CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9820 vulnerabilities reference this CWE, most recent first.
GHSA-MP92-4QPF-F4VR
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32Integer overflow in media in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-15986"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-03T03:15:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in media in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-mp92-4qpf-f4vr",
"modified": "2022-05-24T17:32:54Z",
"published": "2022-05-24T17:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15986"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1100247"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/24QFL4C3AZKMFVL7LVSYMU2DNE5VVUGS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GWCWNHTTYOH6HSFUXPGPBB6J6JYZHZE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SC3U3H6AISVZB5PLZLLNF4HMQ4UFFL7M"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4824"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MP96-4FRC-R2PG
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
{
"affected": [],
"aliases": [
"CVE-2022-28282"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "By using a link with \u003ccode\u003erel=\"localization\"\u003c/code\u003e a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird \u003c 91.8, Firefox \u003c 99, and Firefox ESR \u003c 91.8.",
"id": "GHSA-mp96-4frc-r2pg",
"modified": "2025-04-15T21:31:23Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28282"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1751609"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-13"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP9C-JX49-947F
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-05-26 18:31NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause a use-after-free for stack memory. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution.
{
"affected": [],
"aliases": [
"CVE-2026-24200"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T18:16:39Z",
"severity": "HIGH"
},
"details": "NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause a use-after-free for stack memory. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution.",
"id": "GHSA-mp9c-jx49-947f",
"modified": "2026-05-26T18:31:49Z",
"published": "2026-05-26T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24200"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5821"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24200"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPC5-232J-WWMM
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-02-27 21:32In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu-v3-sva: Fix mm use-after-free
We currently call arm64_mm_context_put() without holding a reference to the mm, which can result in use-after-free. Call mmgrab()/mmdrop() to ensure the mm only gets freed after we unpinned the ASID.
{
"affected": [],
"aliases": [
"CVE-2022-49426"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3-sva: Fix mm use-after-free\n\nWe currently call arm64_mm_context_put() without holding a reference to\nthe mm, which can result in use-after-free. Call mmgrab()/mmdrop() to\nensure the mm only gets freed after we unpinned the ASID.",
"id": "GHSA-mpc5-232j-wwmm",
"modified": "2025-02-27T21:32:14Z",
"published": "2025-02-27T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49426"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9aa215450888cf29af0c479e14a712dc6b0c506c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cbd23144f7662b00bcde32a938c4a4057e476d68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3cbbdbff8a4db5d053c53fd71be62ccccdb52b0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc90f13ea0dcd960e5002d204fa55cec4e0db2fa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPH8-6787-R8HW
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-06-22 18:20A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.2"
},
"package": {
"ecosystem": "npm",
"name": "hermes-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-24037"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T18:20:01Z",
"nvd_published_at": "2021-06-15T22:15:00Z",
"severity": "CRITICAL"
},
"details": "A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.",
"id": "GHSA-mph8-6787-r8hw",
"modified": "2022-06-22T18:20:01Z",
"published": "2022-05-24T19:05:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24037"
},
{
"type": "WEB",
"url": "https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e"
},
{
"type": "PACKAGE",
"url": "https://github.com/facebook/hermes"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/CVE-2021-24037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use After Free in Hermes"
}
GHSA-MPRG-GW36-367P
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2023-01-09 18:30A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2020-36329"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-21T17:15:00Z",
"severity": "CRITICAL"
},
"details": "A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"id": "GHSA-mprg-gw36-367p",
"modified": "2023-01-09T18:30:22Z",
"published": "2022-05-24T19:02:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36329"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956843"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00006.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211112-0001"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212601"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4930"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Jul/54"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPRH-G3XH-WH7R
Vulnerability from github – Published: 2026-01-25 15:30 – Updated: 2026-03-25 21:30In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: remove call_control in inactive contexts
If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens.
This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making a definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps.
Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond can safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() to cleanup the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error.
{
"affected": [],
"aliases": [
"CVE-2026-23012"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-25T15:15:56Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: remove call_control in inactive contexts\n\nIf damon_call() is executed against a DAMON context that is not running,\nthe function returns error while keeping the damon_call_control object\nlinked to the context\u0027s call_controls list. Let\u0027s suppose the object is\ndeallocated after the damon_call(), and yet another damon_call() is\nexecuted against the same context. The function tries to add the new\ndamon_call_control object to the call_controls list, which still has the\npointer to the previous damon_call_control object, which is deallocated. \nAs a result, use-after-free happens.\n\nThis can actually be triggered using the DAMON sysfs interface. It is not\neasily exploitable since it requires the sysfs write permission and making\na definitely weird file writes, though. Please refer to the report for\nmore details about the issue reproduction steps.\n\nFix the issue by making two changes. Firstly, move the final\nkdamond_call() for cancelling all existing damon_call() requests from\nterminating DAMON context to be done before the ctx-\u003ekdamond reset. This\nmakes any code that sees NULL ctx-\u003ekdamond can safely assume the context\nmay not access damon_call() requests anymore. Secondly, let damon_call()\nto cleanup the damon_call_control objects that were added to the\nalready-terminated DAMON context, before returning the error.",
"id": "GHSA-mprh-g3xh-wh7r",
"modified": "2026-03-25T21:30:23Z",
"published": "2026-01-25T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23012"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPRX-JP8F-RW8W
Vulnerability from github – Published: 2025-07-11 21:31 – Updated: 2025-07-11 21:31An IBM MQ 9.3 and 9.4 Client connecting to an MQ Queue Manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it.
{
"affected": [],
"aliases": [
"CVE-2025-3631"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T19:15:23Z",
"severity": "MODERATE"
},
"details": "An IBM MQ 9.3 and 9.4 Client connecting to an MQ Queue Manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it.",
"id": "GHSA-mprx-jp8f-rw8w",
"modified": "2025-07-11T21:31:04Z",
"published": "2025-07-11T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3631"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7237025"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7238310"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPWX-3MQV-FM27
Vulnerability from github – Published: 2022-02-09 00:00 – Updated: 2022-02-12 00:01Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0.
{
"affected": [],
"aliases": [
"CVE-2022-0139"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-08T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0.",
"id": "GHSA-mpwx-3mqv-fm27",
"modified": "2022-02-12T00:01:04Z",
"published": "2022-02-09T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0139"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/commit/37897226a1a31f982bfefdc4aeefc2e50355c73c"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3dcb6f40-45cd-403b-929f-db123fde32c0"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MPX4-2H8Q-35CJ
Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-16 00:00Adobe Photoshop versions 22.5.7 (and earlier) and 23.3.2 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-34243"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-15T16:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Photoshop versions 22.5.7 (and earlier) and 23.3.2 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-mpx4-2h8q-35cj",
"modified": "2022-07-16T00:00:29Z",
"published": "2022-07-16T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34243"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb22-35.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.