CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-992G-JF7J-F3WC
Vulnerability from github – Published: 2024-10-21 12:30 – Updated: 2026-05-12 12:32In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: always wait for both firmware loading attempts
In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN.
{
"affected": [],
"aliases": [
"CVE-2024-47718"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T12:15:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: always wait for both firmware loading attempts\n\nIn \u0027rtw_wait_firmware_completion()\u0027, always wait for both (regular and\nwowlan) firmware loading attempts. Otherwise if \u0027rtw_usb_intf_init()\u0027\nhas failed in \u0027rtw_usb_probe()\u0027, \u0027rtw_usb_disconnect()\u0027 may issue\n\u0027ieee80211_free_hw()\u0027 when one of \u0027rtw_load_firmware_cb()\u0027 (usually\nthe wowlan one) is still in progress, causing UAF detected by KASAN.",
"id": "GHSA-992g-jf7j-f3wc",
"modified": "2026-05-12T12:32:10Z",
"published": "2024-10-21T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47718"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b8178a2ae272256ea0dc4f940320a81003535e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7887ad11995a4142671cc49146db536f923c8568"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9432185540bafd42b7bfac6e6ef2f0a0fb4be447"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0c1e2da652cf70825739bc12d49ea15805690bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ceaab3fb64d6a5426a3db8f87f3e5757964f2532"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9a78d9417e167410d6fb83c4e908b077ad8ba6d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-993H-57JH-87G6
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:47Use-after-free vulnerability in Autodesk Design Review versions 2011, 2012, 2013, and 2018. An attacker may trick a user into opening a malicious DWF file that may leverage a use-after-free vulnerability, which may result in code execution.
{
"affected": [],
"aliases": [
"CVE-2019-7363"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-23T20:15:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in Autodesk Design Review versions 2011, 2012, 2013, and 2018. An attacker may trick a user into opening a malicious DWF file that may leverage a use-after-free vulnerability, which may result in code execution.",
"id": "GHSA-993h-57jh-87g6",
"modified": "2024-04-04T01:47:13Z",
"published": "2022-05-24T16:54:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7363"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2019-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-993M-7MXH-9WWG
Vulnerability from github – Published: 2022-05-14 03:55 – Updated: 2022-05-14 03:55Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.
{
"affected": [],
"aliases": [
"CVE-2016-6927"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-14T18:59:00Z",
"severity": "CRITICAL"
},
"details": "Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4272, CVE-2016-4279, CVE-2016-6921, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.",
"id": "GHSA-993m-7mxh-9wwg",
"modified": "2022-05-14T03:55:56Z",
"published": "2022-05-14T03:55:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6927"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb16-29.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201610-10"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1865.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92927"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036791"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-993Q-FVMM-5HV9
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-10 21:31In the Linux kernel, the following vulnerability has been resolved:
spi: mpc52xx: fix use-after-free on unbind
The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.
{
"affected": [],
"aliases": [
"CVE-2026-46219"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:37Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: mpc52xx: fix use-after-free on unbind\n\nThe state machine work is scheduled by the interrupt handler and\ntherefore needs to be cancelled after disabling interrupts to avoid a\npotential use-after-free.",
"id": "GHSA-993q-fvmm-5hv9",
"modified": "2026-06-10T21:31:25Z",
"published": "2026-05-28T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46219"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0944b20e9dfa2917bd70eb5b301cbb67fe54a718"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac8316c896c79f32c1d0a38cb41fd2b14cf8112e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed929d40963073f23cfb50219ccbcc6e0c3ea641"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9947-X7WP-628P
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Use after free in TabStrip in Google Chrome prior to 91.0.4472.77 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30524"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-07T20:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in TabStrip in Google Chrome prior to 91.0.4472.77 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-9947-x7wp-628p",
"modified": "2022-05-24T19:04:12Z",
"published": "2022-05-24T19:04:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30524"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1197146"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9963-GJF7-VW2R
Vulnerability from github – Published: 2022-12-21 15:30 – Updated: 2022-12-21 15:30In btif_a2dp_sink_command_ready of btif_a2dp_sink.cc, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-243922806
{
"affected": [],
"aliases": [
"CVE-2022-20552"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In btif_a2dp_sink_command_ready of btif_a2dp_sink.cc, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-243922806",
"id": "GHSA-9963-gjf7-vw2r",
"modified": "2022-12-21T15:30:18Z",
"published": "2022-12-21T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20552"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-996R-PRHC-HFJ8
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana_ib: Disable RX steering on RSS QP destroy
When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects.
If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs:
WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)
Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver.
Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.
{
"affected": [],
"aliases": [
"CVE-2026-46084"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana_ib: Disable RX steering on RSS QP destroy\n\nWhen an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()\ndestroys the RX WQ objects but does not disable vPort RX steering in\nfirmware. This leaves stale steering configuration that still points to\nthe destroyed RX objects.\n\nIf traffic continues to arrive (e.g. peer VM is still transmitting) and\nthe VF interface is subsequently brought up (mana_open), the firmware\nmay deliver completions using stale CQ IDs from the old RX objects.\nThese CQ IDs can be reused by the ethernet driver for new TX CQs,\ncausing RX completions to land on TX CQs:\n\n WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)\n WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)\n\nFix this by disabling vPort RX steering before destroying RX WQ objects.\nNote that mana_fence_rqs() cannot be used here because the fence\ncompletion is delivered on the CQ, which is polled by user-mode (e.g.\nDPDK) and not visible to the kernel driver.\n\nRefactor the disable logic into a shared mana_disable_vport_rx() in\nmana_en, exported for use by mana_ib, replacing the duplicate code.\nThe ethernet driver\u0027s mana_dealloc_queues() is also updated to call\nthis common function.",
"id": "GHSA-996r-prhc-hfj8",
"modified": "2026-06-24T18:32:30Z",
"published": "2026-05-27T15:33:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46084"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9979-85JW-XP9M
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-24 21:31Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
{
"affected": [],
"aliases": [
"CVE-2026-4711"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:07Z",
"severity": "CRITICAL"
},
"details": "Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
"id": "GHSA-9979-85jw-xp9m",
"modified": "2026-03-24T21:31:22Z",
"published": "2026-03-24T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4711"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2017002"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-997V-V566-5FF3
Vulnerability from github – Published: 2022-07-29 00:00 – Updated: 2022-08-03 00:00Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-2480"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-28T02:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-997v-v566-5ff3",
"modified": "2022-08-03T00:00:52Z",
"published": "2022-07-29T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2480"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1339844"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKLJ3B3D5BCVWE3QNP4N7HHF26OHD567"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-35"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168115/Chrome-content-ServiceWorkerVersion-MaybeTimeoutRequest-Heap-Use-After-Free.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9994-PJ6V-QVFQ
Vulnerability from github – Published: 2025-10-14 21:30 – Updated: 2025-10-14 21:30Substance3D - Stager versions 3.1.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-61802"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T20:15:52Z",
"severity": "HIGH"
},
"details": "Substance3D - Stager versions 3.1.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-9994-pj6v-qvfq",
"modified": "2025-10-14T21:30:47Z",
"published": "2025-10-14T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61802"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.