Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9814 vulnerabilities reference this CWE, most recent first.

GHSA-PGQ5-9C6X-F99F

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38
VLAI
Details

Use after free in payments in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in payments in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.",
  "id": "GHSA-pgq5-9c6x-f99f",
  "modified": "2022-05-24T17:38:16Z",
  "published": "2022-05-24T17:38:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16018"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1136078"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PGWX-747M-9MGH

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: caif: Fix use-after-free in cfusbl_device_notify()

syzbot reported use-after-free in cfusbl_device_notify() [1]. This causes a stack trace like below:

BUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 Read of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214

CPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10227 [inline] netdev_run_todo+0xbc0/0x10f0 net/core/dev.c:10341 default_device_exit_batch+0x44e/0x590 net/core/dev.c:11334 ops_exit_list+0x125/0x170 net/core/net_namespace.c:167 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594 process_one_work+0x996/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

When unregistering a net device, unregister_netdevice_many_notify() sets the device's reg_state to NETREG_UNREGISTERING, calls notifiers with NETDEV_UNREGISTER, and adds the device to the todo list.

Later on, devices in the todo list are processed by netdev_run_todo(). netdev_run_todo() waits devices' reference count become 1 while rebdoadcasting NETDEV_UNREGISTER notification.

When cfusbl_device_notify() is called with NETDEV_UNREGISTER multiple times, the parent device might be freed. This could cause UAF. Processing NETDEV_UNREGISTER multiple times also causes inbalance of reference count for the module.

This patch fixes the issue by accepting only first NETDEV_UNREGISTER notification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:32Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: Fix use-after-free in cfusbl_device_notify()\n\nsyzbot reported use-after-free in cfusbl_device_notify() [1].  This\ncauses a stack trace like below:\n\nBUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138\nRead of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214\n\nCPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nWorkqueue: netns cleanup_net\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313\n print_report mm/kasan/report.c:429 [inline]\n kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491\n cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138\n notifier_call_chain+0xb5/0x200 kernel/notifier.c:87\n call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945\n call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\n call_netdevice_notifiers net/core/dev.c:1997 [inline]\n netdev_wait_allrefs_any net/core/dev.c:10227 [inline]\n netdev_run_todo+0xbc0/0x10f0 net/core/dev.c:10341\n default_device_exit_batch+0x44e/0x590 net/core/dev.c:11334\n ops_exit_list+0x125/0x170 net/core/net_namespace.c:167\n cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594\n process_one_work+0x996/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e9/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302\n \u003c/TASK\u003e\n\nWhen unregistering a net device, unregister_netdevice_many_notify()\nsets the device\u0027s reg_state to NETREG_UNREGISTERING, calls notifiers\nwith NETDEV_UNREGISTER, and adds the device to the todo list.\n\nLater on, devices in the todo list are processed by netdev_run_todo().\nnetdev_run_todo() waits devices\u0027 reference count become 1 while\nrebdoadcasting NETDEV_UNREGISTER notification.\n\nWhen cfusbl_device_notify() is called with NETDEV_UNREGISTER multiple\ntimes, the parent device might be freed.  This could cause UAF.\nProcessing NETDEV_UNREGISTER multiple times also causes inbalance of\nreference count for the module.\n\nThis patch fixes the issue by accepting only first NETDEV_UNREGISTER\nnotification.",
  "id": "GHSA-pgwx-747m-9mgh",
  "modified": "2025-11-10T18:30:30Z",
  "published": "2025-05-02T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53138"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1793da97a23e31c5bf06631f3f3e5a25f368fd64"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/287027d8a567168a5d8ce5cb0cba16a34791a48c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f14457e1584224f4296af613bbd99deb60b5d91"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68a45c3cf0e2242a533657f4f535d9b6a7447a79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9781e98a97110f5e76999058368b4be76a788484"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9dc16be373b382ddd4c274052a6e870a95e76c01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3aaec463a632cf4187dc017e421bfa69d7834a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d1a11bbdbb5ea9f172019c5a4a3e9d8eabd72179"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH5F-PJVP-H9X6

Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32
VLAI
Details

Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T21:16:42Z",
    "severity": "HIGH"
  },
  "details": "Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-ph5f-pjvp-h9x6",
  "modified": "2026-07-14T21:32:21Z",
  "published": "2026-07-14T21:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15772"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_0353146366.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/525317502"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH5M-227M-FC5G

Vulnerability from github – Published: 2024-06-20 00:30 – Updated: 2024-06-21 15:31
VLAI
Details

Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T00:15:10Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-ph5m-227m-fc5g",
  "modified": "2024-06-21T15:31:05Z",
  "published": "2024-06-20T00:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6103"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/344639860"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH63-5FF2-3JC3

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31
VLAI
Details

Use after free in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:18:31Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-ph63-5ff2-3jc3",
  "modified": "2026-03-10T18:31:20Z",
  "published": "2026-03-10T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25171"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH6H-MVRC-7RQ5

Vulnerability from github – Published: 2023-09-04 15:30 – Updated: 2026-06-23 18:31
VLAI
Details

Use After Free in GitHub repository vim/vim prior to 9.0.1857.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-04T14:15:08Z",
    "severity": "HIGH"
  },
  "details": "Use After Free in GitHub repository vim/vim prior to 9.0.1857.",
  "id": "GHSA-ph6h-mvrc-7rq5",
  "modified": "2026-06-23T18:31:30Z",
  "published": "2023-09-04T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1ab3ebdf-fe7d-4436-b483-9a586e03b0ea"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213984"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH87-W4J3-8MJ7

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

Use-after-free vulnerability in the obj_toSource function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via a crafted web page referencing JavaScript Proxy objects that are not properly handled during garbage collection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-0756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-13T20:55:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the obj_toSource function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 allows remote attackers to execute arbitrary code via a crafted web page referencing JavaScript Proxy objects that are not properly handled during garbage collection.",
  "id": "GHSA-ph87-w4j3-8mj7",
  "modified": "2022-05-13T01:23:59Z",
  "published": "2022-05-13T01:23:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0756"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=814029"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17101"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2013/mfsa2013-19.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1681-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1681-2"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1681-4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PH8P-RRMJ-8GF2

Vulnerability from github – Published: 2023-09-06 15:30 – Updated: 2025-02-13 18:31
VLAI
Details

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-06T14:15:11Z",
    "severity": "HIGH"
  },
  "details": "A use-after-free vulnerability in the Linux kernel\u0027s net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\n\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\n\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.",
  "id": "GHSA-ph8p-rrmj-8gf2",
  "modified": "2025-02-13T18:31:51Z",
  "published": "2023-09-06T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4208"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81"
    },
    {
      "type": "WEB",
      "url": "https://kernel.dance/3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5492"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PH92-FM2F-7W7P

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-23T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.",
  "id": "GHSA-ph92-fm2f-7w7p",
  "modified": "2022-05-24T17:34:48Z",
  "published": "2022-05-24T17:34:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14586"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=1995"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00032.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PHC9-MF56-R5F6

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2025-01-14 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix use-after-free in do_zone_finish()

Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070.

BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007

CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ? do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs] do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ? btrfs_put_root+0x2d/0x220 [btrfs] ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30

Allocated by task 3493983: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs] device_list_add.constprop.0+0x993/0x1630 [btrfs] btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Freed by task 3494056: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x32/0x70 kfree+0x11b/0x320 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76

The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)

The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish().

The sequence of events is as follows:

btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced btrfs_rm_dev_replace_free_srcdev btrfs_free_device <-- device freed

cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish <-- refers the freed device

The reason for this is that we're using a ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G        W          6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x5b/0x90\n  print_report+0xcf/0x670\n  ? __virt_addr_valid+0x200/0x3e0\n  kasan_report+0xd8/0x110\n  ? do_zone_finish+0x91a/0xb90 [btrfs]\n  ? do_zone_finish+0x91a/0xb90 [btrfs]\n  do_zone_finish+0x91a/0xb90 [btrfs]\n  btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n  ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n  ? btrfs_put_root+0x2d/0x220 [btrfs]\n  ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n  cleaner_kthread+0x21e/0x380 [btrfs]\n  ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n  kthread+0x2e3/0x3c0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x31/0x70\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  \u003c/TASK\u003e\n\n Allocated by task 3493983:\n  kasan_save_stack+0x33/0x60\n  kasan_save_track+0x14/0x30\n  __kasan_kmalloc+0xaa/0xb0\n  btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n  device_list_add.constprop.0+0x993/0x1630 [btrfs]\n  btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n  btrfs_control_ioctl+0x26e/0x310 [btrfs]\n  __x64_sys_ioctl+0x134/0x1b0\n  do_syscall_64+0x99/0x190\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n  kasan_save_stack+0x33/0x60\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3f/0x60\n  poison_slab_object+0x102/0x170\n  __kasan_slab_free+0x32/0x70\n  kfree+0x11b/0x320\n  btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n  btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n  btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n  btrfs_ioctl+0xb27/0x57d0 [btrfs]\n  __x64_sys_ioctl+0x134/0x1b0\n  do_syscall_64+0x99/0x190\n  entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n  which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n  freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003effff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                        ^\n  ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we\u0027re accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n  btrfs_scrub_dev\n   btrfs_dev_replace_finishing\n    btrfs_dev_replace_update_device_in_mapping_tree \u003c-- devices replaced\n    btrfs_rm_dev_replace_free_srcdev\n     btrfs_free_device                              \u003c-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n  btrfs_zone_finish\n   do_zone_finish              \u003c-- refers the freed device\n\nThe reason for this is that we\u0027re using a\n---truncated---",
  "id": "GHSA-phc9-mf56-r5f6",
  "modified": "2025-01-14T15:30:49Z",
  "published": "2024-05-01T06:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26944"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.