CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-XG7J-75JQ-GM7F
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2022-05-13 01:09An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.
{
"affected": [],
"aliases": [
"CVE-2019-10125"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-27T06:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.",
"id": "GHSA-xg7j-75jq-gm7f",
"modified": "2022-05-13T01:09:55Z",
"published": "2022-05-13T01:09:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10125"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/patch/10828359"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190411-0003"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K29215970"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107655"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG7P-G635-VRG9
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05An issue was discovered in JerryScript 2.4.0. There is a heap-use-after-free in ecma_bytecode_ref in ecma-helpers.c file.
{
"affected": [],
"aliases": [
"CVE-2021-26199"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T23:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in JerryScript 2.4.0. There is a heap-use-after-free in ecma_bytecode_ref in ecma-helpers.c file.",
"id": "GHSA-xg7p-g635-vrg9",
"modified": "2022-05-24T19:05:12Z",
"published": "2022-05-24T19:05:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26199"
},
{
"type": "WEB",
"url": "https://github.com/jerryscript-project/jerryscript/issues/4056"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XG88-J2C7-G852
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
greybus: raw: fix use-after-free if write is called after disconnect
If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace (with CONFIG_INIT_ON_FREE_DEFAULT_ON=y):
BUG: kernel NULL pointer dereference, address: 0000000000000218
...
Call Trace:
<TASK>
gb_operation_create_common+0x61/0x180
gb_operation_create_flags+0x28/0xa0
gb_operation_sync_timeout+0x6f/0x100
raw_write+0x7b/0xc7 [gb_raw]
vfs_write+0xcf/0x420
? task_mm_cid_work+0x136/0x220
ksys_write+0x63/0xe0
do_syscall_64+0xa4/0x290
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Disconnect calls gb_connection_destroy, which ends up freeing the connection object. When gb_operation_sync is called in the write file operations, its gets a freed connection as parameter and the kernel panics.
The gb_connection_destroy cannot be moved out of the disconnect function, as the Greybus subsystem expect all connections belonging to a bundle to be destroyed when disconnect returns.
To prevent this bug, use a rw lock to synchronize access between write and disconnect. This guarantees that the write function doesn't try to use a disconnected connection.
{
"affected": [],
"aliases": [
"CVE-2026-53024"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:13Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: raw: fix use-after-free if write is called after disconnect\n\nIf a user writes to the chardev after disconnect has been called, the\nkernel panics with the following trace (with\nCONFIG_INIT_ON_FREE_DEFAULT_ON=y):\n\n BUG: kernel NULL pointer dereference, address: 0000000000000218\n ...\n Call Trace:\n \u003cTASK\u003e\n gb_operation_create_common+0x61/0x180\n gb_operation_create_flags+0x28/0xa0\n gb_operation_sync_timeout+0x6f/0x100\n raw_write+0x7b/0xc7 [gb_raw]\n vfs_write+0xcf/0x420\n ? task_mm_cid_work+0x136/0x220\n ksys_write+0x63/0xe0\n do_syscall_64+0xa4/0x290\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDisconnect calls gb_connection_destroy, which ends up freeing the\nconnection object. When gb_operation_sync is called in the write file\noperations, its gets a freed connection as parameter and the kernel\npanics.\n\nThe gb_connection_destroy cannot be moved out of the disconnect\nfunction, as the Greybus subsystem expect all connections belonging to a\nbundle to be destroyed when disconnect returns.\n\nTo prevent this bug, use a rw lock to synchronize access between write\nand disconnect. This guarantees that the write function doesn\u0027t try\nto use a disconnected connection.",
"id": "GHSA-xg88-j2c7-g852",
"modified": "2026-06-28T09:31:39Z",
"published": "2026-06-24T18:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53024"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48d6c32bc049abd114e8f0836c0e7d7cbfba7827"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84265cbd96b97058ef67e3f8be3933667a000835"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGF8-98PJ-CM5C
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2025-11-04 18:30An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.
{
"affected": [],
"aliases": [
"CVE-2021-43400"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-04T23:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.",
"id": "GHSA-xgf8-98pj-cm5c",
"modified": "2025-11-04T18:30:35Z",
"published": "2022-05-24T19:19:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43400"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XGMF-QCP6-M7MC
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-8224"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-17T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-xgmf-qcp6-m7mc",
"modified": "2022-05-24T16:59:26Z",
"published": "2022-05-24T16:59:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8224"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XGQ2-HC7C-VJ94
Vulnerability from github – Published: 2024-05-08 00:31 – Updated: 2024-05-08 00:31Foxit PDF Editor Ink Annotation Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14363.
{
"affected": [],
"aliases": [
"CVE-2021-34961"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T23:15:10Z",
"severity": "HIGH"
},
"details": "Foxit PDF Editor Ink Annotation Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14363.",
"id": "GHSA-xgq2-hc7c-vj94",
"modified": "2024-05-08T00:31:14Z",
"published": "2024-05-08T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34961"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1192"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGR2-4F4Q-M3P9
Vulnerability from github – Published: 2023-11-14 15:30 – Updated: 2024-08-27 15:32A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.
We recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.
{
"affected": [],
"aliases": [
"CVE-2023-6111"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T14:15:29Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability in the Linux kernel\u0027s netfilter: nf_tables component can be exploited to achieve local privilege escalation.\n\nThe function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times.\n\nWe recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.\n\n",
"id": "GHSA-xgr2-4f4q-m3p9",
"modified": "2024-08-27T15:32:42Z",
"published": "2023-11-14T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6111"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93995bf4af2c5a99e2a87f0cd5ce547d31eb7630"
},
{
"type": "WEB",
"url": "https://kernel.dance/93995bf4af2c5a99e2a87f0cd5ce547d31eb7630"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OXWBKK7RTQOGGDLQGCZFS753VLGS2GD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S55P23EYAWDHXZPJEVTGIRZZRICYI3Z"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IG6IF3FUY7LVZJMFRPANAU4L4PSJ3ESQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YQ7JVDEDZV5SNHG5EW7RHKK2ZN56HSGB"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH27-567V-J74R
Vulnerability from github – Published: 2023-04-12 21:30 – Updated: 2024-04-04 03:25A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.
{
"affected": [],
"aliases": [
"CVE-2023-1990"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T20:15:00Z",
"severity": "MODERATE"
},
"details": "A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow an attacker to crash the system due to a race problem.",
"id": "GHSA-xh27-567v-j74r",
"modified": "2024-04-04T03:25:42Z",
"published": "2023-04-12T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1990"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20230312160837.2040857-1-zyytlz.wz%40163.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20230312160837.2040857-1-zyytlz.wz@163.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH2P-5693-W8R8
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17Use after free in Performance Manager in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-37962"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-08T22:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Performance Manager in Google Chrome prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-xh2p-5693-w8r8",
"modified": "2022-05-24T19:17:07Z",
"published": "2022-05-24T19:17:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37962"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_21.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1231933"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5046"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XH36-8Q3W-G243
Vulnerability from github – Published: 2024-01-21 12:30 – Updated: 2025-11-04 21:31A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.
{
"affected": [],
"aliases": [
"CVE-2023-6531"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-21T10:15:07Z",
"severity": "HIGH"
},
"details": "A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector\u0027s deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.",
"id": "GHSA-xh36-8q3w-g243",
"modified": "2025-11-04T21:31:04Z",
"published": "2024-01-21T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6531"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2394"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-6531"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253034"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176533/Linux-Broken-Unix-GC-Interaction-Use-After-Free.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.