Common Weakness Enumeration

CWE-825

Allowed

Expired Pointer Dereference

Abstraction: Base · Status: Incomplete

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

105 vulnerabilities reference this CWE, most recent first.

GHSA-X9GX-8M8X-G5MG

Vulnerability from github – Published: 2026-06-16 15:33 – Updated: 2026-06-30 03:37
VLAI
Details

Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T13:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.",
  "id": "GHSA-x9gx-8m8x-g5mg",
  "modified": "2026-06-30T03:37:05Z",
  "published": "2026-06-16T15:33:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12293"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-12293"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2039568"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489216"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12293.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-57"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-60"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9Q5-M7GX-RF9W

Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2024-09-13 18:31
VLAI
Details

An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-13T18:15:05Z",
    "severity": "MODERATE"
  },
  "details": "An internal product security audit discovered a UEFI SMM (System Management Mode) callout vulnerability in some ThinkSystem servers that could allow a local attacker with elevated privileges to execute arbitrary code.",
  "id": "GHSA-x9q5-m7gx-rf9w",
  "modified": "2024-09-13T18:31:48Z",
  "published": "2024-09-13T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45105"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-165524"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH4V-QR89-3HJ3

Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35
VLAI
Details

Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4729"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T13:16:08Z",
    "severity": "CRITICAL"
  },
  "details": "Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 149.",
  "id": "GHSA-xh4v-qr89-3hj3",
  "modified": "2026-06-30T03:35:59Z",
  "published": "2026-03-24T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4729"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4729"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1944033%2C1997282%2C2009213%2C2011412%2C2021925%2C2022034"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450745"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4729.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHHC-R2PJ-8HH5

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset

In __iommu_group_set_domain_internal(), concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments to a multi-device group where devices might share the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in __iommu_group_set_domain_nofail().

Other IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such as __iommu_group_set_core_domain and __iommu_release_dma_ownership, should not be rejected, as the domain would be freed anyway in these nofail paths while group->domain is still pointing to it. So pci_dev_reset_iommu_done() could trigger a UAF when re-attaching group->domain.

Honor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through the group->recovery_cnt fence, so as to update the group->domain pointer. Instead add a gdev->blocked check in the device iteration loop, to prevent any concurrent per-device detachment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset\n\nIn __iommu_group_set_domain_internal(), concurrent domain attachments are\nrejected when any device in the group is recovering. This is necessary to\nfence concurrent attachments to a multi-device group where devices might\nshare the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in\n__iommu_group_set_domain_nofail().\n\nOther IOMMU_SET_DOMAIN_MUST_SUCCEED callers in detach/teardown paths, such\nas __iommu_group_set_core_domain and __iommu_release_dma_ownership, should\nnot be rejected, as the domain would be freed anyway in these nofail paths\nwhile group-\u003edomain is still pointing to it. So pci_dev_reset_iommu_done()\ncould trigger a UAF when re-attaching group-\u003edomain.\n\nHonor the IOMMU_SET_DOMAIN_MUST_SUCCEED flag, allowing the callers through\nthe group-\u003erecovery_cnt fence, so as to update the group-\u003edomain pointer.\nInstead add a gdev-\u003eblocked check in the device iteration loop, to prevent\nany concurrent per-device detachment.",
  "id": "GHSA-xhhc-r2pj-8hh5",
  "modified": "2026-06-30T03:37:11Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52952"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52952"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492422"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5474e6e17a262db45c60575c73f70210f5c7001f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fc289e809f3eb7e36cadc4684ab6fad747a5a93"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52952.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRMP-X8VM-QCMH

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-30 03:36
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs.",
  "id": "GHSA-xrmp-x8vm-qcmh",
  "modified": "2026-06-30T03:36:51Z",
  "published": "2026-05-28T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46125"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46125.json"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18fed0a209500bfea5c4c08609ec93855e4e500b"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482608"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46125"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27789"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27735"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27731"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27708"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27288"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26563"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26515"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26462"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26428"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26427"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.