Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9805 vulnerabilities reference this CWE, most recent first.

GHSA-X9JM-9GQG-5G65

Vulnerability from github – Published: 2025-10-11 09:30 – Updated: 2025-10-16 15:30
VLAI
Details

Use After Free (UAF) vulnerability in the office service. Successful exploitation of this vulnerability may affect service confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-11T09:15:33Z",
    "severity": "HIGH"
  },
  "details": "Use After Free (UAF) vulnerability in the office service.\u00a0Successful exploitation of this vulnerability may affect service confidentiality.",
  "id": "GHSA-x9jm-9gqg-5g65",
  "modified": "2025-10-16T15:30:27Z",
  "published": "2025-10-11T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58287"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9PW-HH7V-WJPF

Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-29 00:01
VLAI
Details

HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-21T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry.",
  "id": "GHSA-x9pw-hh7v-wjpf",
  "modified": "2022-01-29T00:01:10Z",
  "published": "2022-01-22T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46242"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HDFGroup/hdf5/issues/1329"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X9QX-846H-75G8

Vulnerability from github – Published: 2022-05-14 01:18 – Updated: 2025-04-12 13:02
VLAI
Details

The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4582 and CVE-2016-4653.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-1863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-07-22T02:59:00Z",
    "severity": "HIGH"
  },
  "details": "The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4582 and CVE-2016-4653.",
  "id": "GHSA-x9qx-846h-75g8",
  "modified": "2025-04-12T13:02:43Z",
  "published": "2022-05-14T01:18:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1863"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT206902"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT206903"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT206904"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT206905"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40652"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91828"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036344"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9RV-39RR-F53C

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-07T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.",
  "id": "GHSA-x9rv-39rr-f53c",
  "modified": "2022-05-24T19:19:56Z",
  "published": "2022-05-24T19:19:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43412"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/bug-hurd@gnu.org/msg32116.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X9VG-QJPV-3C38

Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30
VLAI
Details

Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T15:15:47Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.",
  "id": "GHSA-x9vg-qjpv-3c38",
  "modified": "2024-08-05T15:30:53Z",
  "published": "2024-08-05T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23381"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9VM-7P3C-2C8Q

Vulnerability from github – Published: 2022-05-14 03:27 – Updated: 2025-04-20 03:31
VLAI
Details

In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-12T00:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "In all versions of PHP 7, during the unserialization process, resizing the \u0027properties\u0027 hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.",
  "id": "GHSA-x9vm-7p3c-2c8q",
  "modified": "2025-04-20T03:31:00Z",
  "published": "2022-05-14T03:27:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7479"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1296"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=73092"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180112-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=LDcaPstAuPk"
    },
    {
      "type": "WEB",
      "url": "http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7"
    },
    {
      "type": "WEB",
      "url": "http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95151"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037659"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9WP-3948-XG4X

Vulnerability from github – Published: 2024-07-16 12:30 – Updated: 2024-08-07 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task

Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion().

In this case, the following are the two steps in handling those I/O completions:

  • Call complete() to inform the upper layer handler of completion of the I/O.

  • Release driver resources associated with the sas_task in pm8001_ccb_task_free() call.

When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call.

Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T12:15:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n   the I/O.\n\n - Release driver resources associated with the sas_task in\n   pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering.",
  "id": "GHSA-x9wp-3948-xg4x",
  "modified": "2024-08-07T21:31:43Z",
  "published": "2024-07-16T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48792"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9X2-8G6V-P8FW

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12
VLAI
Details

An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos and Qualcomm chipsets) software. A race condition causes a Use-After-Free. The Samsung ID is SVE-2019-15067 (September 2019).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-24T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos and Qualcomm chipsets) software. A race condition causes a Use-After-Free. The Samsung ID is SVE-2019-15067 (September 2019).",
  "id": "GHSA-x9x2-8g6v-p8fw",
  "modified": "2022-05-24T17:12:23Z",
  "published": "2022-05-24T17:12:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20568"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X9XC-63HG-VCFQ

Vulnerability from github – Published: 2024-04-05 15:00 – Updated: 2025-04-01 22:59
VLAI
Summary
cassandra-rs's non-idiomatic use of iterators leads to use after free
Details

Impact

Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. Code that uses the item and then advances the iterator is unaffected. This problem has always existed.

This is a use-after-free bug, so it's rated high severity. If your code uses a pre-3.0.0 version of cassandra-rs, and uses an item returned by a cassandra-rs iterator after calling next() on that iterator, then it is vulnerable. However, such code will almost always fail immediately - so we believe it is unlikely that any code using this pattern would have reached production. For peace of mind, we recommend you upgrade anyway.

Patches

The problem has been fixed in version 3.0.0. Users should upgrade to ensure their code cannot use the problematic pattern.

Workarounds

Ensure all usage fits the expected pattern. For example, use get_first_row() rather than an iterator, or completely process an item before advancing the iterator with next().

References

None.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "cassandra-cpp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-05T15:00:55Z",
    "nvd_published_at": "2024-02-29T01:44:19Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nCode that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. Code that uses the item and then advances the iterator is unaffected. This problem has always existed.\n\nThis is a use-after-free bug, so it\u0027s rated high severity. If your code uses a pre-3.0.0 version of cassandra-rs, and uses an item returned by a cassandra-rs iterator after calling `next()` on that iterator, then it is vulnerable. However, such code will almost always fail immediately - so we believe it is unlikely that any code using this pattern would have reached production. For peace of mind, we recommend you upgrade anyway.\n\n### Patches\nThe problem has been fixed in version 3.0.0. Users should upgrade to ensure their code cannot use the problematic pattern.\n\n### Workarounds\nEnsure all usage fits the expected pattern. For example, use `get_first_row()` rather than an iterator, or completely process an item before advancing the iterator with `next()`.\n\n### References\nNone.",
  "id": "GHSA-x9xc-63hg-vcfq",
  "modified": "2025-04-01T22:59:42Z",
  "published": "2024-04-05T15:00:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27284"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Metaswitch/cassandra-rs/commit/ae054dc8044eac9c2c7ae2b1ab154b53ca7f8df7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Metaswitch/cassandra-rs"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cassandra-rs\u0027s non-idiomatic use of iterators leads to use after free"
}

GHSA-X9XH-3FFC-HR3F

Vulnerability from github – Published: 2022-05-24 16:43 – Updated: 2024-04-04 00:02
VLAI
Details

In removeInterfaceAddress of NetworkController.cpp, there is a possible use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-119496789.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-2030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-19T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In removeInterfaceAddress of NetworkController.cpp, there is a possible use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-119496789.",
  "id": "GHSA-x9xh-3ffc-hr3f",
  "modified": "2024-04-04T00:02:03Z",
  "published": "2022-05-24T16:43:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2030"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2019-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.