CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9813 vulnerabilities reference this CWE, most recent first.
GHSA-PMQX-RX95-G3W2
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-62216"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T18:15:49Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.",
"id": "GHSA-pmqx-rx95-g3w2",
"modified": "2025-11-11T18:30:23Z",
"published": "2025-11-11T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62216"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62216"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMRR-7VVQ-VPJ6
Vulnerability from github – Published: 2022-05-02 03:17 – Updated: 2024-02-02 18:30Use-after-free vulnerability in the GIFReadNextExtension function in lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted GIF image that causes the realloc function to return a new pointer, which triggers memory corruption when the old pointer is accessed.
{
"affected": [],
"aliases": [
"CVE-2009-0749"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-03-02T20:30:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the GIFReadNextExtension function in lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted GIF image that causes the realloc function to return a new pointer, which triggers memory corruption when the old pointer is accessed.",
"id": "GHSA-pmrr-7vvq-vpj6",
"modified": "2024-02-02T18:30:21Z",
"published": "2022-05-02T03:17:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0749"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48879"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html"
},
{
"type": "WEB",
"url": "http://optipng.sourceforge.net"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34035"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34201"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34259"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/35685"
},
{
"type": "WEB",
"url": "http://sourceforge.net/tracker/index.php?func=detail\u0026aid=2582013\u0026group_id=151404\u0026atid=780913"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200903-12.xml"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/02/24/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/02/25/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/33873"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/0510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMV4-PG97-2F6V
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Use after free in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-33101"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:32Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-pmv4-pg97-2f6v",
"modified": "2026-04-14T18:30:42Z",
"published": "2026-04-14T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33101"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PMXH-5JPF-C7JQ
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-26 00:30In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix UAF on smcsk after smc_listen_out()
BPF CI testing report a UAF issue:
[ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0 [ 16.447134] #PF: supervisor read access in kernel mod e [ 16.447516] #PF: error_code(0x0000) - not-present pag e [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2 [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4 [ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0 [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6 [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0 [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0 [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5 [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0 [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0 [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0 [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3 [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0 [ 16.456459] PKRU: 5555555 4 [ 16.456654] Call Trace : [ 16.456832] [ 16.456989] ? __die+0x23/0x7 0 [ 16.457215] ? page_fault_oops+0x180/0x4c 0 [ 16.457508] ? __lock_acquire+0x3e6/0x249 0 [ 16.457801] ? exc_page_fault+0x68/0x20 0 [ 16.458080] ? asm_exc_page_fault+0x26/0x3 0 [ 16.458389] ? smc_listen_work+0xc02/0x159 0 [ 16.458689] ? smc_listen_work+0xc02/0x159 0 [ 16.458987] ? lock_is_held_type+0x8f/0x10 0 [ 16.459284] process_one_work+0x1ea/0x6d 0 [ 16.459570] worker_thread+0x1c3/0x38 0 [ 16.459839] ? __pfx_worker_thread+0x10/0x1 0 [ 16.460144] kthread+0xe0/0x11 0 [ 16.460372] ? __pfx_kthread+0x10/0x1 0 [ 16.460640] ret_from_fork+0x31/0x5 0 [ 16.460896] ? __pfx_kthread+0x10/0x1 0 [ 16.461166] ret_from_fork_asm+0x1a/0x3 0 [ 16.461453] [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ] [ 16.462134] CR2: 000000000000003 0 [ 16.462380] ---[ end trace 0000000000000000 ]--- [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590
The direct cause of this issue is that after smc_listen_out_connected(), newclcsock->sk may be NULL since it will releases the smcsk. Therefore, if the application closes the socket immediately after accept, newclcsock->sk can be NULL. A possible execution order could be as follows:
smc_listen_work | userspace
lock_sock(sk) | smc_listen_out_connected() | | - smc_listen_out | | | - release_sock | | |- sk->sk_data_ready() | | fd = accept(); | close(fd); | - socket->sk = NULL; / newclcsock->sk is NULL now / SMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))
Since smc_listen_out_connected() will not fail, simply swapping the order of the code can easily fix this issue.
{
"affected": [],
"aliases": [
"CVE-2025-38734"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:42Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix UAF on smcsk after smc_listen_out()\n\nBPF CI testing report a UAF issue:\n\n [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0\n [ 16.447134] #PF: supervisor read access in kernel mod e\n [ 16.447516] #PF: error_code(0x0000) - not-present pag e\n [ 16.447878] PGD 0 P4D 0\n [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I\n [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2\n [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E\n [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4\n [ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k\n [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0\n [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6\n [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0\n [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0\n [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5\n [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0\n [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0\n [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0\n [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3\n [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0\n [ 16.456459] PKRU: 5555555 4\n [ 16.456654] Call Trace :\n [ 16.456832] \u003cTASK \u003e\n [ 16.456989] ? __die+0x23/0x7 0\n [ 16.457215] ? page_fault_oops+0x180/0x4c 0\n [ 16.457508] ? __lock_acquire+0x3e6/0x249 0\n [ 16.457801] ? exc_page_fault+0x68/0x20 0\n [ 16.458080] ? asm_exc_page_fault+0x26/0x3 0\n [ 16.458389] ? smc_listen_work+0xc02/0x159 0\n [ 16.458689] ? smc_listen_work+0xc02/0x159 0\n [ 16.458987] ? lock_is_held_type+0x8f/0x10 0\n [ 16.459284] process_one_work+0x1ea/0x6d 0\n [ 16.459570] worker_thread+0x1c3/0x38 0\n [ 16.459839] ? __pfx_worker_thread+0x10/0x1 0\n [ 16.460144] kthread+0xe0/0x11 0\n [ 16.460372] ? __pfx_kthread+0x10/0x1 0\n [ 16.460640] ret_from_fork+0x31/0x5 0\n [ 16.460896] ? __pfx_kthread+0x10/0x1 0\n [ 16.461166] ret_from_fork_asm+0x1a/0x3 0\n [ 16.461453] \u003c/TASK \u003e\n [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ]\n [ 16.462134] CR2: 000000000000003 0\n [ 16.462380] ---[ end trace 0000000000000000 ]---\n [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590\n\nThe direct cause of this issue is that after smc_listen_out_connected(),\nnewclcsock-\u003esk may be NULL since it will releases the smcsk. Therefore,\nif the application closes the socket immediately after accept,\nnewclcsock-\u003esk can be NULL. A possible execution order could be as\nfollows:\n\nsmc_listen_work | userspace\n-----------------------------------------------------------------\nlock_sock(sk) |\nsmc_listen_out_connected() |\n| \\- smc_listen_out |\n| | \\- release_sock |\n | |- sk-\u003esk_data_ready() |\n | fd = accept();\n | close(fd);\n | \\- socket-\u003esk = NULL;\n/* newclcsock-\u003esk is NULL now */\nSMC_STAT_SERV_SUCC_INC(sock_net(newclcsock-\u003esk))\n\nSince smc_listen_out_connected() will not fail, simply swapping the order\nof the code can easily fix this issue.",
"id": "GHSA-pmxh-5jpf-c7jq",
"modified": "2025-11-26T00:30:16Z",
"published": "2025-09-05T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38734"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/070b4af44c4b6e4c35fb1ca7001a6a88fd2d318f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e765ba0ee0eae35688b443e97108308a716773e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85545f1525f9fa9bf44fec77ba011024f15da342"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9cef55ed49117bd63695446fb84b4b91815c0b4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP2G-Q4QR-J2VC
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted WebRTC stream.
{
"affected": [],
"aliases": [
"CVE-2020-15987"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-03T03:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted WebRTC stream.",
"id": "GHSA-pp2g-q4qr-j2vc",
"modified": "2022-05-24T17:32:54Z",
"published": "2022-05-24T17:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15987"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1127774"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/24QFL4C3AZKMFVL7LVSYMU2DNE5VVUGS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GWCWNHTTYOH6HSFUXPGPBB6J6JYZHZE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SC3U3H6AISVZB5PLZLLNF4HMQ4UFFL7M"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-30"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4824"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PP4W-C8M6-4XVF
Vulnerability from github – Published: 2026-06-15 18:31 – Updated: 2026-06-30 03:37A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.
{
"affected": [],
"aliases": [
"CVE-2026-6040"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T18:16:36Z",
"severity": "MODERATE"
},
"details": "A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.",
"id": "GHSA-pp4w-c8m6-4xvf",
"modified": "2026-06-30T03:37:04Z",
"published": "2026-06-15T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6040"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-6040"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488966"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6040.json"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6040"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PP56-6C5P-HFMV
Vulnerability from github – Published: 2022-05-17 02:05 – Updated: 2024-02-02 18:30ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request.
{
"affected": [],
"aliases": [
"CVE-2010-2941"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-11-05T17:00:00Z",
"severity": "HIGH"
},
"details": "ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request.",
"id": "GHSA-pp56-6c5p-hfmv",
"modified": "2024-02-02T18:30:22Z",
"published": "2022-05-17T02:05:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2941"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=624438"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62882"
},
{
"type": "WEB",
"url": "http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050977.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051277.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051301.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2010-0811.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42287"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42867"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43521"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201207-10.xml"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1024662"
},
{
"type": "WEB",
"url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2010\u0026m=slackware-security.468323"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4435"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2176"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:232"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:233"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:234"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/68951"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0866.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/44530"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1012-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/2856"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/3042"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/3088"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0061"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0535"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP6M-453G-G6J5
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-13560"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-22T18:15:00Z",
"severity": "HIGH"
},
"details": "A use after free vulnerability exists in the JavaScript engine of Foxit Software\u2019s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
"id": "GHSA-pp6m-453g-g6j5",
"modified": "2022-05-24T22:28:51Z",
"published": "2022-05-24T22:28:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13560"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP6W-HMM3-7P57
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2024-03-25 03:31In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
{
"affected": [],
"aliases": [
"CVE-2021-32606"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-11T23:15:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)",
"id": "GHSA-pp6w-hmm3-7p57",
"modified": "2024-03-25T03:31:42Z",
"published": "2022-05-24T19:02:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32606"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2b17c400aeb44daf041627722581ade527bb3c1d"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/73D53S4IZFPFQMRABMXXLW4AJK3EULDX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GI7Z7UBWBGD3ABNIL2DC7RQDCGA4UVQW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HD3NJBG25AADVGPRC63RX2JOQBMPSWK4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73D53S4IZFPFQMRABMXXLW4AJK3EULDX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GI7Z7UBWBGD3ABNIL2DC7RQDCGA4UVQW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HD3NJBG25AADVGPRC63RX2JOQBMPSWK4"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210625-0001"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/05/11/16"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/12/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/13/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/14/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/28/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PP85-5J63-XPQ3
Vulnerability from github – Published: 2026-06-30 18:48 – Updated: 2026-06-30 18:48Summary
A memory-safety vulnerability in Open Babel's GAMESS output parser caused a use-after-free when reading a crafted input file.
Details
The flaw was in GAMESSOutputFormat::ReadMolecule. A malformed input
caused the parser to dereference a stale pointer after the underlying
object had been freed.
Impact
Open Babel is a C++ library and CLI used to read and write chemistry
file formats; it is shipped by Linux distributions and embedded in
services that may parse untrusted input. Triggering this vulnerability
requires the victim to open a malicious GAMESS output file with the
obabel tool, the OBConversion API, or any of the language
bindings (Python, Ruby, Java, R, Perl, C#, PHP).
Affected versions
All releases up to and including 3.1.1.
Patched version
3.2.0 (released 2026-05-26).
Patch
Fix commit: https://github.com/openbabel/openbabel/commit/95033d27 Originally reported as #2834; fixes consolidated in #2913.
A minimized reproducer for this CVE is checked in under
test/files/fuzz_regress/ and is exercised on every CI build under
ASAN+UBSAN by the fuzzregresstest harness.
Credit
Reported via OSS-Fuzz.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openbabel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10994"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:48:57Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nA memory-safety vulnerability in Open Babel\u0027s GAMESS output parser\ncaused a use-after-free when reading a crafted input file.\n\n### Details\n\nThe flaw was in `GAMESSOutputFormat::ReadMolecule`. A malformed input\ncaused the parser to dereference a stale pointer after the underlying\nobject had been freed.\n\n### Impact\n\nOpen Babel is a C++ library and CLI used to read and write chemistry\nfile formats; it is shipped by Linux distributions and embedded in\nservices that may parse untrusted input. Triggering this vulnerability\nrequires the victim to open a malicious GAMESS output file with the\n`obabel` tool, the `OBConversion` API, or any of the language\nbindings (Python, Ruby, Java, R, Perl, C#, PHP).\n\n### Affected versions\n\nAll releases up to and including 3.1.1.\n\n### Patched version\n\n3.2.0 (released 2026-05-26).\n\n### Patch\n\nFix commit: https://github.com/openbabel/openbabel/commit/95033d27\nOriginally reported as #2834; fixes consolidated in #2913.\n\nA minimized reproducer for this CVE is checked in under\n`test/files/fuzz_regress/` and is exercised on every CI build under\nASAN+UBSAN by the `fuzzregresstest` harness.\n\n### Credit\n\nReported via OSS-Fuzz.",
"id": "GHSA-pp85-5j63-xpq3",
"modified": "2026-06-30T18:48:57Z",
"published": "2026-06-30T18:48:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/security/advisories/GHSA-pp85-5j63-xpq3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10994"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/issues/2834"
},
{
"type": "WEB",
"url": "https://github.com/openbabel/openbabel/commit/95033d27d23c07f98daa92d3cd3ae5ea07594a91"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbabel/openbabel"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/files/22318611/poc.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325922"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325922"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.654057"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule"
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.