Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9813 vulnerabilities reference this CWE, most recent first.

GHSA-WMCQ-CCC7-7X62

Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30
VLAI
Details

Memory corruption while processing config_dev IOCTL when camera kernel driver drops its reference to CPU buffers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T16:15:36Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption while processing config_dev IOCTL when camera kernel driver drops its reference to CPU buffers.",
  "id": "GHSA-wmcq-ccc7-7x62",
  "modified": "2025-09-24T18:30:30Z",
  "published": "2025-09-24T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27037"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMG8-34JG-V3F5

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the SeedValue Generic Object parameter provided to the signatureSetSeedValue function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6329.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.1.0.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the SeedValue Generic Object parameter provided to the signatureSetSeedValue function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6329.",
  "id": "GHSA-wmg8-34jg-v3f5",
  "modified": "2022-05-13T01:34:33Z",
  "published": "2022-05-13T01:34:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14309"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-769"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMH3-2439-2HPR

Vulnerability from github – Published: 2022-06-22 00:00 – Updated: 2022-06-30 00:00
VLAI
Details

Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-21T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c.",
  "id": "GHSA-wmh3-2439-2hpr",
  "modified": "2022-06-30T00:00:42Z",
  "published": "2022-06-22T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/njs/issues/482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/njs/commit/eafe4c7a326b163612f10861392622b5da5b1792"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMH6-7XP9-5GH8

Vulnerability from github – Published: 2023-11-29 12:30 – Updated: 2023-12-01 21:30
VLAI
Details

Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-29T12:15:07Z",
    "severity": "HIGH"
  },
  "details": "Use after free in libavif in Google Chrome prior to 119.0.6045.199 allowed a remote attacker to potentially exploit heap corruption via a crafted avif file. (Chromium security severity: High)",
  "id": "GHSA-wmh6-7xp9-5gh8",
  "modified": "2023-12-01T21:30:29Z",
  "published": "2023-11-29T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6350"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1501766"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T7ABNYMOI4ZHVCSPCNP7HQTOLGF53A2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7XQNYZZA3X2LBJF57ZHKXWOMJKNLZYR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJROPNKWW65R34J4IYGTJ7A3OBPUL4IQ"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-34"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5569"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMH9-52HX-XJ2C

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-10 00:00
VLAI
Details

A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().",
  "id": "GHSA-wmh9-52hx-xj2c",
  "modified": "2022-09-10T00:00:31Z",
  "published": "2022-09-02T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27784"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e8d5f92b8d30bb4ade76494490c3c065e12411b1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMJJ-79P2-75M6

Vulnerability from github – Published: 2025-03-11 12:30 – Updated: 2025-03-11 12:30
VLAI
Details

A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualization V2412 (All versions < V2412.0002), Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files. An attacker could leverage this vulnerability to execute code in the context of the current process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T10:15:17Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.13), Teamcenter Visualization V2312 (All versions \u003c V2312.0009), Teamcenter Visualization V2406 (All versions \u003c V2406.0007), Teamcenter Visualization V2412 (All versions \u003c V2412.0002), Tecnomatix Plant Simulation V2302 (All versions \u003c V2302.0021), Tecnomatix Plant Simulation V2404 (All versions \u003c V2404.0010). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files.\nAn attacker could leverage this vulnerability to execute code in the context of the current process.",
  "id": "GHSA-wmjj-79p2-75m6",
  "modified": "2025-03-11T12:30:59Z",
  "published": "2025-03-11T12:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23402"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-050438.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WMMR-M98C-G94F

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

veth: Fix use after free in XDP_REDIRECT

Commit 718a18a0c8a6 ("veth: Rework veth_xdp_rcv_skb in order to accept non-linear skb") introduced a bug where it tried to use pskb_expand_head() if the headroom was less than XDP_PACKET_HEADROOM. This however uses kmalloc to expand the head, which will later allow consume_skb() to free the skb while is it still in use by AF_XDP.

Previously if the headroom was less than XDP_PACKET_HEADROOM we continued on to allocate a new skb from pages so this restores that behavior.

BUG: KASAN: use-after-free in __xsk_rcv+0x18d/0x2c0 Read of size 78 at addr ffff888976250154 by task napi/iconduit-g/148640

CPU: 5 PID: 148640 Comm: napi/iconduit-g Kdump: loaded Tainted: G O 6.1.4-cloudflare-kasan-2023.1.2 #1 Hardware name: Quanta Computer Inc. QuantaPlex T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018 Call Trace: dump_stack_lvl+0x34/0x48 print_report+0x170/0x473 ? __xsk_rcv+0x18d/0x2c0 kasan_report+0xad/0x130 ? __xsk_rcv+0x18d/0x2c0 kasan_check_range+0x149/0x1a0 memcpy+0x20/0x60 __xsk_rcv+0x18d/0x2c0 __xsk_map_redirect+0x1f3/0x490 ? veth_xdp_rcv_skb+0x89c/0x1ba0 [veth] xdp_do_redirect+0x5ca/0xd60 veth_xdp_rcv_skb+0x935/0x1ba0 [veth] ? __netif_receive_skb_list_core+0x671/0x920 ? veth_xdp+0x670/0x670 [veth] veth_xdp_rcv+0x304/0xa20 [veth] ? do_xdp_generic+0x150/0x150 ? veth_xdp_rcv_one+0xde0/0xde0 [veth] ? _raw_spin_lock_bh+0xe0/0xe0 ? newidle_balance+0x887/0xe30 ? __perf_event_task_sched_in+0xdb/0x800 veth_poll+0x139/0x571 [veth] ? veth_xdp_rcv+0xa20/0xa20 [veth] ? _raw_spin_unlock+0x39/0x70 ? finish_task_switch.isra.0+0x17e/0x7d0 ? __switch_to+0x5cf/0x1070 ? __schedule+0x95b/0x2640 ? io_schedule_timeout+0x160/0x160 __napi_poll+0xa1/0x440 napi_threaded_poll+0x3d1/0x460 ? __napi_poll+0x440/0x440 ? __kthread_parkme+0xc6/0x1f0 ? __napi_poll+0x440/0x440 kthread+0x2a2/0x340 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30

Freed by task 148640: kasan_save_stack+0x23/0x50 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 _kasanslab_free+0x169/0x1d0 slab_free_freelist_hook+0xd2/0x190 kmem_cache_free+0x1a1/0x2f0 skb_release_data+0x449/0x600 consume_skb+0x9f/0x1c0 veth_xdp_rcv_skb+0x89c/0x1ba0 [veth] veth_xdp_rcv+0x304/0xa20 [veth] veth_poll+0x139/0x571 [veth] __napi_poll+0xa1/0x440 napi_threaded_poll+0x3d1/0x460 kthread+0x2a2/0x340 ret_from_fork+0x22/0x30

The buggy address belongs to the object at ffff888976250000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 340 bytes inside of 2048-byte region [ffff888976250000, ffff888976250800)

The buggy address belongs to the physical page: page:00000000ae18262a refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x976250 head:00000000ae18262a order:3 compound_mapcount:0 compound_pincount:0 flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff) raw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004cf00 raw: 0000000000000000 0000000080080008 00000002ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888976250000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888976250080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

ffff888976250100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888976250180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888976250200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:29Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: Fix use after free in XDP_REDIRECT\n\nCommit 718a18a0c8a6 (\"veth: Rework veth_xdp_rcv_skb in order\nto accept non-linear skb\") introduced a bug where it tried to\nuse pskb_expand_head() if the headroom was less than\nXDP_PACKET_HEADROOM.  This however uses kmalloc to expand the head,\nwhich will later allow consume_skb() to free the skb while is it still\nin use by AF_XDP.\n\nPreviously if the headroom was less than XDP_PACKET_HEADROOM we\ncontinued on to allocate a new skb from pages so this restores that\nbehavior.\n\nBUG: KASAN: use-after-free in __xsk_rcv+0x18d/0x2c0\nRead of size 78 at addr ffff888976250154 by task napi/iconduit-g/148640\n\nCPU: 5 PID: 148640 Comm: napi/iconduit-g Kdump: loaded Tainted: G           O       6.1.4-cloudflare-kasan-2023.1.2 #1\nHardware name: Quanta Computer Inc. QuantaPlex T41S-2U/S2S-MB, BIOS S2S_3B10.03 06/21/2018\nCall Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x34/0x48\n  print_report+0x170/0x473\n  ? __xsk_rcv+0x18d/0x2c0\n  kasan_report+0xad/0x130\n  ? __xsk_rcv+0x18d/0x2c0\n  kasan_check_range+0x149/0x1a0\n  memcpy+0x20/0x60\n  __xsk_rcv+0x18d/0x2c0\n  __xsk_map_redirect+0x1f3/0x490\n  ? veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]\n  xdp_do_redirect+0x5ca/0xd60\n  veth_xdp_rcv_skb+0x935/0x1ba0 [veth]\n  ? __netif_receive_skb_list_core+0x671/0x920\n  ? veth_xdp+0x670/0x670 [veth]\n  veth_xdp_rcv+0x304/0xa20 [veth]\n  ? do_xdp_generic+0x150/0x150\n  ? veth_xdp_rcv_one+0xde0/0xde0 [veth]\n  ? _raw_spin_lock_bh+0xe0/0xe0\n  ? newidle_balance+0x887/0xe30\n  ? __perf_event_task_sched_in+0xdb/0x800\n  veth_poll+0x139/0x571 [veth]\n  ? veth_xdp_rcv+0xa20/0xa20 [veth]\n  ? _raw_spin_unlock+0x39/0x70\n  ? finish_task_switch.isra.0+0x17e/0x7d0\n  ? __switch_to+0x5cf/0x1070\n  ? __schedule+0x95b/0x2640\n  ? io_schedule_timeout+0x160/0x160\n  __napi_poll+0xa1/0x440\n  napi_threaded_poll+0x3d1/0x460\n  ? __napi_poll+0x440/0x440\n  ? __kthread_parkme+0xc6/0x1f0\n  ? __napi_poll+0x440/0x440\n  kthread+0x2a2/0x340\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x22/0x30\n  \u003c/TASK\u003e\n\nFreed by task 148640:\n  kasan_save_stack+0x23/0x50\n  kasan_set_track+0x21/0x30\n  kasan_save_free_info+0x2a/0x40\n  ____kasan_slab_free+0x169/0x1d0\n  slab_free_freelist_hook+0xd2/0x190\n  __kmem_cache_free+0x1a1/0x2f0\n  skb_release_data+0x449/0x600\n  consume_skb+0x9f/0x1c0\n  veth_xdp_rcv_skb+0x89c/0x1ba0 [veth]\n  veth_xdp_rcv+0x304/0xa20 [veth]\n  veth_poll+0x139/0x571 [veth]\n  __napi_poll+0xa1/0x440\n  napi_threaded_poll+0x3d1/0x460\n  kthread+0x2a2/0x340\n  ret_from_fork+0x22/0x30\n\nThe buggy address belongs to the object at ffff888976250000\n  which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 340 bytes inside of\n  2048-byte region [ffff888976250000, ffff888976250800)\n\nThe buggy address belongs to the physical page:\npage:00000000ae18262a refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x976250\nhead:00000000ae18262a order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)\nraw: 002ffff800010200 0000000000000000 dead000000000122 ffff88810004cf00\nraw: 0000000000000000 0000000080080008 00000002ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n  ffff888976250000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888976250080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003e ffff888976250100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                                                  ^\n  ffff888976250180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff888976250200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
  "id": "GHSA-wmmr-m98c-g94f",
  "modified": "2025-11-10T18:30:29Z",
  "published": "2025-05-02T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53107"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e755b56896df48b0fae0db275e148f8d8aa7d6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/717d20710596b5b26595ede454d1105fa176f4a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c10131803e45269ddc6c817f19ed649110f3cae"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMPX-6WWP-CVC6

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: 6fire: Release resources at card release

The current 6fire code tries to release the resources right after the call of usb6fire_chip_abort(). But at this moment, the card object might be still in use (as we're calling snd_card_free_when_closed()).

For avoid potential UAFs, move the release of resources to the card's private_free instead of the manual call of usb6fire_chip_destroy() at the USB disconnect callback.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:32Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: 6fire: Release resources at card release\n\nThe current 6fire code tries to release the resources right after the\ncall of usb6fire_chip_abort().  But at this moment, the card object\nmight be still in use (as we\u0027re calling snd_card_free_when_closed()).\n\nFor avoid potential UAFs, move the release of resources to the card\u0027s\nprivate_free instead of the manual call of usb6fire_chip_destroy() at\nthe USB disconnect callback.",
  "id": "GHSA-wmpx-6wwp-cvc6",
  "modified": "2025-11-03T21:31:50Z",
  "published": "2024-12-27T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53239"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0df7f4b5cc10f5adf98be0845372e9eef7bb5b09"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/273eec23467dfbfbd0e4c10302579ba441fb1e13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57860a80f03f9dc69a34a5c37b0941ad032a0a8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/74357d0b5cd3ef544752bc9f21cbeee4902fae6c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0810c3d6dd2d29a9b92604d682eacd2902ce947"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b754e831a94f82f2593af806741392903f359168"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b889a7d68d7e76b8795b754a75c91a2d561d5e8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea8cc56db659cf0ae57073e32a4735ead7bd7ee3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f2d06d4e129e2508e356136f99bb20a332ff1a00"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMWW-V28Q-953G

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: use timestamp to check for set element timeout

Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area.

Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished.

.lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:12:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.",
  "id": "GHSA-wmww-v28q-953g",
  "modified": "2026-05-12T12:31:45Z",
  "published": "2024-05-14T15:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27397"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b17de2a71e56c10335b565cc7ad238e6d984379"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7fa2e2960fff8322ce2ded57b5f8e9cbc450b967"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b45176b869673417ace338b87cf9cdb66e2eeb01"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eaf1a29ea5d7dba8e84e9e9f3b3f47d0cd540bfe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8dfda798650241c1692058713ca4fef8e429061"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMX6-799C-66VC

Vulnerability from github – Published: 2023-08-28 21:31 – Updated: 2024-04-04 07:14
VLAI
Details

GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a heap-use-after-free via the gf_bs_align function at bitstream.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T19:15:07Z",
    "severity": "MODERATE"
  },
  "details": "GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a heap-use-after-free via the gf_bs_align function at bitstream.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.",
  "id": "GHSA-wmx6-799c-66vc",
  "modified": "2024-04-04T07:14:42Z",
  "published": "2023-08-28T21:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39562"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/2537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChanStormstout/Pocs/blob/master/gpac_POC/id%3A000000%2Csig%3A06%2Csrc%3A003771%2Ctime%3A328254%2Cexecs%3A120473%2Cop%3Ahavoc%2Crep%3A8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.