Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-P967-4MGH-R94W

Vulnerability from github – Published: 2025-02-27 18:31 – Updated: 2025-02-27 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: add flush_workqueue to prevent uaf

Our detector found a concurrent use-after-free bug when detaching an NCI device. The main reason for this bug is the unexpected scheduling between the used delayed mechanism (timer and workqueue).

The race can be demonstrated below:

Thread-1 Thread-2 | nci_dev_up() | nci_open_device() | __nci_request(nci_reset_req) | nci_send_cmd | queue_work(cmd_work) nci_unregister_device() | nci_close_device() | ... del_timer_sync(cmd_timer)[1] | ... | Worker nci_free_device() | nci_cmd_work() kfree(ndev)[3] | mod_timer(cmd_timer)[2]

In short, the cleanup routine thought that the cmd_timer has already been detached by [1] but the mod_timer can re-attach the timer [2], even it is already released [3], resulting in UAF.

This UAF is easy to trigger, crash trace by POC is like below

[ 66.703713] ================================================================== [ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490 [ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33 [ 66.703974] [ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5 [ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work [ 66.703974] Call Trace: [ 66.703974] [ 66.703974] dump_stack_lvl+0x57/0x7d [ 66.703974] print_report.cold+0x5e/0x5db [ 66.703974] ? enqueue_timer+0x448/0x490 [ 66.703974] kasan_report+0xbe/0x1c0 [ 66.703974] ? enqueue_timer+0x448/0x490 [ 66.703974] enqueue_timer+0x448/0x490 [ 66.703974] __mod_timer+0x5e6/0xb80 [ 66.703974] ? mark_held_locks+0x9e/0xe0 [ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0 [ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410 [ 66.703974] ? queue_work_on+0x61/0x80 [ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130 [ 66.703974] process_one_work+0x8bb/0x1510 [ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230 [ 66.703974] ? rwlock_bug.part.0+0x90/0x90 [ 66.703974] ? _raw_spin_lock_irq+0x41/0x50 [ 66.703974] worker_thread+0x575/0x1190 [ 66.703974] ? process_one_work+0x1510/0x1510 [ 66.703974] kthread+0x2a0/0x340 [ 66.703974] ? kthread_complete_and_exit+0x20/0x20 [ 66.703974] ret_from_fork+0x22/0x30 [ 66.703974] [ 66.703974] [ 66.703974] Allocated by task 267: [ 66.703974] kasan_save_stack+0x1e/0x40 [ 66.703974] __kasan_kmalloc+0x81/0xa0 [ 66.703974] nci_allocate_device+0xd3/0x390 [ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0 [ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd [ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0 [ 66.703974] tty_ioctl+0x764/0x1310 [ 66.703974] __x64_sys_ioctl+0x122/0x190 [ 66.703974] do_syscall_64+0x3b/0x90 [ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 66.703974] [ 66.703974] Freed by task 406: [ 66.703974] kasan_save_stack+0x1e/0x40 [ 66.703974] kasan_set_track+0x21/0x30 [ 66.703974] kasan_set_free_info+0x20/0x30 [ 66.703974] __kasan_slab_free+0x108/0x170 [ 66.703974] kfree+0xb0/0x330 [ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0 [ 66.703974] nci_uart_tty_close+0xdf/0x180 [ 66.703974] tty_ldisc_kill+0x73/0x110 [ 66.703974] tty_ldisc_hangup+0x281/0x5b0 [ 66.703974] __tty_hangup.part.0+0x431/0x890 [ 66.703974] tty_release+0x3a8/0xc80 [ 66.703974] __fput+0x1f0/0x8c0 [ 66.703974] task_work_run+0xc9/0x170 [ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0 [ 66.703974] syscall_exit_to_user_mode+0x19/0x50 [ 66.703974] do_syscall_64+0x48/0x90 [ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0x ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:43Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: add flush_workqueue to prevent uaf\n\nOur detector found a concurrent use-after-free bug when detaching an\nNCI device. The main reason for this bug is the unexpected scheduling\nbetween the used delayed mechanism (timer and workqueue).\n\nThe race can be demonstrated below:\n\nThread-1                           Thread-2\n                                 | nci_dev_up()\n                                 |   nci_open_device()\n                                 |     __nci_request(nci_reset_req)\n                                 |       nci_send_cmd\n                                 |         queue_work(cmd_work)\nnci_unregister_device()          |\n  nci_close_device()             | ...\n    del_timer_sync(cmd_timer)[1] |\n...                              | Worker\nnci_free_device()                | nci_cmd_work()\n  kfree(ndev)[3]                 |   mod_timer(cmd_timer)[2]\n\nIn short, the cleanup routine thought that the cmd_timer has already\nbeen detached by [1] but the mod_timer can re-attach the timer [2], even\nit is already released [3], resulting in UAF.\n\nThis UAF is easy to trigger, crash trace by POC is like below\n\n[   66.703713] ==================================================================\n[   66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490\n[   66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33\n[   66.703974]\n[   66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5\n[   66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work\n[   66.703974] Call Trace:\n[   66.703974]  \u003cTASK\u003e\n[   66.703974]  dump_stack_lvl+0x57/0x7d\n[   66.703974]  print_report.cold+0x5e/0x5db\n[   66.703974]  ? enqueue_timer+0x448/0x490\n[   66.703974]  kasan_report+0xbe/0x1c0\n[   66.703974]  ? enqueue_timer+0x448/0x490\n[   66.703974]  enqueue_timer+0x448/0x490\n[   66.703974]  __mod_timer+0x5e6/0xb80\n[   66.703974]  ? mark_held_locks+0x9e/0xe0\n[   66.703974]  ? try_to_del_timer_sync+0xf0/0xf0\n[   66.703974]  ? lockdep_hardirqs_on_prepare+0x17b/0x410\n[   66.703974]  ? queue_work_on+0x61/0x80\n[   66.703974]  ? lockdep_hardirqs_on+0xbf/0x130\n[   66.703974]  process_one_work+0x8bb/0x1510\n[   66.703974]  ? lockdep_hardirqs_on_prepare+0x410/0x410\n[   66.703974]  ? pwq_dec_nr_in_flight+0x230/0x230\n[   66.703974]  ? rwlock_bug.part.0+0x90/0x90\n[   66.703974]  ? _raw_spin_lock_irq+0x41/0x50\n[   66.703974]  worker_thread+0x575/0x1190\n[   66.703974]  ? process_one_work+0x1510/0x1510\n[   66.703974]  kthread+0x2a0/0x340\n[   66.703974]  ? kthread_complete_and_exit+0x20/0x20\n[   66.703974]  ret_from_fork+0x22/0x30\n[   66.703974]  \u003c/TASK\u003e\n[   66.703974]\n[   66.703974] Allocated by task 267:\n[   66.703974]  kasan_save_stack+0x1e/0x40\n[   66.703974]  __kasan_kmalloc+0x81/0xa0\n[   66.703974]  nci_allocate_device+0xd3/0x390\n[   66.703974]  nfcmrvl_nci_register_dev+0x183/0x2c0\n[   66.703974]  nfcmrvl_nci_uart_open+0xf2/0x1dd\n[   66.703974]  nci_uart_tty_ioctl+0x2c3/0x4a0\n[   66.703974]  tty_ioctl+0x764/0x1310\n[   66.703974]  __x64_sys_ioctl+0x122/0x190\n[   66.703974]  do_syscall_64+0x3b/0x90\n[   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   66.703974]\n[   66.703974] Freed by task 406:\n[   66.703974]  kasan_save_stack+0x1e/0x40\n[   66.703974]  kasan_set_track+0x21/0x30\n[   66.703974]  kasan_set_free_info+0x20/0x30\n[   66.703974]  __kasan_slab_free+0x108/0x170\n[   66.703974]  kfree+0xb0/0x330\n[   66.703974]  nfcmrvl_nci_unregister_dev+0x90/0xd0\n[   66.703974]  nci_uart_tty_close+0xdf/0x180\n[   66.703974]  tty_ldisc_kill+0x73/0x110\n[   66.703974]  tty_ldisc_hangup+0x281/0x5b0\n[   66.703974]  __tty_hangup.part.0+0x431/0x890\n[   66.703974]  tty_release+0x3a8/0xc80\n[   66.703974]  __fput+0x1f0/0x8c0\n[   66.703974]  task_work_run+0xc9/0x170\n[   66.703974]  exit_to_user_mode_prepare+0x194/0x1a0\n[   66.703974]  syscall_exit_to_user_mode+0x19/0x50\n[   66.703974]  do_syscall_64+0x48/0x90\n[   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0x\n---truncated---",
  "id": "GHSA-p967-4mgh-r94w",
  "modified": "2025-02-27T18:31:08Z",
  "published": "2025-02-27T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49059"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a1748d0dd0f0a98535c6baeef671c8722107639"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c63ad2b0a267a524c12c88acb1ba9c2d109a801"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67677050cecbe0edfdd81cd508415e9636ba7c65"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d3232214ca4ea8f7d18df264c3b254aa8089d7f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d243aff5f7e6b04e907c617426bbdf26e996ac8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ded5ae40f4fe37fcc28f36d76bf45df20be5432"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/edd4600120641e1714e30112e69a548cfb68e067"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef27324e2cb7bb24542d6cb2571740eefe6b00dc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P96H-697J-3C35

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44
VLAI
Details

In StopServicesAndLogViolations of reboot.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-170315126

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In StopServicesAndLogViolations of reboot.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-170315126",
  "id": "GHSA-p96h-697j-3c35",
  "modified": "2022-05-24T17:44:09Z",
  "published": "2022-05-24T17:44:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0395"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P96W-FC3F-MJ48

Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2025-11-25 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/migrate: prevent potential UAF

If we hit the error path, the previous fence (if there is one) has already been put() prior to this, so doing a fence_wait could lead to UAF. Tweak the flow to do to the put() until after we do the wait.

(cherry picked from commit 9b7ca35ed28fe5fad86e9d9c24ebd1271e4c9c3e)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T17:15:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/migrate: prevent potential UAF\n\nIf we hit the error path, the previous fence (if there is one) has\nalready been put() prior to this, so doing a fence_wait could lead to\nUAF. Tweak the flow to do to the put() until after we do the wait.\n\n(cherry picked from commit 9b7ca35ed28fe5fad86e9d9c24ebd1271e4c9c3e)",
  "id": "GHSA-p96w-fc3f-mj48",
  "modified": "2025-11-25T21:32:04Z",
  "published": "2025-09-11T18:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39740"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/145832fbdd17b1d77ffd6cdd1642259e101d1b7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e46fa64a4b94208563c3a5bf1d7f4346f94abea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P97G-V8QV-GXJW

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32
VLAI
Details

Tungsten Automation Power PDF XPS File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tungsten Automation Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of XPS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24385.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T21:15:26Z",
    "severity": "HIGH"
  },
  "details": "Tungsten Automation Power PDF XPS File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tungsten Automation Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XPS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24385.",
  "id": "GHSA-p97g-v8qv-gxjw",
  "modified": "2024-11-22T21:32:20Z",
  "published": "2024-11-22T21:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9732"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1337"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9G7-9RVQ-FCJ5

Vulnerability from github – Published: 2026-07-06 21:30 – Updated: 2026-07-06 21:30
VLAI
Details

Memory Corruption when processing multiple IOCTL calls with the same buffer file descriptor input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T21:16:52Z",
    "severity": "MODERATE"
  },
  "details": "Memory Corruption when processing multiple IOCTL calls with the same buffer file descriptor input.",
  "id": "GHSA-p9g7-9rvq-fcj5",
  "modified": "2026-07-06T21:30:41Z",
  "published": "2026-07-06T21:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59617"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9GQ-M942-6H3H

Vulnerability from github – Published: 2022-02-13 00:00 – Updated: 2022-03-17 00:05
VLAI
Details

Use after free in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gesture to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-12T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker who convinced a user to perform specific user gesture to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-p9gq-m942-6h3h",
  "modified": "2022-03-17T00:05:41Z",
  "published": "2022-02-13T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0106"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1278960"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9GW-J9JR-FGJM

Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:02
VLAI
Details

Use-After-Free, Out-of-bounds Write and Heap-based Buffer Overflow vulnerabilities exist in the DWG and DXF file reading procedure in SOLIDWORKS Desktop from Release SOLIDWORKS 2021 through Release SOLIDWORKS 2023. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted DWG or DXF file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-12T08:15:10Z",
    "severity": "HIGH"
  },
  "details": "Use-After-Free, Out-of-bounds Write and Heap-based Buffer Overflow vulnerabilities exist in the DWG and DXF file reading procedure in SOLIDWORKS Desktop from Release SOLIDWORKS 2021 through Release SOLIDWORKS 2023. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted DWG or DXF file.",
  "id": "GHSA-p9gw-j9jr-fgjm",
  "modified": "2024-04-04T06:02:15Z",
  "published": "2023-07-12T09:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2763"
    },
    {
      "type": "WEB",
      "url": "https://www.3ds.com/vulnerability/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9HQ-CCP8-R44H

Vulnerability from github – Published: 2022-06-16 00:00 – Updated: 2022-06-16 00:00
VLAI
Details

Adobe Bridge version 12.0.1 (and earlier versions) is affected by a Use-After-Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Bridge version 12.0.1 (and earlier versions) is affected by a Use-After-Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-p9hq-ccp8-r44h",
  "modified": "2022-06-16T00:00:20Z",
  "published": "2022-06-16T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28842"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/bridge/apsb22-25.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9JR-4XJC-3F6Q

Vulnerability from github – Published: 2026-03-02 09:30 – Updated: 2026-03-02 15:31
VLAI
Details

In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T09:16:16Z",
    "severity": "MODERATE"
  },
  "details": "In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843.",
  "id": "GHSA-p9jr-4xjc-3f6q",
  "modified": "2026-03-02T15:31:23Z",
  "published": "2026-03-02T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20437"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/March-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9MM-H9C2-9J9J

Vulnerability from github – Published: 2022-05-14 01:30 – Updated: 2022-05-14 01:30
VLAI
Details

Use-after-free vulnerability will occur as there is no protection for the route table`s rule in IPA driver in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in versions MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-13900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-25T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability will occur as there is no protection for the route table`s rule in IPA driver in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables in versions MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24.",
  "id": "GHSA-p9mm-h9c2-9j9j",
  "modified": "2022-05-14T01:30:40Z",
  "published": "2022-05-14T01:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13900"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2019/02/04/february-2019-code-aurora-security-bulletin"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.