Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9813 vulnerabilities reference this CWE, most recent first.

GHSA-WQ5C-W7MQ-VQJV

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:28Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-wq5c-w7mq-vqjv",
  "modified": "2026-07-14T18:32:15Z",
  "published": "2026-07-14T18:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50307"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50307"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ5V-H429-2627

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:29Z",
    "severity": "MODERATE"
  },
  "details": "Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-wq5v-h429-2627",
  "modified": "2026-07-14T18:32:15Z",
  "published": "2026-07-14T18:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50312"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50312"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ6R-9RPH-J79C

Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-07 00:00
VLAI
Details

Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.",
  "id": "GHSA-wq6r-9rph-j79c",
  "modified": "2022-05-07T00:00:35Z",
  "published": "2022-05-07T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28271"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/photoshop/apsb22-20.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ87-G3M8-CQ98

Vulnerability from github – Published: 2022-12-14 06:30 – Updated: 2023-11-25 12:30
VLAI
Details

Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-14T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-wq87-g3m8-cq98",
  "modified": "2023-11-25T12:30:21Z",
  "published": "2022-12-14T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4437"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop_13.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1394692"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-10"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQ8P-3Q98-GW6H

Vulnerability from github – Published: 2022-05-17 03:08 – Updated: 2022-05-17 03:08
VLAI
Details

Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3054, CVE-2015-3055, CVE-2015-3059, and CVE-2015-3075.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-3053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-05-13T10:59:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3054, CVE-2015-3055, CVE-2015-3059, and CVE-2015-3075.",
  "id": "GHSA-wq8p-3q98-gw6h",
  "modified": "2022-05-17T03:08:07Z",
  "published": "2022-05-17T03:08:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3053"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/reader/apsb15-10.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/74602"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1032284"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-15-215"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WQ8W-P3F3-V5FM

Vulnerability from github – Published: 2024-04-02 21:30 – Updated: 2024-04-02 21:30
VLAI
Details

Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22947.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T21:15:50Z",
    "severity": "HIGH"
  },
  "details": "Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22947.",
  "id": "GHSA-wq8w-p3f3-v5fm",
  "modified": "2024-04-02T21:30:31Z",
  "published": "2024-04-02T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30365"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-343"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQCR-WJ43-4GG7

Vulnerability from github – Published: 2025-02-27 03:33 – Updated: 2025-02-27 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition

In dw_i3c_common_probe, &master->hj_work is bound with dw_i3c_hj_work. And dw_i3c_master_irq_handler can call dw_i3c_master_irq_handle_ibis function to start the work.

If we remove the module which will call dw_i3c_common_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                                 | dw_i3c_hj_work

dw_i3c_common_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in dw_i3c_common_remove.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition\n\nIn dw_i3c_common_probe, \u0026master-\u003ehj_work is bound with\ndw_i3c_hj_work. And dw_i3c_master_irq_handler can call\ndw_i3c_master_irq_handle_ibis function to start the work.\n\nIf we remove the module which will call dw_i3c_common_remove to\nmake cleanup, it will free master-\u003ebase through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0                                      CPU1\n\n                                     | dw_i3c_hj_work\ndw_i3c_common_remove                 |\ni3c_master_unregister(\u0026master-\u003ebase) |\ndevice_unregister(\u0026master-\u003edev)      |\ndevice_release                       |\n//free master-\u003ebase                  |\n                                     | i3c_master_do_daa(\u0026master-\u003ebase)\n                                     | //use master-\u003ebase\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in dw_i3c_common_remove.",
  "id": "GHSA-wqcr-wj43-4gg7",
  "modified": "2025-02-27T18:31:09Z",
  "published": "2025-02-27T03:33:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57984"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60d2fb033a999bb644f8e8606ff4a1b82de36c6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b0063098fcde17cd2894f2c96459b23388507ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b75439c945b94dd8a2b645355bdb56f948052601"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc84dd3c909a372c0d130f5f84c404717c17eed8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQF4-GCCR-FCX6

Vulnerability from github – Published: 2023-02-21 03:30 – Updated: 2025-03-14 21:31
VLAI
Details

In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-21T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.",
  "id": "GHSA-wqf4-gccr-fcx6",
  "modified": "2025-03-14T21:31:33Z",
  "published": "2023-02-21T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gluster/glusterfs/issues/3732"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UE6K2DXP4QZVKP32Z7BSYDSRBL4H7JSE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UE6K2DXP4QZVKP32Z7BSYDSRBL4H7JSE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQFP-WXF7-9VR7

Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

lwt: Fix return values of BPF xmit ops

BPF encap ops can return different types of positive values, such like NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in ip(6)_finish_output2. When this happens, skbs that have been freed would continue to the neighbor subsystem, causing use-after-free bug and kernel crashes.

To fix the incorrect behavior, skb_do_redirect return values can be simply discarded, the same as tc-egress behavior. On the other hand, bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU information. Thus convert its return values to avoid the conflict with LWTUNNEL_XMIT_CONTINUE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlwt: Fix return values of BPF xmit ops\n\nBPF encap ops can return different types of positive values, such like\nNET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function\nskb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return\nvalues would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in\nip(6)_finish_output2. When this happens, skbs that have been freed would\ncontinue to the neighbor subsystem, causing use-after-free bug and\nkernel crashes.\n\nTo fix the incorrect behavior, skb_do_redirect return values can be\nsimply discarded, the same as tc-egress behavior. On the other hand,\nbpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU\ninformation. Thus convert its return values to avoid the conflict with\nLWTUNNEL_XMIT_CONTINUE.",
  "id": "GHSA-wqfp-wxf7-9vr7",
  "modified": "2025-12-11T18:30:32Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53338"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/065d5f17096ec9161180e2c890afdff4dc6125f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29b22badb7a84b783e3a4fffca16f7768fb31205"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65583f9e070db7bece20710cfa2e3daeb0b831d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67f8f2bae8e7ac72e09def2b667e44704c4d1ee1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a97f221651fcdc891166e9bc270e3d9bfa5a0080"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d68c17402442f5f494a2c3ebde5cb82f6aa9160a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3f647e4b642f9f6d32795a16f92c116c138d2af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQGG-8638-F2VF

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-02-27 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: corsair-void: Add missing delayed work cancel for headset status

The cancel_delayed_work_sync() call was missed, causing a use-after-free in corsair_void_remove().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T03:15:20Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: corsair-void: Add missing delayed work cancel for headset status\n\nThe cancel_delayed_work_sync() call was missed, causing a use-after-free\nin corsair_void_remove().",
  "id": "GHSA-wqgg-8638-f2vf",
  "modified": "2025-02-27T21:32:15Z",
  "published": "2025-02-27T03:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21797"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2dcb56a0a4da6946f6c18288da595c13e0d2af86"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48e487b002891eb0aeaec704c9bed51f028deff1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.