Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9807 vulnerabilities reference this CWE, most recent first.

GHSA-XVXW-65R3-5RCF

Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-15 21:30
VLAI
Details

Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages.

Physical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T22:16:50Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages.\n\n\n\nPhysical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.",
  "id": "GHSA-xvxw-65r3-5rcf",
  "modified": "2026-06-15T21:30:32Z",
  "published": "2026-06-13T00:34:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41158"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVXX-VRH7-XH3V

Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2025-04-20 03:36
VLAI
Details

A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-24T23:59:00Z",
    "severity": "HIGH"
  },
  "details": "A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.",
  "id": "GHSA-xvxx-vrh7-xh3v",
  "modified": "2025-04-20T03:36:50Z",
  "published": "2022-05-14T03:19:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5031"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1328762"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/682020"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201704-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-14"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3810"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96767"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98326"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW54-M5G5-FQCG

Vulnerability from github – Published: 2025-09-16 18:31 – Updated: 2025-12-02 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix use-after-free

Fix potential use-after-free in l2cap_le_command_rej.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T17:15:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free\n\nFix potential use-after-free in l2cap_le_command_rej.",
  "id": "GHSA-xw54-m5g5-fqcg",
  "modified": "2025-12-02T00:31:10Z",
  "published": "2025-09-16T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53305"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/149daab45922ab1ac7f0cbeacab7251a46bf5e63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a40c56e8bff3e424724d78a9a6b3272dd8a371d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/255be68150291440657b2cdb09420b69441af3d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/548a6b64b3c0688f01119a6fcccceb41f8c984e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e76bab1b7afa580cd76362540fc37551ada4359b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f752a0b334bb95fe9b42ecb511e0864e2768046f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe49aa73cca6608714477b74bfc6874b9db979df"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW76-QW2J-V4FP

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-28 00:00
VLAI
Details

Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-xw76-qw2j-v4fp",
  "modified": "2022-07-28T00:00:48Z",
  "published": "2022-07-26T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1311"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1310717"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW77-7RCC-VW8Q

Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30
VLAI
Details

Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T20:17:20Z",
    "severity": "HIGH"
  },
  "details": "Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-xw77-7rcc-vw8q",
  "modified": "2026-05-14T21:30:47Z",
  "published": "2026-05-14T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8581"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/497292072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWF4-4P9V-22FP

Vulnerability from github – Published: 2025-08-11 06:30 – Updated: 2025-08-11 06:30
VLAI
Details

in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-11T04:15:33Z",
    "severity": "HIGH"
  },
  "details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free.",
  "id": "GHSA-xwf4-4p9v-22fp",
  "modified": "2025-08-11T06:30:30Z",
  "published": "2025-08-11T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24298"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-07.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWQP-VX4G-WQCC

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 12:31
VLAI
Details

Use after free in XML in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:52Z",
    "severity": "HIGH"
  },
  "details": "Use after free in XML in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-xwqp-vx4g-wqcc",
  "modified": "2026-05-29T12:31:24Z",
  "published": "2026-05-29T00:38:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9947"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/503627446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWRF-HHX9-VMHV

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-09-23 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests

The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice.

   CPU 1                                  CPU 2

rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1

         process_one_req(): for #1
                      addr_handler():
                        RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND
                        mutex_unlock(&id_priv->handler_mutex);
                        [.. handler still running ..]

rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list

rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel()

                      // process_one_req() self removes it
              spin_lock_bh(&lock);
                       cancel_delayed_work(&req->work);
                   if (!list_empty(&req->list)) == true

  ! rdma_addr_cancel() returns after process_on_req #1 is done

kfree(id_priv)

         process_one_req(): for #2
                      addr_handler():
                    mutex_lock(&id_priv->handler_mutex);
                        !! Use after free on id_priv

rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the req_list can have two reqs for the same "handle" but rdma_addr_cancel() only cancels the first one.

The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers.

Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:24Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\n\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\n\n       CPU 1                                  CPU 2\n\nrdma_resolve_addr():\n  RDMA_CM_IDLE -\u003e RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)  #1\n\n\t\t\t process_one_req(): for #1\n                          addr_handler():\n                            RDMA_CM_ADDR_QUERY -\u003e RDMA_CM_ADDR_BOUND\n                            mutex_unlock(\u0026id_priv-\u003ehandler_mutex);\n                            [.. handler still running ..]\n\nrdma_resolve_addr():\n  RDMA_CM_ADDR_BOUND -\u003e RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)\n    !! two requests are now on the req_list\n\nrdma_destroy_id():\n destroy_id_handler_unlock():\n  _destroy_id():\n   cma_cancel_operation():\n    rdma_addr_cancel()\n\n                          // process_one_req() self removes it\n\t\t          spin_lock_bh(\u0026lock);\n                           cancel_delayed_work(\u0026req-\u003ework);\n\t                   if (!list_empty(\u0026req-\u003elist)) == true\n\n      ! rdma_addr_cancel() returns after process_on_req #1 is done\n\n   kfree(id_priv)\n\n\t\t\t process_one_req(): for #2\n                          addr_handler():\n\t                    mutex_lock(\u0026id_priv-\u003ehandler_mutex);\n                            !! Use after free on id_priv\n\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\n\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\n\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn\u0027t cost anything in the normal flow\nthat never uses this strange error path.",
  "id": "GHSA-xwrf-hhx9-vmhv",
  "modified": "2025-09-23T21:30:53Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47391"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03d884671572af8bcfbc9e63944c1021efce7589"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/305d568b72f17f674155a2a8275f865f207b3808"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a085fa9b7d644a234465091e038c1911e1a4f2a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWVH-FXHH-3QRR

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-01-14 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: sched: flower: protect fl_walk() with rcu

Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters which causes following use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain rcu read lock while iterating and taking the filter reference and temporary release the lock while calling arg->fn() callback that can sleep.

KASAN trace:

[ 352.773640] ================================================================== [ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] [ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987

[ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 [ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 352.781022] Call Trace: [ 352.781573] dump_stack_lvl+0x46/0x5a [ 352.782332] print_address_description.constprop.0+0x1f/0x140 [ 352.783400] ? fl_walk+0x159/0x240 [cls_flower] [ 352.784292] ? fl_walk+0x159/0x240 [cls_flower] [ 352.785138] kasan_report.cold+0x83/0xdf [ 352.785851] ? fl_walk+0x159/0x240 [cls_flower] [ 352.786587] kasan_check_range+0x145/0x1a0 [ 352.787337] fl_walk+0x159/0x240 [cls_flower] [ 352.788163] ? fl_put+0x10/0x10 [cls_flower] [ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.790102] tcf_chain_dump+0x231/0x450 [ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170 [ 352.791833] ? __might_sleep+0x2e/0xc0 [ 352.792594] ? tfilter_notify+0x170/0x170 [ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.794477] tc_dump_tfilter+0x385/0x4b0 [ 352.795262] ? tc_new_tfilter+0x1180/0x1180 [ 352.796103] ? __mod_node_page_state+0x1f/0xc0 [ 352.796974] ? __build_skb_around+0x10e/0x130 [ 352.797826] netlink_dump+0x2c0/0x560 [ 352.798563] ? netlink_getsockopt+0x430/0x430 [ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.800542] __netlink_dump_start+0x356/0x440 [ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550 [ 352.802190] ? tc_new_tfilter+0x1180/0x1180 [ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.803668] ? tc_new_tfilter+0x1180/0x1180 [ 352.804344] ? _copy_from_iter_nocache+0x800/0x800 [ 352.805202] ? kasan_set_track+0x1c/0x30 [ 352.805900] netlink_rcv_skb+0xc6/0x1f0 [ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0 [ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.808324] ? netlink_ack+0x4d0/0x4d0 [ 352.809086] ? netlink_deliver_tap+0x62/0x3d0 [ 352.809951] netlink_unicast+0x353/0x480 [ 352.810744] ? netlink_attachskb+0x430/0x430 [ 352.811586] ? __alloc_skb+0xd7/0x200 [ 352.812349] netlink_sendmsg+0x396/0x680 [ 352.813132] ? netlink_unicast+0x480/0x480 [ 352.813952] ? __import_iovec+0x192/0x210 [ 352.814759] ? netlink_unicast+0x480/0x480 [ 352.815580] sock_sendmsg+0x6c/0x80 [ 352.816299] _syssendmsg+0x3a5/0x3c0 [ 352.817096] ? kernel_sendmsg+0x30/0x30 [ 352.817873] ? ia32_sys_recvmmsg+0x150/0x150 [ 352.818753] syssendmsg+0xd8/0x140 [ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110 [ 352.820402] ? _sys_recvmsg+0xf4/0x1a0 [ 352.821110] ? __copy_msghdr_from_user+0x260/0x260 [ 352.821934] ? _raw_spin_lock+0x81/0xd0 [ 352.822680] ? __handle_mm_fault+0xef3/0x1b20 [ 352.823549] ? rb_insert_color+0x2a/0x270 [ 352.824373] ? copy_page_range+0x16b0/0x16b0 [ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0 [ 352.826190] ? __fget_light+0xd9/0xf0 [ 352.826941] __sys_sendmsg+0xb3/0x130 [ 352.827613] ? __sys_sendmsg_sock+0x20/0x20 [ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0 [ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60 [ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160 [ 352.830845] do_syscall_64+0x35/0x80 [ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 352.832331] RIP: 0033:0x7f7bee973c17 [ ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:25Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: flower: protect fl_walk() with rcu\n\nPatch that refactored fl_walk() to use idr_for_each_entry_continue_ul()\nalso removed rcu protection of individual filters which causes following\nuse-after-free when filter is deleted concurrently. Fix fl_walk() to obtain\nrcu read lock while iterating and taking the filter reference and temporary\nrelease the lock while calling arg-\u003efn() callback that can sleep.\n\nKASAN trace:\n\n[  352.773640] ==================================================================\n[  352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower]\n[  352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987\n\n[  352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2\n[  352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  352.781022] Call Trace:\n[  352.781573]  dump_stack_lvl+0x46/0x5a\n[  352.782332]  print_address_description.constprop.0+0x1f/0x140\n[  352.783400]  ? fl_walk+0x159/0x240 [cls_flower]\n[  352.784292]  ? fl_walk+0x159/0x240 [cls_flower]\n[  352.785138]  kasan_report.cold+0x83/0xdf\n[  352.785851]  ? fl_walk+0x159/0x240 [cls_flower]\n[  352.786587]  kasan_check_range+0x145/0x1a0\n[  352.787337]  fl_walk+0x159/0x240 [cls_flower]\n[  352.788163]  ? fl_put+0x10/0x10 [cls_flower]\n[  352.789007]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[  352.790102]  tcf_chain_dump+0x231/0x450\n[  352.790878]  ? tcf_chain_tp_delete_empty+0x170/0x170\n[  352.791833]  ? __might_sleep+0x2e/0xc0\n[  352.792594]  ? tfilter_notify+0x170/0x170\n[  352.793400]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[  352.794477]  tc_dump_tfilter+0x385/0x4b0\n[  352.795262]  ? tc_new_tfilter+0x1180/0x1180\n[  352.796103]  ? __mod_node_page_state+0x1f/0xc0\n[  352.796974]  ? __build_skb_around+0x10e/0x130\n[  352.797826]  netlink_dump+0x2c0/0x560\n[  352.798563]  ? netlink_getsockopt+0x430/0x430\n[  352.799433]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[  352.800542]  __netlink_dump_start+0x356/0x440\n[  352.801397]  rtnetlink_rcv_msg+0x3ff/0x550\n[  352.802190]  ? tc_new_tfilter+0x1180/0x1180\n[  352.802872]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  352.803668]  ? tc_new_tfilter+0x1180/0x1180\n[  352.804344]  ? _copy_from_iter_nocache+0x800/0x800\n[  352.805202]  ? kasan_set_track+0x1c/0x30\n[  352.805900]  netlink_rcv_skb+0xc6/0x1f0\n[  352.806587]  ? rht_deferred_worker+0x6b0/0x6b0\n[  352.807455]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  352.808324]  ? netlink_ack+0x4d0/0x4d0\n[  352.809086]  ? netlink_deliver_tap+0x62/0x3d0\n[  352.809951]  netlink_unicast+0x353/0x480\n[  352.810744]  ? netlink_attachskb+0x430/0x430\n[  352.811586]  ? __alloc_skb+0xd7/0x200\n[  352.812349]  netlink_sendmsg+0x396/0x680\n[  352.813132]  ? netlink_unicast+0x480/0x480\n[  352.813952]  ? __import_iovec+0x192/0x210\n[  352.814759]  ? netlink_unicast+0x480/0x480\n[  352.815580]  sock_sendmsg+0x6c/0x80\n[  352.816299]  ____sys_sendmsg+0x3a5/0x3c0\n[  352.817096]  ? kernel_sendmsg+0x30/0x30\n[  352.817873]  ? __ia32_sys_recvmmsg+0x150/0x150\n[  352.818753]  ___sys_sendmsg+0xd8/0x140\n[  352.819518]  ? sendmsg_copy_msghdr+0x110/0x110\n[  352.820402]  ? ___sys_recvmsg+0xf4/0x1a0\n[  352.821110]  ? __copy_msghdr_from_user+0x260/0x260\n[  352.821934]  ? _raw_spin_lock+0x81/0xd0\n[  352.822680]  ? __handle_mm_fault+0xef3/0x1b20\n[  352.823549]  ? rb_insert_color+0x2a/0x270\n[  352.824373]  ? copy_page_range+0x16b0/0x16b0\n[  352.825209]  ? perf_event_update_userpage+0x2d0/0x2d0\n[  352.826190]  ? __fget_light+0xd9/0xf0\n[  352.826941]  __sys_sendmsg+0xb3/0x130\n[  352.827613]  ? __sys_sendmsg_sock+0x20/0x20\n[  352.828377]  ? do_user_addr_fault+0x2c5/0x8a0\n[  352.829184]  ? fpregs_assert_state_consistent+0x52/0x60\n[  352.830001]  ? exit_to_user_mode_prepare+0x32/0x160\n[  352.830845]  do_syscall_64+0x35/0x80\n[  352.831445]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  352.832331] RIP: 0033:0x7f7bee973c17\n[ \n---truncated---",
  "id": "GHSA-xwvh-fxhh-3qrr",
  "modified": "2025-01-14T18:31:49Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47402"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/694b0cee7f8546b69a80996a29cb3cf4149c0453"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0d520c19e7ea19ed38dc5797b12397b6ccf9f88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5ef190693a7d76c5c192d108e8dec48307b46ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dab4677bdbffa5c8270e79e34e51c89efa0728a0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX49-HMRJ-2WM5

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00
VLAI
Details

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.",
  "id": "GHSA-xx49-hmrj-2wm5",
  "modified": "2022-11-02T19:00:28Z",
  "published": "2022-11-02T12:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32914"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213443"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213444"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213446"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213486"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213487"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.