Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-9CRJ-F8M2-WRGJ

Vulnerability from github – Published: 2022-05-17 02:24 – Updated: 2022-05-17 02:24
VLAI
Details

Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "btypevec."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-4487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-24T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to \"btypevec.\"",
  "id": "GHSA-9crj-f8m2-wrgj",
  "modified": "2022-05-17T02:24:42Z",
  "published": "2022-05-17T02:24:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4487"
    },
    {
      "type": "WEB",
      "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/05/05/5"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/90025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CV6-QCJW-4GRX

Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47
VLAI
Summary
Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling
Details

Summary

Oj::Parser#parse in usual mode with create_id enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/usual.c
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/usual.c, form_attr:

// usual.c:55–64
static ID form_attr(const char *str, size_t slen) {
    char        buf[4096];
    // ...
    int  blen = (int)slen + 1;    // ← truncates: 65535 + 1 = 65536 → wraps to 0
                                  //   or: 65535 cast to int = 65535 (fits),
                                  //   but blen = 65536 → INT overflow on +1 if slen=INT_MAX
    // ...
    memcpy(buf, "@", 1);
    memcpy(buf + 1, str, (size_t)blen);  // ← size_t(-1) = SIZE_MAX
}

The cache (cache_intern) uses a fixed 65,536-byte slab. When slen = 65535, the arithmetic wraps and memcpy is called with (size_t)-1.

ASAN report:

==80452==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 memcpy
    #1 form_attr          /ext/oj/usual.c:63
    #2 cache_intern       /ext/oj/cache.c:326
    #3 get_attr_id        /ext/oj/usual.c:186
    #4 close_object_create  /ext/oj/usual.c:374
    #5 parse              /ext/oj/parser.c:693
    #6 parser_parse       /ext/oj/parser.c:1408
0x531000528800 is located 0 bytes inside of 65536-byte region [0x531000528800, 0x531000538800)

Reproduce

Generate the payload:

key = 'A' * 65535
with open('poc.json', 'w') as f:
    f.write('{"json_class":"Oj::Bag","' + key + '":1}')

Trigger:

require 'oj'
Oj::Parser.new(:usual, create_id: 'json_class').parse(STDIN.read)
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.17.2"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "oj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:47:23Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable to heap corruption via a negative-size `memcpy`. When a JSON object key is exactly 65,535 bytes long, an integer truncation in `form_attr` (`usual.c:63`) converts the length to `-1` before passing it to `memcpy`. This causes `memcpy` to copy `SIZE_MAX` bytes (interpreted as a huge `size_t`), corrupting heap memory and crashing the process.\n\n### Version\n\n- **Software**: oj gem\n- **Affected**: all versions with `ext/oj/usual.c`\n- **Latest tested**: 3.17.1 (confirmed present)\n\n### Details\n\n`ext/oj/usual.c`, `form_attr`:\n\n```c\n// usual.c:55\u201364\nstatic ID form_attr(const char *str, size_t slen) {\n    char        buf[4096];\n    // ...\n    int  blen = (int)slen + 1;    // \u2190 truncates: 65535 + 1 = 65536 \u2192 wraps to 0\n                                  //   or: 65535 cast to int = 65535 (fits),\n                                  //   but blen = 65536 \u2192 INT overflow on +1 if slen=INT_MAX\n    // ...\n    memcpy(buf, \"@\", 1);\n    memcpy(buf + 1, str, (size_t)blen);  // \u2190 size_t(-1) = SIZE_MAX\n}\n```\n\nThe cache (`cache_intern`) uses a fixed 65,536-byte slab. When `slen = 65535`, the arithmetic wraps and `memcpy` is called with `(size_t)-1`.\n\nASAN report:\n```\n==80452==ERROR: AddressSanitizer: negative-size-param: (size=-1)\n    #0 memcpy\n    #1 form_attr          /ext/oj/usual.c:63\n    #2 cache_intern       /ext/oj/cache.c:326\n    #3 get_attr_id        /ext/oj/usual.c:186\n    #4 close_object_create  /ext/oj/usual.c:374\n    #5 parse              /ext/oj/parser.c:693\n    #6 parser_parse       /ext/oj/parser.c:1408\n0x531000528800 is located 0 bytes inside of 65536-byte region [0x531000528800, 0x531000538800)\n```\n\n### Reproduce\n\nGenerate the payload:\n\n```python\nkey = \u0027A\u0027 * 65535\nwith open(\u0027poc.json\u0027, \u0027w\u0027) as f:\n    f.write(\u0027{\"json_class\":\"Oj::Bag\",\"\u0027 + key + \u0027\":1}\u0027)\n```\n\nTrigger:\n\n```ruby\nrequire \u0027oj\u0027\nOj::Parser.new(:usual, create_id: \u0027json_class\u0027).parse(STDIN.read)\n```",
  "id": "GHSA-9cv6-qcjw-4grx",
  "modified": "2026-06-19T20:47:23Z",
  "published": "2026-06-19T20:47:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ohler55/oj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling"
}

GHSA-9CWC-PF2G-QX32

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 18:31
VLAI
Details

Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:14Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-9cwc-pf2g-qx32",
  "modified": "2026-06-05T18:31:35Z",
  "published": "2026-06-05T00:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11094"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/500174874"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F2J-4QC4-329W

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-15 15:32
VLAI
Details

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:44Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-9f2j-4qc4-329w",
  "modified": "2026-07-15T15:32:53Z",
  "published": "2026-07-14T18:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58613"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58613"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2426"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F4G-PMFG-4P4Q

Vulnerability from github – Published: 2023-04-13 09:30 – Updated: 2024-04-04 03:26
VLAI
Details

Memory corruption due to use after free in Modem while modem initialization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-13T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption due to use after free in Modem while modem initialization.",
  "id": "GHSA-9f4g-pmfg-4p4q",
  "modified": "2024-04-04T03:26:04Z",
  "published": "2023-04-13T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33298"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/april-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F66-CV49-738X

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ila: call nf_unregister_net_hooks() sooner

syzbot found an use-after-free Read in ila_nf_input [1]

Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks().

It should be done in the reverse way, with a synchronize_rcu().

This is a good match for a pre_exit() method.

[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16

CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] kmalloclarge_node+0x8b/0x1d0 mm/slub.c:4103 kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: call nf_unregister_net_hooks() sooner\n\nsyzbot found an use-after-free Read in ila_nf_input [1]\n\nIssue here is that ila_xlat_exit_net() frees the rhashtable,\nthen call nf_unregister_net_hooks().\n\nIt should be done in the reverse way, with a synchronize_rcu().\n\nThis is a good match for a pre_exit() method.\n\n[1]\n BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\nRead of size 4 at addr ffff888064620008 by task ksoftirqd/0/16\n\nCPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:93 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n  print_address_description mm/kasan/report.c:377 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:488\n  kasan_report+0x143/0x180 mm/kasan/report.c:601\n  rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n  __rhashtable_lookup include/linux/rhashtable.h:604 [inline]\n  rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n  rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672\n  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]\n  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n  ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190\n  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n  nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n  nf_hook include/linux/netfilter.h:269 [inline]\n  NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312\n  __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n  __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775\n  process_backlog+0x662/0x15b0 net/core/dev.c:6108\n  __napi_poll+0xcb/0x490 net/core/dev.c:6772\n  napi_poll net/core/dev.c:6841 [inline]\n  net_rx_action+0x89b/0x1240 net/core/dev.c:6963\n  handle_softirqs+0x2c4/0x970 kernel/softirq.c:554\n  run_ksoftirqd+0xca/0x130 kernel/softirq.c:928\n  smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xbfffffff(buddy)\nraw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000\nraw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187\n  set_page_owner include/linux/page_owner.h:32 [inline]\n  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493\n  prep_new_page mm/page_alloc.c:1501 [inline]\n  get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439\n  __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695\n  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]\n  alloc_pages_node_noprof include/linux/gfp.h:296 [inline]\n  ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103\n  __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130\n  __do_kmalloc_node mm/slub.c:4146 [inline]\n  __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164\n  __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650\n  bucket_table_alloc lib/rhashtable.c:186 [inline]\n  rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071\n  ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613\n  ops_ini\n---truncated---",
  "id": "GHSA-9f66-cv49-738x",
  "modified": "2025-11-04T00:31:29Z",
  "published": "2024-09-18T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46782"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/031ae72825cef43e4650140b800ad58bf7a6a466"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18a5a16940464b301ea91bf5da3a324aedb347b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43d34110882b97ba1ec66cc8234b18983efb9abf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47abd8adddbc0aecb8f231269ef659148d5dabe4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/925c18a7cff93d8a4320d652351294ff7d0ac93c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93ee345ba349922834e6a9d1dadabaedcc12dce6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bda4d84ac0d5421b346faee720011f58bdb99673"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dcaf4e2216824839d26727a15b638c6a677bd9fc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F8F-453P-RG87

Vulnerability from github – Published: 2024-06-25 00:34 – Updated: 2024-07-03 18:46
VLAI
Details

Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-24T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-9f8f-453p-rg87",
  "modified": "2024-07-03T18:46:39Z",
  "published": "2024-06-25T00:34:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6293"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/345993680"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6OJ65HWXYSYMH55VDO6N36EOZFUNL4O"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHV5WTU27YOIBIM2CON42SHWY6J2HPRS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F8V-8FJG-5P5W

Vulnerability from github – Published: 2022-05-14 00:53 – Updated: 2022-05-14 00:53
VLAI
Details

Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-09T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.",
  "id": "GHSA-9f8v-8fjg-5p5w",
  "modified": "2022-05-14T00:53:29Z",
  "published": "2022-05-14T00:53:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4954"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-18-442"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104169"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040920"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FG2-HVWM-63R7

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-26 00:30
VLAI
Details

PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial of service by accessing freed memory locations via an SSH1_MSG_DISCONNECT message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-01T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "PuTTY before 0.73 might allow remote SSH-1 servers to cause a denial of service by accessing freed memory locations via an SSH1_MSG_DISCONNECT message.",
  "id": "GHSA-9fg2-hvwm-63r7",
  "modified": "2024-04-26T00:30:34Z",
  "published": "2022-05-24T16:57:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17069"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191127-0003"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FGP-MFM2-3437

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-05-24 17:08
VLAI
Details

Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat and Reader versions 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
  "id": "GHSA-9fgp-mfm2-3437",
  "modified": "2022-05-24T17:08:58Z",
  "published": "2022-05-24T17:08:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3745"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb20-05.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.