CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9820 vulnerabilities reference this CWE, most recent first.
GHSA-PXHG-RGCF-QJ38
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability. An authenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-28640"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Use-after-free vulnerability. An authenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-pxhg-rgcf-qj38",
"modified": "2022-05-24T19:11:46Z",
"published": "2022-05-24T19:11:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28640"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-51.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PXHW-6Q9J-34M8
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2025-04-20 03:48Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2017-0861"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-16T23:29:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors.",
"id": "GHSA-pxhw-6q9j-34m8",
"modified": "2025-04-20T03:48:39Z",
"published": "2022-05-13T01:25:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0861"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4187"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3632-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3619-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3619-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3617-3"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3617-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3617-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-1"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-0861"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html"
},
{
"type": "WEB",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=362bca57f5d78220f8b5907b875961af9436e229"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0036"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3096"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2390"
},
{
"type": "WEB",
"url": "http://lists.alioth.debian.org/pipermail/secure-testing-commits/2017-December/059967.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102329"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXJC-2PXW-QCPG
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. A remote attacker may be able to cause unexpected app termination or arbitrary code execution
{
"affected": [],
"aliases": [
"CVE-2023-32387"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:12Z",
"severity": "CRITICAL"
},
"details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.4, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. A remote attacker may be able to cause unexpected app termination or arbitrary code execution",
"id": "GHSA-pxjc-2pxw-qcpg",
"modified": "2024-04-04T05:07:47Z",
"published": "2023-06-23T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32387"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213759"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213760"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXQ3-H2CM-CXRJ
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27Use-after-free vulnerability in SumatraPDF Reader 2.x before 2.2.1 allows remote attackers to execute arbitrary code via a crafted PDF file.
{
"affected": [],
"aliases": [
"CVE-2013-2830"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-08T23:29:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in SumatraPDF Reader 2.x before 2.2.1 allows remote attackers to execute arbitrary code via a crafted PDF file.",
"id": "GHSA-pxq3-h2cm-cxrj",
"modified": "2022-05-13T01:27:59Z",
"published": "2022-05-13T01:27:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2830"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/vulnerabilityresearchadvisories/2013/msvr13-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXV4-RWXF-M755
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
power: supply: cpcap-battery: Fix use-after-free in power_supply_changed()
Using the devm_ variant for requesting IRQ before the devm_
variant for allocating/registering the power_supply handle, means that
the power_supply handle will be deallocated/unregistered before the
interrupt handler (since devm_ naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just after the power_supply
handle has been freed, but just before the corresponding
unregistration of the IRQ handler has run.
This will lead to the IRQ handler calling power_supply_changed() with
a freed power_supply handle. Which usually crashes the system or
otherwise silently corrupts the memory...
Note that there is a similar situation which can also happen during
probe(); the possibility of an interrupt firing before registering
the power_supply handle. This would then lead to the nasty situation
of using the power_supply handle uninitialized in
power_supply_changed().
Fix this racy use-after-free by making sure the IRQ is requested after
the registration of the power_supply handle.
{
"affected": [],
"aliases": [
"CVE-2026-45885"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:02Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: cpcap-battery: Fix use-after-free in power_supply_changed()\n\nUsing the `devm_` variant for requesting IRQ _before_ the `devm_`\nvariant for allocating/registering the `power_supply` handle, means that\nthe `power_supply` handle will be deallocated/unregistered _before_ the\ninterrupt handler (since `devm_` naturally deallocates in reverse\nallocation order). This means that during removal, there is a race\ncondition where an interrupt can fire just _after_ the `power_supply`\nhandle has been freed, *but* just _before_ the corresponding\nunregistration of the IRQ handler has run.\n\nThis will lead to the IRQ handler calling `power_supply_changed()` with\na freed `power_supply` handle. Which usually crashes the system or\notherwise silently corrupts the memory...\n\nNote that there is a similar situation which can also happen during\n`probe()`; the possibility of an interrupt firing _before_ registering\nthe `power_supply` handle. This would then lead to the nasty situation\nof using the `power_supply` handle *uninitialized* in\n`power_supply_changed()`.\n\nFix this racy use-after-free by making sure the IRQ is requested _after_\nthe registration of the `power_supply` handle.",
"id": "GHSA-pxv4-rwxf-m755",
"modified": "2026-06-25T21:31:20Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45885"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2841bbb5a35c4449c0a0458e8e476b2a62f95147"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ce2334be155bd8bad6377e99984246ce4dbd08c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ff75cba1c98349a23a8f9333981deba1972cc11"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/642f33e34b969eedec334738fd5df95d2dc42742"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cbb9b07f88a9ef6518934c41eb3e8cf840d657d5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e261be6f18929f2397cd54cd583a2df624c129c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q226-3PH8-PX6R
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11054"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:09Z",
"severity": "HIGH"
},
"details": "Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-q226-3ph8-px6r",
"modified": "2026-06-05T03:31:33Z",
"published": "2026-06-05T00:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11054"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/498845284"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q23H-296P-M22R
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24213.
{
"affected": [],
"aliases": [
"CVE-2024-8818"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T21:15:20Z",
"severity": "HIGH"
},
"details": "PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24213.",
"id": "GHSA-q23h-296p-m22r",
"modified": "2024-11-22T21:32:19Z",
"published": "2024-11-22T21:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8818"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1241"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q248-6JPV-6WJH
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02An exploitable use-after-free vulnerability exists in the JavaScript engine Foxit Software Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If a browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-3850"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-23T15:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable use-after-free vulnerability exists in the JavaScript engine Foxit Software Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If a browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
"id": "GHSA-q248-6jpv-6wjh",
"modified": "2022-05-13T01:02:06Z",
"published": "2022-05-13T01:02:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3850"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0532"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103942"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040733"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q25H-FM3C-JGP6
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2022-05-14 03:54The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.
{
"affected": [],
"aliases": [
"CVE-2016-9576"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-28T07:59:00Z",
"severity": "HIGH"
},
"details": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.",
"id": "GHSA-q25h-fm3c-jgp6",
"modified": "2022-05-14T03:54:59Z",
"published": "2022-05-14T03:54:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9576"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/a0ac402cfcdc904f9772e1762b3fda112dcc56a0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0817"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2077"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2669"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-9576"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1403145"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a0ac402cfcdc904f9772e1762b3fda112dcc56a0"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00040.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00057.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00062.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00072.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00075.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00081.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00088.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00091.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0817.html"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.14"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/08/19"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94821"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q25W-PV7X-X34V
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-13 18:31In the Linux kernel, the following vulnerability has been resolved:
virtio-blk: Avoid use-after-free on suspend/resume
hctx->user_data is set to vq in virtblk_init_hctx(). However, vq is freed on suspend and reallocated on resume. So, hctx->user_data is invalid after resume, and it will cause use-after-free accessing which will result in the kernel crash something like below:
[ 22.428391] Call Trace: [ 22.428899] [ 22.429339] virtqueue_add_split+0x3eb/0x620 [ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0 [ 22.430789] ? kvm_clock_get_cycles+0x14/0x30 [ 22.431496] virtqueue_add_sgs+0xad/0xd0 [ 22.432108] virtblk_add_req+0xe8/0x150 [ 22.432692] virtio_queue_rqs+0xeb/0x210 [ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280 [ 22.434059] __blk_flush_plug+0xe1/0x140 [ 22.434853] blk_finish_plug+0x20/0x40 [ 22.435512] read_pages+0x20a/0x2e0 [ 22.436063] ? folio_add_lru+0x62/0xa0 [ 22.436652] page_cache_ra_unbounded+0x112/0x160 [ 22.437365] filemap_get_pages+0xe1/0x5b0 [ 22.437964] ? context_to_sid+0x70/0x100 [ 22.438580] ? sidtab_context_to_sid+0x32/0x400 [ 22.439979] filemap_read+0xcd/0x3d0 [ 22.440917] xfs_file_buffered_read+0x4a/0xc0 [ 22.441984] xfs_file_read_iter+0x65/0xd0 [ 22.442970] __kernel_read+0x160/0x2e0 [ 22.443921] bprm_execve+0x21b/0x640 [ 22.444809] do_execveat_common.isra.0+0x1a8/0x220 [ 22.446008] __x64_sys_execve+0x2d/0x40 [ 22.446920] do_syscall_64+0x37/0x90 [ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd
This patch fixes this issue by getting vq from vblk, and removes virtblk_init_hctx().
{
"affected": [],
"aliases": [
"CVE-2022-50064"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:35Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Avoid use-after-free on suspend/resume\n\nhctx-\u003euser_data is set to vq in virtblk_init_hctx(). However, vq is\nfreed on suspend and reallocated on resume. So, hctx-\u003euser_data is\ninvalid after resume, and it will cause use-after-free accessing which\nwill result in the kernel crash something like below:\n\n[ 22.428391] Call Trace:\n[ 22.428899] \u003cTASK\u003e\n[ 22.429339] virtqueue_add_split+0x3eb/0x620\n[ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0\n[ 22.430789] ? kvm_clock_get_cycles+0x14/0x30\n[ 22.431496] virtqueue_add_sgs+0xad/0xd0\n[ 22.432108] virtblk_add_req+0xe8/0x150\n[ 22.432692] virtio_queue_rqs+0xeb/0x210\n[ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280\n[ 22.434059] __blk_flush_plug+0xe1/0x140\n[ 22.434853] blk_finish_plug+0x20/0x40\n[ 22.435512] read_pages+0x20a/0x2e0\n[ 22.436063] ? folio_add_lru+0x62/0xa0\n[ 22.436652] page_cache_ra_unbounded+0x112/0x160\n[ 22.437365] filemap_get_pages+0xe1/0x5b0\n[ 22.437964] ? context_to_sid+0x70/0x100\n[ 22.438580] ? sidtab_context_to_sid+0x32/0x400\n[ 22.439979] filemap_read+0xcd/0x3d0\n[ 22.440917] xfs_file_buffered_read+0x4a/0xc0\n[ 22.441984] xfs_file_read_iter+0x65/0xd0\n[ 22.442970] __kernel_read+0x160/0x2e0\n[ 22.443921] bprm_execve+0x21b/0x640\n[ 22.444809] do_execveat_common.isra.0+0x1a8/0x220\n[ 22.446008] __x64_sys_execve+0x2d/0x40\n[ 22.446920] do_syscall_64+0x37/0x90\n[ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by getting vq from vblk, and removes\nvirtblk_init_hctx().",
"id": "GHSA-q25w-pv7x-x34v",
"modified": "2025-11-13T18:31:01Z",
"published": "2025-06-18T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50064"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b54e14535bc34bf649372060d518ec9f2b893b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d12ec10292877751ee4463b11a63bd850bc09b5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.