CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-Q4R2-VPW8-HWG5
Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2025-04-20 03:49The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.
{
"affected": [],
"aliases": [
"CVE-2017-8824"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-05T09:29:00Z",
"severity": "HIGH"
},
"details": "The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.",
"id": "GHSA-q4r2-vpw8-hwg5",
"modified": "2025-04-20T03:49:24Z",
"published": "2022-05-14T01:49:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8824"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43234"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4082"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4073"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3583-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3582-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3582-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3581-3"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3581-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3581-1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html"
},
{
"type": "WEB",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3822"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1216"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1170"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1130"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0676"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0399"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.openwall.net/netdev/2017/12/04/224"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/12/05/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q536-2443-Q2HP
Vulnerability from github – Published: 2024-04-03 18:30 – Updated: 2024-04-03 18:30Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Doc objects in AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22637.
{
"affected": [],
"aliases": [
"CVE-2024-30331"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T17:15:57Z",
"severity": "HIGH"
},
"details": "Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Doc objects in AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22637.",
"id": "GHSA-q536-2443-q2hp",
"modified": "2024-04-03T18:30:43Z",
"published": "2024-04-03T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30331"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-308"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q53P-QM4C-C2WJ
Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2026-05-12 12:32In the Linux kernel, the following vulnerability has been resolved:
netem: fix return value if duplicate enqueue fails
There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free.
This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.
There are two ways for the bug happen:
- If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped.
In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.
{
"affected": [],
"aliases": [
"CVE-2024-45016"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T16:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: fix return value if duplicate enqueue fails\n\nThere is a bug in netem_enqueue() introduced by\ncommit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\")\nthat can lead to a use-after-free.\n\nThis commit made netem_enqueue() always return NET_XMIT_SUCCESS\nwhen a packet is duplicated, which can cause the parent qdisc\u0027s q.qlen\nto be mistakenly incremented. When this happens qlen_notify() may be\nskipped on the parent during destruction, leaving a dangling pointer\nfor some classful qdiscs like DRR.\n\nThere are two ways for the bug happen:\n\n- If the duplicated packet is dropped by rootq-\u003eenqueue() and then\n the original packet is also dropped.\n- If rootq-\u003eenqueue() sends the duplicated packet to a different qdisc\n and the original packet is dropped.\n\nIn both cases NET_XMIT_SUCCESS is returned even though no packets\nare enqueued at the netem qdisc.\n\nThe fix is to defer the enqueue of the duplicate packet until after\nthe original packet has been guaranteed to return NET_XMIT_SUCCESS.",
"id": "GHSA-q53p-qm4c-c2wj",
"modified": "2026-05-12T12:32:07Z",
"published": "2024-09-11T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45016"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0486d31dd8198e22b63a4730244b38fffce6d469"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52d99a69f3d556c6426048c9d481b912205919d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/577d6c0619467fe90f7e8e57e45cb5bd9d936014"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/759e3e8c4a6a6b4e52ebc4547123a457f0ce90d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c07ff8592d57ed258afee5a5e04991a48dbaf382"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c414000da1c2ea1ba9a5e5bb1a4ba774e51e202d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e5bb2988a310667abed66c7d3ffa28880cf0f883"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q55H-C4PR-GCMG
Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-12 00:00Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability in the processing of annotations that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-27797"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T18:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability in the processing of annotations that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-q55h-c4pr-gcmg",
"modified": "2022-05-12T00:00:41Z",
"published": "2022-05-12T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27797"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q568-5559-56W7
Vulnerability from github – Published: 2026-04-09 00:31 – Updated: 2026-04-13 15:31Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-5872"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:26Z",
"severity": "HIGH"
},
"details": "Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-q568-5559-56w7",
"modified": "2026-04-13T15:31:10Z",
"published": "2026-04-09T00:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5872"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/496281816"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q56J-8X89-GVGG
Vulnerability from github – Published: 2023-03-29 18:30 – Updated: 2024-10-21 18:30libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).
{
"affected": [],
"aliases": [
"CVE-2022-48434"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T17:15:00Z",
"severity": "HIGH"
},
"details": "libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).",
"id": "GHSA-q56j-8x89-gvgg",
"modified": "2024-10-21T18:30:45Z",
"published": "2023-03-29T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48434"
},
{
"type": "WEB",
"url": "https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KOMB6WRUC55VWV25IKJTV22KARBUGWGQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQHNSWXFUN3VJ3AO2AEJUK3BURSGM5G2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOMB6WRUC55VWV25IKJTV22KARBUGWGQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQHNSWXFUN3VJ3AO2AEJUK3BURSGM5G2"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=35356201"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202312-14"
},
{
"type": "WEB",
"url": "https://wrv.github.io/h26forge.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q59G-53FJ-P9FQ
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, iCloud for Windows 7.20, macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2020-9926"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T18:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, iCloud for Windows 7.20, macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution.",
"id": "GHSA-q59g-53fj-p9fq",
"modified": "2022-05-24T17:46:14Z",
"published": "2022-05-24T17:46:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9926"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211288"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211289"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211290"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211291"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211295"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q5F8-GRF8-9FF4
Vulnerability from github – Published: 2022-05-14 01:52 – Updated: 2025-11-25 18:32A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox < 62, Firefox ESR < 60.2, and Thunderbird < 60.2.1.
{
"affected": [],
"aliases": [
"CVE-2018-12377"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-18T13:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability can occur when refresh driver timers are refreshed in some circumstances during shutdown when the timer is deleted while still in use. This results in a potentially exploitable crash. This vulnerability affects Firefox \u003c 62, Firefox ESR \u003c 60.2, and Thunderbird \u003c 60.2.1.",
"id": "GHSA-q5f8-grf8-9ff4",
"modified": "2025-11-25T18:32:14Z",
"published": "2022-05-14T01:52:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12377"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2692"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2693"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3403"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3458"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1470260"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201810-01"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-13"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3761-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3793-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4287"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4327"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-21"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-25"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105280"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041610"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5GC-8MMJ-M6HH
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-24 21:30In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Make dma-fences compliant with the safe access rules
Xe can free some of the data pointed to by the dma-fences it exports. Most notably the timeline name can get freed if userspace closes the associated submit queue. At the same time the fence could have been exported to a third party (for example a sync_fence fd) which will then cause an use- after-free on subsequent access.
To make this safe we need to make the driver compliant with the newly documented dma-fence rules. Driver has to ensure a RCU grace period between signalling a fence and freeing any data pointed to by said fence.
For the timeline name we simply make the queue be freed via kfree_rcu and for the shared lock associated with multiple queues we add a RCU grace period before freeing the per GT structure holding the lock.
{
"affected": [],
"aliases": [
"CVE-2025-38703"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Make dma-fences compliant with the safe access rules\n\nXe can free some of the data pointed to by the dma-fences it exports. Most\nnotably the timeline name can get freed if userspace closes the associated\nsubmit queue. At the same time the fence could have been exported to a\nthird party (for example a sync_fence fd) which will then cause an use-\nafter-free on subsequent access.\n\nTo make this safe we need to make the driver compliant with the newly\ndocumented dma-fence rules. Driver has to ensure a RCU grace period\nbetween signalling a fence and freeing any data pointed to by said fence.\n\nFor the timeline name we simply make the queue be freed via kfree_rcu and\nfor the shared lock associated with multiple queues we add a RCU grace\nperiod before freeing the per GT structure holding the lock.",
"id": "GHSA-q5gc-8mmj-m6hh",
"modified": "2025-11-24T21:30:56Z",
"published": "2025-09-05T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38703"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/683b0e397dad9f26a42dcacf6f7f545a77ce6c06"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6bd90e700b4285e6a7541e00f969cab0d696adde"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b17fcce70733c211cb5dabf54f4f9491920b1d92"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba37807d08bae67de6139346a85650cab5f6145a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5GX-QJ4H-GHFH
Vulnerability from github – Published: 2025-09-08 15:37 – Updated: 2025-09-08 21:30Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p4, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0.
{
"affected": [],
"aliases": [
"CVE-2025-3212"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-08T13:15:33Z",
"severity": "MODERATE"
},
"details": "Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p4, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0.",
"id": "GHSA-q5gx-qj4h-ghfh",
"modified": "2025-09-08T21:30:59Z",
"published": "2025-09-08T15:37:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3212"
},
{
"type": "WEB",
"url": "https://developer.arm.com/documentation/110627/latest"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.