CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9813 vulnerabilities reference this CWE, most recent first.
GHSA-WQ5C-W7MQ-VQJV
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50307"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:28Z",
"severity": "HIGH"
},
"details": "Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-wq5c-w7mq-vqjv",
"modified": "2026-07-14T18:32:15Z",
"published": "2026-07-14T18:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50307"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50307"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ5V-H429-2627
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50312"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:29Z",
"severity": "MODERATE"
},
"details": "Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-wq5v-h429-2627",
"modified": "2026-07-14T18:32:15Z",
"published": "2026-07-14T18:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50312"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50312"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ6R-9RPH-J79C
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-07 00:00Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.
{
"affected": [],
"aliases": [
"CVE-2022-28271"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-06T18:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.",
"id": "GHSA-wq6r-9rph-j79c",
"modified": "2022-05-07T00:00:35Z",
"published": "2022-05-07T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28271"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb22-20.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ87-G3M8-CQ98
Vulnerability from github – Published: 2022-12-14 06:30 – Updated: 2023-11-25 12:30Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2022-4437"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-14T06:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-wq87-g3m8-cq98",
"modified": "2023-11-25T12:30:21Z",
"published": "2022-12-14T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4437"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop_13.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1394692"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-10"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQ8P-3Q98-GW6H
Vulnerability from github – Published: 2022-05-17 03:08 – Updated: 2022-05-17 03:08Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3054, CVE-2015-3055, CVE-2015-3059, and CVE-2015-3075.
{
"affected": [],
"aliases": [
"CVE-2015-3053"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-05-13T10:59:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3054, CVE-2015-3055, CVE-2015-3059, and CVE-2015-3075.",
"id": "GHSA-wq8p-3q98-gw6h",
"modified": "2022-05-17T03:08:07Z",
"published": "2022-05-17T03:08:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3053"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/reader/apsb15-10.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74602"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1032284"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-15-215"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WQ8W-P3F3-V5FM
Vulnerability from github – Published: 2024-04-02 21:30 – Updated: 2024-04-02 21:30Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22947.
{
"affected": [],
"aliases": [
"CVE-2024-30365"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T21:15:50Z",
"severity": "HIGH"
},
"details": "Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22947.",
"id": "GHSA-wq8w-p3f3-v5fm",
"modified": "2024-04-02T21:30:31Z",
"published": "2024-04-02T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30365"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-343"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQCR-WJ43-4GG7
Vulnerability from github – Published: 2025-02-27 03:33 – Updated: 2025-02-27 18:31In the Linux kernel, the following vulnerability has been resolved:
i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition
In dw_i3c_common_probe, &master->hj_work is bound with dw_i3c_hj_work. And dw_i3c_master_irq_handler can call dw_i3c_master_irq_handle_ibis function to start the work.
If we remove the module which will call dw_i3c_common_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| dw_i3c_hj_work
dw_i3c_common_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base
Fix it by ensuring that the work is canceled before proceeding with the cleanup in dw_i3c_common_remove.
{
"affected": [],
"aliases": [
"CVE-2024-57984"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T02:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition\n\nIn dw_i3c_common_probe, \u0026master-\u003ehj_work is bound with\ndw_i3c_hj_work. And dw_i3c_master_irq_handler can call\ndw_i3c_master_irq_handle_ibis function to start the work.\n\nIf we remove the module which will call dw_i3c_common_remove to\nmake cleanup, it will free master-\u003ebase through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | dw_i3c_hj_work\ndw_i3c_common_remove |\ni3c_master_unregister(\u0026master-\u003ebase) |\ndevice_unregister(\u0026master-\u003edev) |\ndevice_release |\n//free master-\u003ebase |\n | i3c_master_do_daa(\u0026master-\u003ebase)\n | //use master-\u003ebase\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in dw_i3c_common_remove.",
"id": "GHSA-wqcr-wj43-4gg7",
"modified": "2025-02-27T18:31:09Z",
"published": "2025-02-27T03:33:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57984"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60d2fb033a999bb644f8e8606ff4a1b82de36c6f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b0063098fcde17cd2894f2c96459b23388507ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b75439c945b94dd8a2b645355bdb56f948052601"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc84dd3c909a372c0d130f5f84c404717c17eed8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQF4-GCCR-FCX6
Vulnerability from github – Published: 2023-02-21 03:30 – Updated: 2025-03-14 21:31In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.
{
"affected": [],
"aliases": [
"CVE-2022-48340"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-21T02:15:00Z",
"severity": "HIGH"
},
"details": "In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.",
"id": "GHSA-wqf4-gccr-fcx6",
"modified": "2025-03-14T21:31:33Z",
"published": "2023-02-21T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48340"
},
{
"type": "WEB",
"url": "https://github.com/gluster/glusterfs/issues/3732"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UE6K2DXP4QZVKP32Z7BSYDSRBL4H7JSE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UE6K2DXP4QZVKP32Z7BSYDSRBL4H7JSE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQFP-WXF7-9VR7
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 18:30In the Linux kernel, the following vulnerability has been resolved:
lwt: Fix return values of BPF xmit ops
BPF encap ops can return different types of positive values, such like NET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function skb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return values would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in ip(6)_finish_output2. When this happens, skbs that have been freed would continue to the neighbor subsystem, causing use-after-free bug and kernel crashes.
To fix the incorrect behavior, skb_do_redirect return values can be simply discarded, the same as tc-egress behavior. On the other hand, bpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU information. Thus convert its return values to avoid the conflict with LWTUNNEL_XMIT_CONTINUE.
{
"affected": [],
"aliases": [
"CVE-2023-53338"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T15:15:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlwt: Fix return values of BPF xmit ops\n\nBPF encap ops can return different types of positive values, such like\nNET_RX_DROP, NET_XMIT_CN, NETDEV_TX_BUSY, and so on, from function\nskb_do_redirect and bpf_lwt_xmit_reroute. At the xmit hook, such return\nvalues would be treated implicitly as LWTUNNEL_XMIT_CONTINUE in\nip(6)_finish_output2. When this happens, skbs that have been freed would\ncontinue to the neighbor subsystem, causing use-after-free bug and\nkernel crashes.\n\nTo fix the incorrect behavior, skb_do_redirect return values can be\nsimply discarded, the same as tc-egress behavior. On the other hand,\nbpf_lwt_xmit_reroute returns useful errors to local senders, e.g. PMTU\ninformation. Thus convert its return values to avoid the conflict with\nLWTUNNEL_XMIT_CONTINUE.",
"id": "GHSA-wqfp-wxf7-9vr7",
"modified": "2025-12-11T18:30:32Z",
"published": "2025-09-17T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53338"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/065d5f17096ec9161180e2c890afdff4dc6125f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29b22badb7a84b783e3a4fffca16f7768fb31205"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65583f9e070db7bece20710cfa2e3daeb0b831d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67f8f2bae8e7ac72e09def2b667e44704c4d1ee1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a97f221651fcdc891166e9bc270e3d9bfa5a0080"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d68c17402442f5f494a2c3ebde5cb82f6aa9160a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3f647e4b642f9f6d32795a16f92c116c138d2af"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQGG-8638-F2VF
Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-02-27 21:32In the Linux kernel, the following vulnerability has been resolved:
HID: corsair-void: Add missing delayed work cancel for headset status
The cancel_delayed_work_sync() call was missed, causing a use-after-free in corsair_void_remove().
{
"affected": [],
"aliases": [
"CVE-2025-21797"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T03:15:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: corsair-void: Add missing delayed work cancel for headset status\n\nThe cancel_delayed_work_sync() call was missed, causing a use-after-free\nin corsair_void_remove().",
"id": "GHSA-wqgg-8638-f2vf",
"modified": "2025-02-27T21:32:15Z",
"published": "2025-02-27T03:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21797"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2dcb56a0a4da6946f6c18288da595c13e0d2af86"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48e487b002891eb0aeaec704c9bed51f028deff1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.