CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-P8H7-JC93-WGQ3
Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2025-01-13 18:31In the Linux kernel, the following vulnerability has been resolved:
mctp: perform route lookups under a RCU read-side lock
Our current route lookups (mctp_route_lookup and mctp_route_lookup_null) traverse the net's route list without the RCU read lock held. This means the route lookup is subject to preemption, resulting in an potential grace period expiry, and so an eventual kfree() while we still have the route pointer.
Add the proper read-side critical section locks around the route lookups, preventing premption and a possible parallel kfree.
The remaining net->mctp.routes accesses are already under a rcu_read_lock, or protected by the RTNL for updates.
Based on an analysis from Sili Luo rootlab@huawei.com, where introducing a delay in the route lookup could cause a UAF on simultaneous sendmsg() and route deletion.
{
"affected": [],
"aliases": [
"CVE-2023-52483"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T06:15:46Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net\u0027s route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net-\u003emctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo \u003crootlab@huawei.com\u003e, where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.",
"id": "GHSA-p8h7-jc93-wgq3",
"modified": "2025-01-13T18:31:55Z",
"published": "2024-02-29T06:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8HC-PQ6W-V45R
Vulnerability from github – Published: 2023-03-10 21:30 – Updated: 2023-03-15 18:30In gpu device, there is a memory corruption due to a use after free. This could lead to local denial of service in kernel.
{
"affected": [],
"aliases": [
"CVE-2022-47460"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "In gpu device, there is a memory corruption due to a use after free. This could lead to local denial of service in kernel.",
"id": "GHSA-p8hc-pq6w-v45r",
"modified": "2023-03-15T18:30:27Z",
"published": "2023-03-10T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47460"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1632612109718192129"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8HJ-PPGC-2FFW
Vulnerability from github – Published: 2022-07-22 00:00 – Updated: 2022-07-27 00:00Use after free in Extensions in Google Chrome prior to 99.0.4844.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0972"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-21T23:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Extensions in Google Chrome prior to 99.0.4844.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-p8hj-ppgc-2ffw",
"modified": "2022-07-27T00:00:45Z",
"published": "2022-07-22T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0972"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1301320"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8M4-QHM5-5GM6
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information.
{
"affected": [],
"aliases": [
"CVE-2016-7835"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-09T16:29:00Z",
"severity": "CRITICAL"
},
"details": "Use-after-free vulnerability in H2O allows remote attackers to cause a denial-of-service (DoS) or obtain server certificate private keys and possibly other information.",
"id": "GHSA-p8m4-qhm5-5gm6",
"modified": "2022-05-13T01:10:47Z",
"published": "2022-05-13T01:10:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7835"
},
{
"type": "WEB",
"url": "https://github.com/h2o/h2o/issues/1144"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN44566208/index.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8M9-GXW7-G5PF
Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2025-10-22 00:31A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. An application may be able to gain elevated privileges.
{
"affected": [],
"aliases": [
"CVE-2019-8526"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-18T18:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. An application may be able to gain elevated privileges.",
"id": "GHSA-p8m9-gxw7-g5pf",
"modified": "2025-10-22T00:31:49Z",
"published": "2022-05-24T17:04:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8526"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT209600"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-8526"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8PM-49M7-8863
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
ftrace: Also allocate and copy hash for reading of filter files
Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs.
Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.
{
"affected": [],
"aliases": [
"CVE-2025-39689"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn\u0027t have to differentiate when to free the\niterator\u0027s hash between writers and readers.",
"id": "GHSA-p8pm-49m7-8863",
"modified": "2026-05-12T15:31:03Z",
"published": "2025-09-05T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39689"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12064e1880fc9202be75ff668205b1703d92f74f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b114a3282ab1a12cb4618a8f45db5d7185e784a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64db338140d2bad99a0a8c6a118dd60b3e1fb8cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bfb336cf97df7b37b2b2edec0f69773e06d11955"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c4cd93811e038d19f961985735ef7bb128078dfb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c591ba1acd081d4980713e47869dd1cc3d963d19"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0b6b223167e1edde5c82edf38e393c06eda1f13"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8PM-J3F3-XMRF
Vulnerability from github – Published: 2022-12-21 00:30 – Updated: 2022-12-21 00:30In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel
{
"affected": [],
"aliases": [
"CVE-2022-20566"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "HIGH"
},
"details": "In l2cap_chan_put of l2cap_core, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-165329981References: Upstream kernel",
"id": "GHSA-p8pm-j3f3-xmrf",
"modified": "2022-12-21T00:30:29Z",
"published": "2022-12-21T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20566"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8QV-RW4Q-GFW4
Vulnerability from github – Published: 2022-05-17 00:28 – Updated: 2022-05-17 00:28The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.
{
"affected": [],
"aliases": [
"CVE-2014-9940"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-02T21:59:00Z",
"severity": "HIGH"
},
"details": "The regulator_ena_gpio_free function in drivers/regulator/core.c in the Linux kernel before 3.19 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted application.",
"id": "GHSA-p8qv-rw4q-gfw4",
"modified": "2022-05-17T00:28:34Z",
"published": "2022-05-17T00:28:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9940"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/60a2362f769cf549dc466134efe71c8bf9fbaaba"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=60a2362f769cf549dc466134efe71c8bf9fbaaba"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3945"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98195"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8R2-HM7Q-CVFJ
Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2022-02-20 00:00Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0298"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-12T02:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-p8r2-hm7q-cvfj",
"modified": "2022-02-20T00:00:47Z",
"published": "2022-02-15T00:02:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0298"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop_19.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1212957"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P8R7-WFJ6-Q9HX
Vulnerability from github – Published: 2022-05-14 03:09 – Updated: 2024-10-21 15:32A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
{
"affected": [],
"aliases": [
"CVE-2017-5435"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 52.1, Firefox ESR \u003c 45.9, Firefox ESR \u003c 52.1, and Firefox \u003c 53.",
"id": "GHSA-p8r7-wfj6-q9hx",
"modified": "2024-10-21T15:32:18Z",
"published": "2022-05-14T03:09:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5435"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1104"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1106"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1201"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1350683"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3831"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-10"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-11"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-12"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-13"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97940"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038320"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.