CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-Q5J2-V8Q9-65C8
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2023-12-28 21:30Microsoft Word Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-38656"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-15T12:15:00Z",
"severity": "HIGH"
},
"details": "Microsoft Word Remote Code Execution Vulnerability",
"id": "GHSA-q5j2-v8q9-65c8",
"modified": "2023-12-28T21:30:30Z",
"published": "2022-05-24T19:14:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38656"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38656"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5MW-FX98-RV2Q
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2025-11-25 18:32A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.
{
"affected": [],
"aliases": [
"CVE-2017-7802"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed. This vulnerability affects Thunderbird \u003c 52.3, Firefox ESR \u003c 52.3, and Firefox \u003c 55.",
"id": "GHSA-q5mw-fx98-rv2q",
"modified": "2025-11-25T18:32:09Z",
"published": "2022-05-14T03:10:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7802"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2534"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1378147"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201803-14"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3928"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3968"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-18"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-19"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-20"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100202"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039124"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5P3-272V-JQ48
Vulnerability from github – Published: 2022-01-14 00:01 – Updated: 2022-01-15 00:02This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14862.
{
"affected": [],
"aliases": [
"CVE-2021-34895"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-13T22:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14862.",
"id": "GHSA-q5p3-272v-jq48",
"modified": "2022-01-15T00:02:29Z",
"published": "2022-01-14T00:01:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34895"
},
{
"type": "WEB",
"url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0004"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1484"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q5RF-FGXQ-R728
Vulnerability from github – Published: 2026-06-09 18:31 – Updated: 2026-06-09 18:31Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-48563"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:44Z",
"severity": "HIGH"
},
"details": "Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.",
"id": "GHSA-q5rf-fgxq-r728",
"modified": "2026-06-09T18:31:00Z",
"published": "2026-06-09T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48563"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48563"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q5V4-CR9J-2VF7
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the getField method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5382.
{
"affected": [],
"aliases": [
"CVE-2018-9945"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-17T15:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the getField method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5382.",
"id": "GHSA-q5v4-cr9j-2vf7",
"modified": "2022-05-13T01:31:39Z",
"published": "2022-05-13T01:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9945"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-18-329"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q628-R862-R4HW
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-19067.
{
"affected": [],
"aliases": [
"CVE-2023-44430"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:57Z",
"severity": "HIGH"
},
"details": "Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-19067.",
"id": "GHSA-q628-r862-r4hw",
"modified": "2024-05-03T03:31:04Z",
"published": "2024-05-03T03:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44430"
},
{
"type": "WEB",
"url": "https://www.bentley.com/advisories/be-2022-0019"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q63V-PVCJ-4QMH
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-59189"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:57Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.",
"id": "GHSA-q63v-pvcj-4qmh",
"modified": "2025-10-14T18:30:33Z",
"published": "2025-10-14T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59189"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q648-4769-6M83
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-05-17 18:30In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
This fixes the condition checking so mgmt_pending_valid is executed whenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd) would kfree(cmd) without unlinking it from the list first, leaving a dangling pointer. Any subsequent list traversal (e.g., mgmt_pending_foreach during __mgmt_power_off, or another mgmt_pending_valid call) would dereference freed memory.
{
"affected": [],
"aliases": [
"CVE-2026-31511"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:50Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete\n\nThis fixes the condition checking so mgmt_pending_valid is executed\nwhenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)\nwould kfree(cmd) without unlinking it from the list first, leaving a\ndangling pointer. Any subsequent list traversal (e.g.,\nmgmt_pending_foreach during __mgmt_power_off, or another\nmgmt_pending_valid call) would dereference freed memory.",
"id": "GHSA-q648-4769-6m83",
"modified": "2026-05-17T18:30:26Z",
"published": "2026-04-22T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31511"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2074dfffad76981ca451cb7fc98703d04ac562fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/340666172cf747de58c283d2eef1f335f050538b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a89c33deffb3cb7877a7ea2e50734cd12b064f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f5fa4cd35f707344f65ce9e225b6528691dbbaa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bafec9325d4de26b6c49db75b5d5172de652aae0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q697-JX8Q-HVF2
Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:36In OnWakelockReleased of attribution_processor.cc, there is a use after free that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-254774758
{
"affected": [],
"aliases": [
"CVE-2023-21096"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T20:15:11Z",
"severity": "CRITICAL"
},
"details": "In OnWakelockReleased of attribution_processor.cc, there is a use after free that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-254774758",
"id": "GHSA-q697-jx8q-hvf2",
"modified": "2024-04-04T03:36:07Z",
"published": "2023-04-19T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21096"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-04-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q6CH-8CP2-XFHP
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-11-18 21:32In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using
Running IDXD workloads in a container with the /dev directory mounted can trigger a call trace or even a kernel panic when the parent process of the container is terminated.
This issue occurs because, under certain configurations, Docker does not properly propagate the mount replica back to the original mount point.
In this case, when the user driver detaches, the WQ is destroyed but it still calls destroy_workqueue() attempting to completes all pending work. It's necessary to check wq->wq and skip the drain if it no longer exists.
{
"affected": [],
"aliases": [
"CVE-2025-38369"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-25T13:15:25Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using\n\nRunning IDXD workloads in a container with the /dev directory mounted can\ntrigger a call trace or even a kernel panic when the parent process of the\ncontainer is terminated.\n\nThis issue occurs because, under certain configurations, Docker does not\nproperly propagate the mount replica back to the original mount point.\n\nIn this case, when the user driver detaches, the WQ is destroyed but it\nstill calls destroy_workqueue() attempting to completes all pending work.\nIt\u0027s necessary to check wq-\u003ewq and skip the drain if it no longer exists.",
"id": "GHSA-q6ch-8cp2-xfhp",
"modified": "2025-11-18T21:32:29Z",
"published": "2025-07-25T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38369"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17502e7d7b7113346296f6758324798d536c31fd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98fd66c8ba77e3a7137575f610271014bc0e701f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aee7a7439f8c0884da87694a401930204a57128f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0051a3daa8b2cb318b03b2f9317c3e40855847a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.