Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9816 vulnerabilities reference this CWE, most recent first.

GHSA-MJ7M-2XG5-Q6G9

Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-15 00:00
VLAI
Details

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-08T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.",
  "id": "GHSA-mj7m-2xg5-q6g9",
  "modified": "2022-04-15T00:00:58Z",
  "published": "2022-04-09T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/cc16eecae687912238ee6efbff71ad31e2bc414e"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220506-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ8C-J6W6-JGXM

Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-12-23 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7925e: fix use-after-free in free_irq()

From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T13:15:50Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925e: fix use-after-free in free_irq()\n\nFrom commit a304e1b82808 (\"[PATCH] Debug shared irqs\"), there is a test\nto make sure the shared irq handler should be able to handle the unexpected\nevent after deregistration. For this case, let\u0027s apply MT76_REMOVED flag to\nindicate the device was removed and do not run into the resource access\nanymore.",
  "id": "GHSA-mj8c-j6w6-jgxm",
  "modified": "2024-12-23T21:30:50Z",
  "published": "2024-05-01T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27049"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d9930096e1f13cf6d9aabfbf95d0e05fb04144f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84470b48af03a818039d587478b415cbcb264ff5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5a5f4413d91f395cb2d89829d376d7393ad48b9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJC7-82X6-3544

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2024-10-17 21:31
VLAI
Details

A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbitrary code execution or privilege escalation depending on input/skills of attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbitrary code execution or privilege escalation depending on input/skills of attacker.",
  "id": "GHSA-mjc7-82x6-3544",
  "modified": "2024-10-17T21:31:29Z",
  "published": "2022-05-24T19:01:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20204"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956348"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/43JTGEMYMCTHD3LHFD7ENBNSWCNBCYEY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GB7T7DW7XRPJOUE25ZE7GF244FPCHBWY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OE23HBLIVKVPOQ5MVADWPOCFMREVF4QZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43JTGEMYMCTHD3LHFD7ENBNSWCNBCYEY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GB7T7DW7XRPJOUE25ZE7GF244FPCHBWY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OE23HBLIVKVPOQ5MVADWPOCFMREVF4QZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJCM-HF7X-HM3W

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-03 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix potential UAF after skb_unshare() failure

If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:17Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix potential UAF after skb_unshare() failure\n\nIf skb_unshare() fails to unshare a packet due to allocation failure in\nrxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())\nwill be NULL\u0027d out.  This will likely cause the call to\ntrace_rxrpc_rx_done() to oops.\n\nFix this by moving the unsharing down to where rxrpc_input_call_event()\ncalls rxrpc_input_call_packet().  There are a number of places prior to\nthat where we ignore DATA packets for a variety of reasons (such as the\ncall already being complete) for which an unshare is then avoided.\n\nAnd with that, rxrpc_input_packet() doesn\u0027t need to take a pointer to the\npointer to the packet, so change that to just a pointer.",
  "id": "GHSA-mjcm-hf7x-hm3w",
  "modified": "2026-07-03T15:31:53Z",
  "published": "2026-05-27T15:33:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45998"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:34911"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45998"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482024"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45998.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJFQ-XMF5-HV6P

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the lzma_decompress_buf function of stream.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-02T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the lzma_decompress_buf function of stream.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
  "id": "GHSA-mjfq-xmf5-hv6p",
  "modified": "2022-05-13T01:07:37Z",
  "published": "2022-05-13T01:07:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckolivas/lrzip/issues/95"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJFR-374M-86MH

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

A heap-use-after-free in the av_freep function in libavutil/mem.c of FFmpeg 4.2 allows attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-21688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A heap-use-after-free in the av_freep function in libavutil/mem.c of FFmpeg 4.2 allows attackers to execute arbitrary code.",
  "id": "GHSA-mjfr-374m-86mh",
  "modified": "2022-05-24T19:10:29Z",
  "published": "2022-05-24T19:10:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-21688"
    },
    {
      "type": "WEB",
      "url": "https://trac.ffmpeg.org/ticket/8186"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4998"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJH9-M22P-4J4M

Vulnerability from github – Published: 2023-09-07 15:30 – Updated: 2024-04-04 07:32
VLAI
Details

Adobe Premiere Pro versions 22.0 (and earlier) and 15.4.2 (and earlier) are affected by an Use-After-Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-07T13:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Premiere Pro versions 22.0 (and earlier) and 15.4.2 (and earlier) are affected by an Use-After-Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-mjh9-m22p-4j4m",
  "modified": "2024-04-04T07:32:35Z",
  "published": "2023-09-07T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40790"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/premiere_pro/apsb21-117.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJHM-5R72-MJX7

Vulnerability from github – Published: 2024-10-24 21:31 – Updated: 2024-11-05 18:32
VLAI
Details

An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-24T21:15:14Z",
    "severity": "HIGH"
  },
  "details": "An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.",
  "id": "GHSA-mjhm-5r72-mjx7",
  "modified": "2024-11-05T18:32:01Z",
  "published": "2024-10-24T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48423"
    },
    {
      "type": "WEB",
      "url": "https://github.com/assimp/assimp/issues/5788"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJP5-6CQ8-QV5G

Vulnerability from github – Published: 2025-01-28 21:31 – Updated: 2025-01-28 21:31
VLAI
Details

In TBD of TBD, there is a possible use-after-free due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-28T20:15:49Z",
    "severity": "HIGH"
  },
  "details": "In TBD of TBD, there is a possible use-after-free due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-mjp5-6cq8-qv5g",
  "modified": "2025-01-28T21:31:03Z",
  "published": "2025-01-28T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40649"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-10-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJP6-8Q33-2QX3

Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-11-17 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: fprobe events: Fix possible UAF on modules

Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount") moved try_module_get() from __find_tracepoint_module_cb() to find_tracepoint() caller, but that introduced a possible UAF because the module can be unloaded before try_module_get(). In this case, the module object should be freed too. Thus, try_module_get() does not only fail but may access to the freed object.

To avoid that, try_module_get() in __find_tracepoint_module_cb() again.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-09T07:16:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: fprobe events: Fix possible UAF on modules\n\nCommit ac91052f0ae5 (\"tracing: tprobe-events: Fix leakage of module\nrefcount\") moved try_module_get() from __find_tracepoint_module_cb()\nto find_tracepoint() caller, but that introduced a possible UAF\nbecause the module can be unloaded before try_module_get(). In this\ncase, the module object should be freed too. Thus, try_module_get()\ndoes not only fail but may access to the freed object.\n\nTo avoid that, try_module_get() in __find_tracepoint_module_cb()\nagain.",
  "id": "GHSA-mjp6-8q33-2qx3",
  "modified": "2025-11-17T15:30:30Z",
  "published": "2025-05-09T09:33:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37845"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/626f01f4d26e8cf92e69c1df53036153c8e98a20"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/868df4eb784c3ccc7e4340a9ea993cbbedca167e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a27d2de2472b1cc7d582ab405d1d5832a80481de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd941507a9486252d6fcf11814387666792020f3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.