CWE-825
AllowedExpired Pointer Dereference
Abstraction: Base · Status: Incomplete
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
105 vulnerabilities reference this CWE, most recent first.
GHSA-X9GX-8M8X-G5MG
Vulnerability from github – Published: 2026-06-16 15:33 – Updated: 2026-06-30 03:37Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
{
"affected": [],
"aliases": [
"CVE-2026-12293"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T13:16:29Z",
"severity": "CRITICAL"
},
"details": "Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.",
"id": "GHSA-x9gx-8m8x-g5mg",
"modified": "2026-06-30T03:37:05Z",
"published": "2026-06-16T15:33:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12293"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12293"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2039568"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489216"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12293.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-57"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-60"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9Q5-M7GX-RF9W
Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2024-09-13 18:31An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2024-45105"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T18:15:05Z",
"severity": "MODERATE"
},
"details": "An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.",
"id": "GHSA-x9q5-m7gx-rf9w",
"modified": "2024-09-13T18:31:48Z",
"published": "2024-09-13T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45105"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-165524"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XH4V-QR89-3HJ3
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.
{
"affected": [],
"aliases": [
"CVE-2026-4729"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:08Z",
"severity": "CRITICAL"
},
"details": "Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 149.",
"id": "GHSA-xh4v-qr89-3hj3",
"modified": "2026-06-30T03:35:59Z",
"published": "2026-03-24T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4729"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4729"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1944033%2C1997282%2C2009213%2C2011412%2C2021925%2C2022034"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450745"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4729.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHHC-R2PJ-8HH5
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail().
Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain.
Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.
{
"affected": [],
"aliases": [
"CVE-2026-52952"
],
"database_specific": {
"cwe_ids": [
"CWE-617",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset\n\nIn __iommu_group_set_domain_internal(), concurrent domain attachments are\nrejected when any device in the group is recovering. This is necessary to\nfence concurrent attachments to a multi-device group where devices might\nshare the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in\n__iommu_group_set_domain_nofail().\n\nOther IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such\nas __iommu_group_set_core_domain and __iommu_release_dma_ownership, should\nnot be rejected, as the domain would be freed anyway in these nofail paths\nwhile group-\u003edomain is still pointing to it. So pci_dev_reset_iommu_done()\ncould trigger a UAF when re-attaching group-\u003edomain.\n\nHonor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through\nthe group-\u003erecovery_cnt fence, so as to update the group-\u003edomain pointer.\nInstead add a gdev-\u003eblocked check in the device iteration loop, to prevent\nany concurrent per-device detachment.",
"id": "GHSA-xhhc-r2pj-8hh5",
"modified": "2026-06-30T03:37:11Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52952"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52952"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492422"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5474e6e17a262db45c60575c73f70210f5c7001f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8fc289e809f3eb7e36cadc4684ab6fad747a5a93"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52952.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRMP-X8VM-QCMH
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: remove station if connection prep fails
If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.
This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.
{
"affected": [],
"aliases": [
"CVE-2026-46125"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs.",
"id": "GHSA-xrmp-x8vm-qcmh",
"modified": "2026-06-30T03:36:51Z",
"published": "2026-05-28T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46125"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46125.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18fed0a209500bfea5c4c08609ec93855e4e500b"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482608"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46125"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.