netdev = true).\n\nHow to reproduce: Add mdelay(500) at the beginning of ldisc_close()\nto widen the race window, then run the reproducer program [1].\n\nNote: There is a separate deadloop issue in handle_tx() when using\nPORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper\nserial backend). This deadloop exists even without this patch,\nand is likely caused by inconsistency between uart_write_room() and\nuart_write() in serial core. It has been addressed in a separate\npatch [2].\n\nKASAN report:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620\nRead of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929\n\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x10e/0x1f0\n print_report+0xd0/0x630\n kasan_report+0xe4/0x120\n handle_tx+0x5d1/0x620\n dev_hard_start_xmit+0x9d/0x6c0\n __dev_queue_xmit+0x6e2/0x4410\n packet_xmit+0x243/0x360\n packet_sendmsg+0x26cf/0x5500\n __sys_sendto+0x4a3/0x520\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0xc9/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f615df2c0d7\n\nAllocated by task 9930:\n\nFreed by task 64:\n\nLast potentially related work creation:\n\nThe buggy address belongs to the object at ffff8881131e1000\n which belongs to the cache kmalloc-cg-2k of size 2048\nThe buggy address is located 1168 bytes inside of\n freed 2048-byte region [ffff8881131e1000, ffff8881131e1800)\n\nThe buggy address belongs to the physical page:\npage_owner tracks the page as allocated\npage last free pid 9778 tgid 9778 stack trace:\n\nMemory state around the buggy address:\n ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                         ^\n ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\n[1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb\n[2]: https://lore.kernel.org/linux-serial/20260204074327.226165-1-jiayuan.chen@linux.dev/T/#u",
  "id": "GHSA-9834-966g-q77h",
  "modified": "2026-06-25T21:31:18Z",
  "published": "2026-05-27T15:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45866"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/308e7e4d0a846359685f40aade023aee7b27284c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/331e2b7051635780edea248dd08ae2026c126f4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/40962f2bf8cdba63af23aec95ad3f49b689e58e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e63d6f68544ae5269ac9735ae5b69b59b5b8725"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52731ef4438155cea782fac74e547a327ab9e7c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e266ba8d330d3b8e5bc198f238cd8901826cfa1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c8c197aaa56b25a2d54f3aa07e27e228d6c08546"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3c75db4e0460641dbcd274b40867e252d801da1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-983J-F2FQ-2775

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix freeze UAF in binder_release_work()

When a binder reference is cleaned up, any freeze work queued in the associated process should also be removed. Otherwise, the reference is freed while its ref->freeze.work is still queued in proc->work leading to a use-after-free issue as shown by the following KASAN report:

================================================================== BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0 Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211

CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: binder_release_work+0x398/0x3d0 binder_deferred_func+0xb60/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8

Allocated by task 703: __kmalloc_cache_noprof+0x130/0x280 binder_thread_write+0xdb4/0x42a0 binder_ioctl+0x18f0/0x25ac __arm64_sys_ioctl+0x124/0x190 invoke_syscall+0x6c/0x254

Freed by task 211: kfree+0xc4/0x230 binder_deferred_func+0xae8/0x109c process_one_work+0x51c/0xbd4 worker_thread+0x608/0xee8 ==================================================================

This commit fixes the issue by ensuring any queued freeze work is removed when cleaning up a binder reference.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:14Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix freeze UAF in binder_release_work()\n\nWhen a binder reference is cleaned up, any freeze work queued in the\nassociated process should also be removed. Otherwise, the reference is\nfreed while its ref-\u003efreeze.work is still queued in proc-\u003ework leading\nto a use-after-free issue as shown by the following KASAN report:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_release_work+0x398/0x3d0\n  Read of size 8 at addr ffff31600ee91488 by task kworker/5:1/211\n\n  CPU: 5 UID: 0 PID: 211 Comm: kworker/5:1 Not tainted 6.11.0-rc7-00382-gfc6c92196396 #22\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   binder_release_work+0x398/0x3d0\n   binder_deferred_func+0xb60/0x109c\n   process_one_work+0x51c/0xbd4\n   worker_thread+0x608/0xee8\n\n  Allocated by task 703:\n   __kmalloc_cache_noprof+0x130/0x280\n   binder_thread_write+0xdb4/0x42a0\n   binder_ioctl+0x18f0/0x25ac\n   __arm64_sys_ioctl+0x124/0x190\n   invoke_syscall+0x6c/0x254\n\n  Freed by task 211:\n   kfree+0xc4/0x230\n   binder_deferred_func+0xae8/0x109c\n   process_one_work+0x51c/0xbd4\n   worker_thread+0x608/0xee8\n  ==================================================================\n\nThis commit fixes the issue by ensuring any queued freeze work is removed\nwhen cleaning up a binder reference.",
  "id": "GHSA-983j-f2fq-2775",
  "modified": "2025-01-14T18:31:54Z",
  "published": "2024-12-27T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56554"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e20434cbca814cb91a0a261ca0106815ef48e5f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe39e0ea2d0ba7f508ff453c4c9a44a95ec0de29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9853-CW3R-5W4V

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31
VLAI
Details

Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:09Z",
    "severity": "HIGH"
  },
  "details": "Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-9853-cw3r-5w4v",
  "modified": "2026-06-05T03:31:33Z",
  "published": "2026-06-05T00:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11055"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/498881735"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-986P-R23C-CVG4

Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 03:58
VLAI
Details

Use after free in the Intel(R) VROC software before version 7.7.6.1003 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T14:15:11Z",
    "severity": "HIGH"
  },
  "details": "Use after free in the Intel(R) VROC software before version 7.7.6.1003 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-986p-r23c-cvg4",
  "modified": "2024-04-04T03:58:54Z",
  "published": "2023-05-10T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29919"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00692.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.