CWE-763
AllowedRelease of Invalid Pointer or Reference
Abstraction: Base · Status: Incomplete
The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
109 vulnerabilities reference this CWE, most recent first.
GHSA-968G-C3P8-6HVF
Vulnerability from github – Published: 2022-08-07 00:00 – Updated: 2022-08-12 00:01Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.
{
"affected": [],
"aliases": [
"CVE-2022-37451"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-06T18:15:00Z",
"severity": "HIGH"
},
"details": "Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.",
"id": "GHSA-968g-c3p8-6hvf",
"modified": "2022-08-12T00:01:27Z",
"published": "2022-08-07T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37451"
},
{
"type": "WEB",
"url": "https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/762.html"
},
{
"type": "WEB",
"url": "https://github.com/Exim/exim/compare/exim-4.95...exim-4.96"
},
{
"type": "WEB",
"url": "https://github.com/Exim/exim/wiki/EximSecurity"
},
{
"type": "WEB",
"url": "https://github.com/ivd38/exim_invalid_free"
},
{
"type": "WEB",
"url": "https://lists.exim.org/lurker/message/20220625.141825.d6de6074.en.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LETR5CVDPFOFQHXCJP6NFLG52JZHQYDY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XSWDF4QEXD4TDWQLYQOWCHBJKTDQR4Z7"
},
{
"type": "WEB",
"url": "https://www.exim.org/static/doc/security"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2022/08/06/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-96HG-7P79-GGX2
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-07-15 03:32In the Linux kernel, the following vulnerability has been resolved:
xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:
BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435
Workqueue: netns cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush xfrm_state_fini ops_exit_list cleanup_net
The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.
__xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:
if (x->km.seq)
hlist_del_rcu(&x->byseq);
if (x->id.spi)
hlist_del_rcu(&x->byspi);
while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.
The defensive change here:
- Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc().
- Test hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields.
Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.
Reproduction:
- Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
- syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
- 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
- 9 unique signatures collected in ~9h, all within xfrm_state lifecycle
{
"affected": [],
"aliases": [
"CVE-2026-46116"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:27Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: defensively unhash xfrm_state lists in __xfrm_state_delete\n\nKASAN reproduces a slab-use-after-free in __xfrm_state_delete()\u0027s\nhlist_del_rcu calls under syzkaller load on linux-6.12.y stable\n(reproduced on 6.12.47, also reachable via the same code path on\ntorvalds/master and on the ipsec tree). Nine unique signatures cluster\nin the xfrm_state lifecycle, the load-bearing one being:\n\n BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]\n BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]\n BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c\n Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435\n\n Workqueue: netns cleanup_net\n Call Trace:\n __hlist_del / hlist_del_rcu\n __xfrm_state_delete\n xfrm_state_delete\n xfrm_state_flush\n xfrm_state_fini\n ops_exit_list\n cleanup_net\n\nThe other observed signatures hit the same slab object from\n__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB\nwrite variant of __xfrm_state_delete, all on the byseq/byspi\nhash chains.\n\n__xfrm_state_delete() guards its byseq and byspi unhashes with\nvalue-based predicates:\n\n\tif (x-\u003ekm.seq)\n\t\thlist_del_rcu(\u0026x-\u003ebyseq);\n\tif (x-\u003eid.spi)\n\t\thlist_del_rcu(\u0026x-\u003ebyspi);\n\nwhile everywhere else in the file (e.g. state_cache, state_cache_input)\nthe safer hlist_unhashed() check is used. xfrm_alloc_spi() sets\nx-\u003eid.spi = newspi inside xfrm_state_lock and then immediately inserts\ninto byspi, but a path that observes x-\u003eid.spi != 0 outside of\nxfrm_state_lock can still skip-or-hit the byspi unhash inconsistently\nwith whether x is actually on the list. The same holds for x-\u003ekm.seq\nversus byseq, and the bydst/bysrc unhashes have no predicate at all,\nso a second __xfrm_state_delete() on the same object writes through\nLIST_POISON pprev.\n\nThe defensive change here:\n\n - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,\n bysrc, byseq and byspi so a second deletion is a no-op rather\n than a write through LIST_POISON pprev. The byseq/byspi nodes\n are already initialised in xfrm_state_alloc().\n - Test hlist_unhashed() rather than the value predicate for\n byseq/byspi, so the unhash decision tracks list state rather than\n mutable scalar fields.\n\nEmpirical verification: applied this patch on top of v6.12.47, rebuilt,\nand re-ran the same syzkaller harness for 1h16m on a previously-crashy\nconfiguration that produced ~100 hits each of slab-use-after-free\nRead in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in\n__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at\n~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo\nconfirms the xfrm_state slab is actively allocated and freed during\nthe run (~143 KiB resident), so the fuzzer is still exercising those\ncode paths -- they just no longer crash.\n\nReproduction:\n\n - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV\n - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db\n - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal\n - 9 unique signatures collected in ~9h, all within xfrm_state\n lifecycle",
"id": "GHSA-96hg-7p79-ggx2",
"modified": "2026-07-15T03:32:35Z",
"published": "2026-05-28T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46116"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36018"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39179"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39180"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39371"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46116"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482523"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14acf9652e5690de3c7486c6db5fb8dafd0a32a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26edb0a3c99f9d958c212be68b21f1221614dcf0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2c617848ae6e4f07a3e397f604208c293bbecacc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3943fcad7694a7d0b15aeabe7d3cc2a2eb8e92e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4980162de555cb838f1a189ce7d2cbf5d2e7b050"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2e2d08fb070fab4947447171f1c4e3ca5a188e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4a53add2fa8f1b5aa17d4c5686c320785fab182"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46116.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9MH7-9QXG-6FPQ
Vulnerability from github – Published: 2023-04-16 00:30 – Updated: 2024-04-04 03:29libdwarf before 20201017 has a one-byte out-of-bounds read because of an invalid pointer dereference via an invalid line table in a crafted object.
{
"affected": [],
"aliases": [
"CVE-2020-27545"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T00:15:00Z",
"severity": "MODERATE"
},
"details": "libdwarf before 20201017 has a one-byte out-of-bounds read because of an invalid pointer dereference via an invalid line table in a crafted object.",
"id": "GHSA-9mh7-9qxg-6fpq",
"modified": "2024-04-04T03:29:18Z",
"published": "2023-04-16T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27545"
},
{
"type": "WEB",
"url": "https://github.com/davea42/libdwarf-code/commit/95f634808c01f1c61bbec56ed2395af997f397ea"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025694"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/libdwarf"
},
{
"type": "WEB",
"url": "https://www.prevanders.net/dwarfbug.html#DW202010-001"
},
{
"type": "WEB",
"url": "http://web.archive.org/web/20190601140703/https://sourceforge.net/projects/libdwarf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9W2R-P3QJ-G3GM
Vulnerability from github – Published: 2024-02-06 06:30 – Updated: 2024-02-06 06:30Memory corruption while reading ACPI config through the user mode app.
{
"affected": [],
"aliases": [
"CVE-2023-43532"
],
"database_specific": {
"cwe_ids": [
"CWE-763",
"CWE-822"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T06:16:02Z",
"severity": "HIGH"
},
"details": "Memory corruption while reading ACPI config through the user mode app.",
"id": "GHSA-9w2r-p3qj-g3gm",
"modified": "2024-02-06T06:30:32Z",
"published": "2024-02-06T06:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43532"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8R3-59P8-GP8Q
Vulnerability from github – Published: 2025-09-23 15:31 – Updated: 2025-09-23 15:31In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix crash during module load unload test
During purex packet handling the driver was incorrectly freeing a pre-allocated structure. Fix this by skipping that entry.
System crashed with the following stack during a module unload test.
Call Trace: sbitmap_init_node+0x7f/0x1e0 sbitmap_queue_init_node+0x24/0x150 blk_mq_init_bitmaps+0x3d/0xa0 blk_mq_init_tags+0x68/0x90 blk_mq_alloc_map_and_rqs+0x44/0x120 blk_mq_alloc_set_map_and_rqs+0x63/0x150 blk_mq_alloc_tag_set+0x11b/0x230 scsi_add_host_with_dma.cold+0x3f/0x245 qla2x00_probe_one+0xd5a/0x1b80 [qla2xxx]
Call Trace with slub_debug and debug kernel: kasan_report_invalid_free+0x50/0x80 __kasan_slab_free+0x137/0x150 slab_free_freelist_hook+0xc6/0x190 kfree+0xe8/0x2e0 qla2x00_free_device+0x3bb/0x5d0 [qla2xxx] qla2x00_remove_one+0x668/0xcf0 [qla2xxx]
{
"affected": [],
"aliases": [
"CVE-2022-49160"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash during module load unload test\n\nDuring purex packet handling the driver was incorrectly freeing a\npre-allocated structure. Fix this by skipping that entry.\n\nSystem crashed with the following stack during a module unload test.\n\nCall Trace:\n\tsbitmap_init_node+0x7f/0x1e0\n\tsbitmap_queue_init_node+0x24/0x150\n\tblk_mq_init_bitmaps+0x3d/0xa0\n\tblk_mq_init_tags+0x68/0x90\n\tblk_mq_alloc_map_and_rqs+0x44/0x120\n\tblk_mq_alloc_set_map_and_rqs+0x63/0x150\n\tblk_mq_alloc_tag_set+0x11b/0x230\n\tscsi_add_host_with_dma.cold+0x3f/0x245\n\tqla2x00_probe_one+0xd5a/0x1b80 [qla2xxx]\n\nCall Trace with slub_debug and debug kernel:\n\tkasan_report_invalid_free+0x50/0x80\n\t__kasan_slab_free+0x137/0x150\n\tslab_free_freelist_hook+0xc6/0x190\n\tkfree+0xe8/0x2e0\n\tqla2x00_free_device+0x3bb/0x5d0 [qla2xxx]\n\tqla2x00_remove_one+0x668/0xcf0 [qla2xxx]",
"id": "GHSA-c8r3-59p8-gp8q",
"modified": "2025-09-23T15:31:07Z",
"published": "2025-09-23T15:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49160"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0972252450f90db56dd5415a20e2aec21a08d036"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/213e57b42537f1a2e5395caa9d7189854133ed12"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67f744f73eba870ab96411d0310e831a4adc3713"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b7eb92dac240ab3bc83e188d83a3df834b41eb2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CCPM-2WGC-2RP2
Vulnerability from github – Published: 2022-10-19 12:00 – Updated: 2022-10-22 12:00Information disclosure due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2022-25662"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T11:15:00Z",
"severity": "HIGH"
},
"details": "Information disclosure due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables",
"id": "GHSA-ccpm-2wgc-2rp2",
"modified": "2022-10-22T12:00:29Z",
"published": "2022-10-19T12:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25662"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4PH-WXVJ-8J8G
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-36224"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.",
"id": "GHSA-f4ph-wxvj-8j8g",
"modified": "2022-05-24T17:40:17Z",
"published": "2022-05-24T17:40:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36224"
},
{
"type": "WEB",
"url": "https://bugs.openldap.org/show_bug.cgi?id=9409"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/554dff1927176579d652f2fe60c90e9abbad4c65"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/c0b61a9486508e5202aa2e0cfb68c9813731b439"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/d169e7958a3e0dc70f59c8374bf8a59833b7bdd8"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210226-0002"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212529"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212530"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212531"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4845"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/64"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/65"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/70"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F543-5X5H-5X35
Vulnerability from github – Published: 2023-01-09 09:30 – Updated: 2023-01-13 03:30Denial of service in MODEM due to improper pointer handling
{
"affected": [],
"aliases": [
"CVE-2022-25725"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-09T08:15:00Z",
"severity": "MODERATE"
},
"details": "Denial of service in MODEM due to improper pointer handling",
"id": "GHSA-f543-5x5h-5x35",
"modified": "2023-01-13T03:30:18Z",
"published": "2023-01-09T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25725"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5CJ-6CMJ-4FH4
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29Mozilla developers reported memory safety bugs present in Firefox 80. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81.
{
"affected": [],
"aliases": [
"CVE-2020-15674"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-01T19:15:00Z",
"severity": "HIGH"
},
"details": "Mozilla developers reported memory safety bugs present in Firefox 80. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 81.",
"id": "GHSA-f5cj-6cmj-4fh4",
"modified": "2022-05-24T17:29:55Z",
"published": "2022-05-24T17:29:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15674"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1656063%2C1656064%2C1656067%2C1660293"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-42"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FH5C-QMVH-M75J
Vulnerability from github – Published: 2022-10-19 12:00 – Updated: 2022-10-22 12:00Memory corruption due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2022-25661"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T11:15:00Z",
"severity": "HIGH"
},
"details": "Memory corruption due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-fh5c-qmvh-m75j",
"modified": "2022-10-22T12:00:28Z",
"published": "2022-10-19T12:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25661"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().
Mitigation
When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.
Mitigation MIT-4.6
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, glibc in Linux provides protection against free of invalid pointers.
Mitigation
Use a language that provides abstractions for memory allocation and deallocation.
No CAPEC attack patterns related to this CWE.