CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-QH42-8MFG-RHVW
Vulnerability from github – Published: 2022-05-14 03:09 – Updated: 2024-10-21 15:32An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
{
"affected": [],
"aliases": [
"CVE-2017-5447"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird \u003c 52.1, Firefox ESR \u003c 45.9, Firefox ESR \u003c 52.1, and Firefox \u003c 53.",
"id": "GHSA-qh42-8mfg-rhvw",
"modified": "2024-10-21T15:32:20Z",
"published": "2022-05-14T03:09:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5447"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1104"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1106"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1201"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1343552"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3831"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42071"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-10"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-11"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-12"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-13"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97940"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038320"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH4M-69PJ-9VC2
Vulnerability from github – Published: 2026-06-19 12:30 – Updated: 2026-06-19 12:30A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).
{
"affected": [],
"aliases": [
"CVE-2026-12706"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T12:16:27Z",
"severity": "MODERATE"
},
"details": "A use-after-free vulnerability was found in FFmpeg\u0027s RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).",
"id": "GHSA-qh4m-69pj-9vc2",
"modified": "2026-06-19T12:30:29Z",
"published": "2026-06-19T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12706"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12706"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2490710"
},
{
"type": "WEB",
"url": "https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/message/TTRIJZA7UL6KJTEDMMBGZPLLJERJ3EFX"
},
{
"type": "WEB",
"url": "https://patchwork.ffmpeg.org/project/ffmpeg/patch/177766314111.63.10674887811034989327@29965ddac10e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH4W-V3W8-H422
Vulnerability from github – Published: 2024-05-19 12:30 – Updated: 2024-12-30 21:30In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Fix oops when HEVC init fails
The stateless HEVC decoder saves the instance pointer in the context regardless if the initialization worked or not. This caused a use after free, when the pointer is freed in case of a failure in the deinit function. Only store the instance pointer when the initialization was successful, to solve this issue.
Hardware name: Acer Tomato (rev3 - 4) board (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] sp : ffff80008750bc20 x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000 x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000 x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80 x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488 x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00 x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000 Call trace: vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec] vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec] vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec] vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec] vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec] mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec] fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec] v4l2_release+0x7c/0x100 __fput+0x80/0x2d8 __fput_sync+0x58/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0x48/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0xd8 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x1a8/0x1b0 Code: d503201f f9401660 b900127f b900227f (f9400400)
{
"affected": [],
"aliases": [
"CVE-2024-35921"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T11:15:48Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\n\nThe stateless HEVC decoder saves the instance pointer in the context\nregardless if the initialization worked or not. This caused a use after\nfree, when the pointer is freed in case of a failure in the deinit\nfunction.\nOnly store the instance pointer when the initialization was successful,\nto solve this issue.\n\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n sp : ffff80008750bc20\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\n Call trace:\n vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\n vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\n vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\n mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\n fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\n v4l2_release+0x7c/0x100\n __fput+0x80/0x2d8\n __fput_sync+0x58/0x70\n __arm64_sys_close+0x40/0x90\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x38/0xd8\n el0t_64_sync_handler+0xc0/0xc8\n el0t_64_sync+0x1a8/0x1b0\n Code: d503201f f9401660 b900127f b900227f (f9400400)",
"id": "GHSA-qh4w-v3w8-h422",
"modified": "2024-12-30T21:30:45Z",
"published": "2024-05-19T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35921"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH5Q-22FW-6QQ9
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-21 00:00Memory corruption in kernel due to use after free issue in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2022-22092"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T06:15:00Z",
"severity": "HIGH"
},
"details": "Memory corruption in kernel due to use after free issue in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-qh5q-22fw-6qq9",
"modified": "2022-09-21T00:00:51Z",
"published": "2022-09-17T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22092"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/september-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH5V-7QX3-M7XX
Vulnerability from github – Published: 2024-05-06 15:30 – Updated: 2024-05-06 15:30Memory corruption when multiple listeners are being registered with the same file descriptor.
{
"affected": [],
"aliases": [
"CVE-2023-43521"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-06T15:15:19Z",
"severity": "MODERATE"
},
"details": "Memory corruption when multiple listeners are being registered with the same file descriptor.",
"id": "GHSA-qh5v-7qx3-m7xx",
"modified": "2024-05-06T15:30:38Z",
"published": "2024-05-06T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43521"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH5W-3VPM-WQGV
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Use after free in TabGroups in Google Chrome prior to 91.0.4472.77 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30525"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-07T20:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in TabGroups in Google Chrome prior to 91.0.4472.77 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-qh5w-3vpm-wqgv",
"modified": "2022-05-24T19:04:12Z",
"published": "2022-05-24T19:04:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30525"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1197888"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QH6F-G265-FMXF
Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
net: sched: use RCU read-side critical section in taprio_dump()
Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there. Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:
[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0 [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024 [T15862] Call trace: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] tc_fill_qdisc+0x540/0x1020 [T15862] qdisc_notify.isra.0+0x330/0x3a0 [T15862] tc_modify_qdisc+0x7b8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] _syssendmsg+0x6c0/0x840 [T15862] _sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Allocated by task 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] _syssendmsg+0x6c0/0x840 [T15862] _sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Freed by task 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20
{
"affected": [],
"aliases": [
"CVE-2024-50126"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T18:15:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: use RCU read-side critical section in taprio_dump()\n\nFix possible use-after-free in \u0027taprio_dump()\u0027 by adding RCU\nread-side critical section there. Never seen on x86 but\nfound on a KASAN-enabled arm64 system when investigating\nhttps://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:\n\n[T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0\n[T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862\n[T15862]\n[T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2\n[T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024\n[T15862] Call trace:\n[T15862] dump_backtrace+0x20c/0x220\n[T15862] show_stack+0x2c/0x40\n[T15862] dump_stack_lvl+0xf8/0x174\n[T15862] print_report+0x170/0x4d8\n[T15862] kasan_report+0xb8/0x1d4\n[T15862] __asan_report_load4_noabort+0x20/0x2c\n[T15862] taprio_dump+0xa0c/0xbb0\n[T15862] tc_fill_qdisc+0x540/0x1020\n[T15862] qdisc_notify.isra.0+0x330/0x3a0\n[T15862] tc_modify_qdisc+0x7b8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Allocated by task 15857:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_alloc_info+0x40/0x60\n[T15862] __kasan_kmalloc+0xd4/0xe0\n[T15862] __kmalloc_cache_noprof+0x194/0x334\n[T15862] taprio_change+0x45c/0x2fe0\n[T15862] tc_modify_qdisc+0x6a8/0x1838\n[T15862] rtnetlink_rcv_msg+0x3c8/0xc20\n[T15862] netlink_rcv_skb+0x1f8/0x3d4\n[T15862] rtnetlink_rcv+0x28/0x40\n[T15862] netlink_unicast+0x51c/0x790\n[T15862] netlink_sendmsg+0x79c/0xc20\n[T15862] __sock_sendmsg+0xe0/0x1a0\n[T15862] ____sys_sendmsg+0x6c0/0x840\n[T15862] ___sys_sendmsg+0x1ac/0x1f0\n[T15862] __sys_sendmsg+0x110/0x1d0\n[T15862] __arm64_sys_sendmsg+0x74/0xb0\n[T15862] invoke_syscall+0x88/0x2e0\n[T15862] el0_svc_common.constprop.0+0xe4/0x2a0\n[T15862] do_el0_svc+0x44/0x60\n[T15862] el0_svc+0x50/0x184\n[T15862] el0t_64_sync_handler+0x120/0x12c\n[T15862] el0t_64_sync+0x190/0x194\n[T15862]\n[T15862] Freed by task 6192:\n[T15862] kasan_save_stack+0x3c/0x70\n[T15862] kasan_save_track+0x20/0x3c\n[T15862] kasan_save_free_info+0x4c/0x80\n[T15862] poison_slab_object+0x110/0x160\n[T15862] __kasan_slab_free+0x3c/0x74\n[T15862] kfree+0x134/0x3c0\n[T15862] taprio_free_sched_cb+0x18c/0x220\n[T15862] rcu_core+0x920/0x1b7c\n[T15862] rcu_core_si+0x10/0x1c\n[T15862] handle_softirqs+0x2e8/0xd64\n[T15862] __do_softirq+0x14/0x20",
"id": "GHSA-qh6f-g265-fmxf",
"modified": "2025-11-04T00:31:55Z",
"published": "2024-11-05T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50126"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b911fa9e92ee586e36479ad57b88f20471acaca1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH76-9567-4H37
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-11-25 18:32In the Linux kernel, the following vulnerability has been resolved:
drm/meson: remove drm bridges at aggregate driver unbind time
drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list.
When loading the driver modules back in, the same functions would again call drm_bridge_add, and when traversing the global bridge_list, would end up peeking into freed memory.
Once again KASAN revealed the problem:
[ +0.000095] ============================================================= [ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120 [ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483
[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1 [ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT) [ +0.000008] Call trace: [ +0.000006] dump_backtrace+0x1ec/0x280 [ +0.000012] show_stack+0x24/0x80 [ +0.000008] dump_stack_lvl+0x98/0xd4 [ +0.000011] print_address_description.constprop.0+0x80/0x520 [ +0.000011] print_report+0x128/0x260 [ +0.000008] kasan_report+0xb8/0xfc [ +0.000008] __asan_report_load8_noabort+0x3c/0x50 [ +0.000009] __list_add_valid+0x9c/0x120 [ +0.000009] drm_bridge_add+0x6c/0x104 [drm] [ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi] [ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi] [ +0.000014] component_bind+0x174/0x520 [ +0.000012] component_bind_all+0x1a8/0x38c [ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm] [ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm] [ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390 [ +0.000010] component_master_add_with_match+0x1c8/0x284 [ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm] [ +0.000026] platform_probe+0xd0/0x220 [ +0.000009] really_probe+0x3ac/0xa80 [ +0.000009] __driver_probe_device+0x1f8/0x400 [ +0.000009] driver_probe_device+0x68/0x1b0 [ +0.000009] __driver_attach+0x20c/0x480 [ +0.000008] bus_for_each_dev+0x114/0x1b0 [ +0.000009] driver_attach+0x48/0x64 [ +0.000008] bus_add_driver+0x390/0x564 [ +0.000009] driver_register+0x1a8/0x3e4 [ +0.000009] __platform_driver_register+0x6c/0x94 [ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm] [ +0.000027] do_one_initcall+0xc4/0x2b0 [ +0.000011] do_init_module+0x154/0x570 [ +0.000011] load_module+0x1a78/0x1ea4 [ +0.000008] __do_sys_init_module+0x184/0x1cc [ +0.000009] __arm64_sys_init_module+0x78/0xb0 [ +0.000009] invoke_syscall+0x74/0x260 [ +0.000009] el0_svc_common.constprop.0+0xcc/0x260 [ +0.000008] do_el0_svc+0x50/0x70 [ +0.000007] el0_svc+0x68/0x1a0 [ +0.000012] el0t_64_sync_handler+0x11c/0x150 [ +0.000008] el0t_64_sync+0x18c/0x190
[ +0.000016] Allocated by task 879: [ +0.000008] kasan_save_stack+0x2c/0x5c [ +0.000011] __kasan_kmalloc+0x90/0xd0 [ +0.000007] __kmalloc+0x278/0x4a0 [ +0.000011] mpi_resize+0x13c/0x1d0 [ +0.000011] mpi_powm+0xd24/0x1570 [ +0.000009] rsa_enc+0x1a4/0x30c [ +0.000009] pkcs1pad_verify+0x3f0/0x580 [ +0.000009] public_key_verify_signature+0x7a8/0xba4 [ +0.000010] public_key_verify_signature_2+0x40/0x60 [ +0.000008] verify_signature+0xb4/0x114 [ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574 [ +0.000009] pkcs7_validate_trust+0xb8/0x15c [ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0 [ +0.000012] verify_pkcs7_signature+0x78/0xac [ +0.000007] mod_verify_sig+0x110/0x190 [ +0.000009] module_sig_check+0x114/0x1e0 [ +0.000009] load_module+0xa0/0x1ea4 [ +0.000008] __do_sys_init_module+0x184/0x1cc [ +0.000008] __arm64_sys_init_module+0x78/0xb0 [ +0.000008] invoke_syscall+0x74/0x260 [ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260 [ +0.000008] do_el0_svc+0x50/0x70 [ +0.000007] el0_svc+0x68/0x1a0 [ +0.000009] el0t_64_sync_handler+0x11c/0x150 [ +0.000009] el0t_64 ---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-50256"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: remove drm bridges at aggregate driver unbind time\n\ndrm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init\nwere not manually removed at module unload time, which caused dangling\nreferences to freed memory to remain linked in the global bridge_list.\n\nWhen loading the driver modules back in, the same functions would again\ncall drm_bridge_add, and when traversing the global bridge_list, would\nend up peeking into freed memory.\n\nOnce again KASAN revealed the problem:\n\n[ +0.000095] =============================================================\n[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120\n[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483\n\n[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000006] dump_backtrace+0x1ec/0x280\n[ +0.000012] show_stack+0x24/0x80\n[ +0.000008] dump_stack_lvl+0x98/0xd4\n[ +0.000011] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000008] kasan_report+0xb8/0xfc\n[ +0.000008] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] __list_add_valid+0x9c/0x120\n[ +0.000009] drm_bridge_add+0x6c/0x104 [drm]\n[ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]\n[ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]\n[ +0.000014] component_bind+0x174/0x520\n[ +0.000012] component_bind_all+0x1a8/0x38c\n[ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm]\n[ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm]\n[ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390\n[ +0.000010] component_master_add_with_match+0x1c8/0x284\n[ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm]\n[ +0.000026] platform_probe+0xd0/0x220\n[ +0.000009] really_probe+0x3ac/0xa80\n[ +0.000009] __driver_probe_device+0x1f8/0x400\n[ +0.000009] driver_probe_device+0x68/0x1b0\n[ +0.000009] __driver_attach+0x20c/0x480\n[ +0.000008] bus_for_each_dev+0x114/0x1b0\n[ +0.000009] driver_attach+0x48/0x64\n[ +0.000008] bus_add_driver+0x390/0x564\n[ +0.000009] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]\n[ +0.000027] do_one_initcall+0xc4/0x2b0\n[ +0.000011] do_init_module+0x154/0x570\n[ +0.000011] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000009] __arm64_sys_init_module+0x78/0xb0\n[ +0.000009] invoke_syscall+0x74/0x260\n[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000008] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000012] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000016] Allocated by task 879:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000011] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc+0x278/0x4a0\n[ +0.000011] mpi_resize+0x13c/0x1d0\n[ +0.000011] mpi_powm+0xd24/0x1570\n[ +0.000009] rsa_enc+0x1a4/0x30c\n[ +0.000009] pkcs1pad_verify+0x3f0/0x580\n[ +0.000009] public_key_verify_signature+0x7a8/0xba4\n[ +0.000010] public_key_verify_signature_2+0x40/0x60\n[ +0.000008] verify_signature+0xb4/0x114\n[ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574\n[ +0.000009] pkcs7_validate_trust+0xb8/0x15c\n[ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0\n[ +0.000012] verify_pkcs7_signature+0x78/0xac\n[ +0.000007] mod_verify_sig+0x110/0x190\n[ +0.000009] module_sig_check+0x114/0x1e0\n[ +0.000009] load_module+0xa0/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000008] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64\n---truncated---",
"id": "GHSA-qh76-9567-4h37",
"modified": "2025-11-25T18:32:21Z",
"published": "2025-09-15T15:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50256"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09847723c12fc2753749cec3939a02ee92dac468"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de2b6ebe0cb7746b5b6b35d79e150d934392b958"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc1fd114dde3d2623ac37676df3d74ffeedb0da8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH8V-J89H-883X
Vulnerability from github – Published: 2026-07-02 00:31 – Updated: 2026-07-02 15:32Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-14394"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T23:16:47Z",
"severity": "HIGH"
},
"details": "Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-qh8v-j89h-883x",
"modified": "2026-07-02T15:32:05Z",
"published": "2026-07-02T00:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14394"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/511263221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QH9Q-RJPP-HQC3
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 15:30A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6.
{
"affected": [],
"aliases": [
"CVE-2022-46882"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox \u003c 107, Firefox ESR \u003c 102.6, and Thunderbird \u003c 102.6.",
"id": "GHSA-qh9q-rjpp-hqc3",
"modified": "2025-04-15T15:30:39Z",
"published": "2022-12-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46882"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1789371"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-06"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-13"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-47"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-52"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.