Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-P8H7-JC93-WGQ3

Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2025-01-13 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mctp: perform route lookups under a RCU read-side lock

Our current route lookups (mctp_route_lookup and mctp_route_lookup_null) traverse the net's route list without the RCU read lock held. This means the route lookup is subject to preemption, resulting in an potential grace period expiry, and so an eventual kfree() while we still have the route pointer.

Add the proper read-side critical section locks around the route lookups, preventing premption and a possible parallel kfree.

The remaining net->mctp.routes accesses are already under a rcu_read_lock, or protected by the RTNL for updates.

Based on an analysis from Sili Luo rootlab@huawei.com, where introducing a delay in the route lookup could cause a UAF on simultaneous sendmsg() and route deletion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T06:15:46Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net\u0027s route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net-\u003emctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo \u003crootlab@huawei.com\u003e, where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.",
  "id": "GHSA-p8h7-jc93-wgq3",
  "modified": "2025-01-13T18:31:55Z",
  "published": "2024-02-29T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8HC-PQ6W-V45R

Vulnerability from github – Published: 2023-03-10 21:30 – Updated: 2023-03-15 18:30
VLAI
Details

In gpu device, there is a memory corruption due to a use after free. This could lead to local denial of service in kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In gpu device, there is a memory corruption due to a use after free. This could lead to local denial of service in kernel.",
  "id": "GHSA-p8hc-pq6w-v45r",
  "modified": "2023-03-15T18:30:27Z",
  "published": "2023-03-10T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47460"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1632612109718192129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8HJ-PPGC-2FFW

Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2022-07-27 00:00
VLAI
Details

Use after free in Extensions in Google Chrome prior to 99.0.4844.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-21T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Extensions in Google Chrome prior to 99.0.4844.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-p8hj-ppgc-2ffw",
  "modified": "2022-07-27T00:00:45Z",
  "published": "2022-07-22T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0972"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1301320"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8M4-QHM5-5GM6

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-09T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information.",
  "id": "GHSA-p8m4-qhm5-5gm6",
  "modified": "2022-05-13T01:10:47Z",
  "published": "2022-05-13T01:10:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h2o/h2o/issues/1144"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN44566208/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8M9-GXW7-G5PF

Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2025-10-22 00:31
VLAI
Details

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. An application may be able to gain elevated privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-18T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. An application may be able to gain elevated privileges.",
  "id": "GHSA-p8m9-gxw7-g5pf",
  "modified": "2025-10-22T00:31:49Z",
  "published": "2022-05-24T17:04:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8526"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT209600"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-8526"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8PM-49M7-8863

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Also allocate and copy hash for reading of filter files

Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs.

Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn\u0027t have to differentiate when to free the\niterator\u0027s hash between writers and readers.",
  "id": "GHSA-p8pm-49m7-8863",
  "modified": "2026-05-12T15:31:03Z",
  "published": "2025-09-05T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39689"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12064e1880fc9202be75ff668205b1703d92f74f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b114a3282ab1a12cb4618a8f45db5d7185e784a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64db338140d2bad99a0a8c6a118dd60b3e1fb8cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfb336cf97df7b37b2b2edec0f69773e06d11955"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4cd93811e038d19f961985735ef7bb128078dfb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c591ba1acd081d4980713e47869dd1cc3d963d19"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0b6b223167e1edde5c82edf38e393c06eda1f13"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8PM-J3F3-XMRF

Vulnerability from github – Published: 2022-12-21 00:30 – Updated: 2022-12-21 00:30
VLAI
Details

In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-16T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel",
  "id": "GHSA-p8pm-j3f3-xmrf",
  "modified": "2022-12-21T00:30:29Z",
  "published": "2022-12-21T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20566"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8QV-RW4Q-GFW4

Vulnerability from github – Published: 2022-05-17 00:28 – Updated: 2022-05-17 00:28
VLAI
Details

The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-02T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.",
  "id": "GHSA-p8qv-rw4q-gfw4",
  "modified": "2022-05-17T00:28:34Z",
  "published": "2022-05-17T00:28:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/60a2362f769cf549dc466134efe71c8bf9fbaaba"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-05-01"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=60a2362f769cf549dc466134efe71c8bf9fbaaba"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3945"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98195"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8R2-HM7Q-CVFJ

Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2022-02-20 00:00
VLAI
Details

Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-12T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-p8r2-hm7q-cvfj",
  "modified": "2022-02-20T00:00:47Z",
  "published": "2022-02-15T00:02:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0298"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop_19.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1212957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P8R7-WFJ6-Q9HX

Vulnerability from github – Published: 2022-05-14 03:09 – Updated: 2024-10-21 15:32
VLAI
Details

A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-11T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 52.1, Firefox ESR \u003c 45.9, Firefox ESR \u003c 52.1, and Firefox \u003c 53.",
  "id": "GHSA-p8r7-wfj6-q9hx",
  "modified": "2024-10-21T15:32:18Z",
  "published": "2022-05-14T03:09:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5435"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1104"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1106"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1201"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1350683"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3831"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-10"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-11"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-12"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-13"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97940"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.