Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-MR3G-8VQM-6MHQ

Vulnerability from github – Published: 2024-07-16 15:30 – Updated: 2024-07-23 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mISDN: Fix memory leak in dsp_pipeline_build()

dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL.

Found by Linux Driver Verification project (linuxtesting.org) with SVACE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T13:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix memory leak in dsp_pipeline_build()\n\ndsp_pipeline_build() allocates dup pointer by kstrdup(cfg),\nbut then it updates dup variable by strsep(\u0026dup, \"|\").\nAs a result when it calls kfree(dup), the dup variable contains NULL.\n\nFound by Linux Driver Verification project (linuxtesting.org) with SVACE.",
  "id": "GHSA-mr3g-8vqm-6mhq",
  "modified": "2024-07-23T15:31:08Z",
  "published": "2024-07-16T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48863"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/640445d6fc059d4514ffea79eb4196299e0e2d0f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7777b1f795af1bb43867375d8a776080111aae1b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3d5fcc6cf2ecbba5a269631092570aa285a24cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6a502c2299941c8326d029cfc8a3bc8a4607ad5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR4J-H79V-VCP9

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: strparser: fix skb_head leak in strp_abort_strp()

When the stream parser is aborted, for example after a message assembly timeout, it can still hold a reference to a partially assembled message in strp->skb_head.

That skb is not released in strp_abort_strp(), which leaks the partially assembled message and can be triggered repeatedly to exhaust memory.

Fix this by freeing strp->skb_head and resetting the parser state in the abort path. Leave strp_stop() unchanged so final cleanup still happens in strp_done() after the work and timer have been synchronized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:32Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: strparser: fix skb_head leak in strp_abort_strp()\n\nWhen the stream parser is aborted, for example after a message assembly timeout,\nit can still hold a reference to a partially assembled message in\nstrp-\u003eskb_head.\n\nThat skb is not released in strp_abort_strp(), which leaks the partially\nassembled message and can be triggered repeatedly to exhaust memory.\n\nFix this by freeing strp-\u003eskb_head and resetting the parser state in the\nabort path. Leave strp_stop() unchanged so final cleanup still happens in\nstrp_done() after the work and timer have been synchronized.",
  "id": "GHSA-mr4j-h79v-vcp9",
  "modified": "2026-06-01T18:31:35Z",
  "published": "2026-05-27T15:33:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46102"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19ca9475f18f991735f98a22e735c43e95e6298d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5327dad2ffe9c1b49881dd6d51ff3c6893847568"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/56082f442023db9be1a5a29d4ee361de4017c0b7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a470ed71c906cc8cbad0d74c9942216698911f8b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2e57695ec9ff9d42f23de70f3805199153d007b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6668ce0e78d23eabecef9a6bc4f0f739cb28ad3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9ae00490d474757c0f9c65073de83e6bb1e5a00"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe72340daaf1af588be88056faf98965f39e6032"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR75-899X-QCXQ

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-10-27 13:16
VLAI
Summary
Missing permission checks in Jenkins Chaos Monkey Plugin
Details

Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to generate load and to generate memory leaks.

Jenkins Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:chaos-monkey"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-16T22:21:13Z",
    "nvd_published_at": "2020-12-03T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.\n\nThis allows attackers with Overall/Read permission to generate load and to generate memory leaks.\n\nJenkins Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.",
  "id": "GHSA-mr75-899x-qcxq",
  "modified": "2023-10-27T13:16:47Z",
  "published": "2022-05-24T17:35:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2322"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/chaos-monkey-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20(1)"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing permission checks in Jenkins Chaos Monkey Plugin"
}

GHSA-MRHJ-7G92-RQ8J

Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-04 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()

In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will not be freed through rpi_firmware_delete(), fix this leak by calling kfree() in the error path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:37Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()\n\nIn rpi_firmware_probe(), if mbox_request_channel() fails, the \u0027fw\u0027 will\nnot be freed through rpi_firmware_delete(), fix this leak by calling\nkfree() in the error path.",
  "id": "GHSA-mrhj-7g92-rq8j",
  "modified": "2026-02-04T18:30:20Z",
  "published": "2025-10-07T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50537"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6757dd2193fe18c5c5fe3050e7f2ff9dcbd1ff34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71d2abab374f707ab8ac8dcef191fd2b3b67b8bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b51161696e803fd5f9ad55b20a64c2df313f95c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b308fdedef095aac14569f810d46edf773ea7d1e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d34742245e4366579f9a80f8cfe4a63248e838e0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRM7-VH23-G98V

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-23 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix memleak in io_init_wq_offload()

I got memory leak report when doing fuzz test:

BUG: memory leak unreferenced object 0xffff888107310a80 (size 96): comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<000000001974933b>] kmalloc include/linux/slab.h:591 [inline] [<000000001974933b>] kzalloc include/linux/slab.h:721 [inline] [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline] [<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline] [<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline] [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline] [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked

When calling io_uring_enter() in parallel, the 'hash_map' will be leaked, add uring_lock to protect 'hash_map'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memleak in io_init_wq_offload()\n\nI got memory leak report when doing fuzz test:\n\nBUG: memory leak\nunreferenced object 0xffff888107310a80 (size 96):\ncomm \"syz-executor.6\", pid 4610, jiffies 4295140240 (age 20.135s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\nbacktrace:\n[\u003c000000001974933b\u003e] kmalloc include/linux/slab.h:591 [inline]\n[\u003c000000001974933b\u003e] kzalloc include/linux/slab.h:721 [inline]\n[\u003c000000001974933b\u003e] io_init_wq_offload fs/io_uring.c:7920 [inline]\n[\u003c000000001974933b\u003e] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955\n[\u003c0000000039d0800d\u003e] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016\n[\u003c000000008482e78c\u003e] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]\n[\u003c000000008482e78c\u003e] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]\n[\u003c000000008482e78c\u003e] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]\n[\u003c000000008482e78c\u003e] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301\n[\u003c00000000b875f18f\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[\u003c00000000b875f18f\u003e] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n[\u003c000000006b0a8484\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCPU0                          CPU1\nio_uring_enter                io_uring_enter\nio_uring_add_tctx_node        io_uring_add_tctx_node\n__io_uring_add_tctx_node      __io_uring_add_tctx_node\nio_uring_alloc_task_context   io_uring_alloc_task_context\nio_init_wq_offload            io_init_wq_offload\nhash = kzalloc                hash = kzalloc\nctx-\u003ehash_map = hash          ctx-\u003ehash_map = hash \u003c- one of the hash is leaked\n\nWhen calling io_uring_enter() in parallel, the \u0027hash_map\u0027 will be leaked,\nadd uring_lock to protect \u0027hash_map\u0027.",
  "id": "GHSA-mrm7-vh23-g98v",
  "modified": "2024-12-23T18:30:47Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47292"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRV3-46FP-R6HH

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-06 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups

v3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect buffer and the workgroup buffer and is expected to release them before returning. When any of the workgroup counts read from the buffer is zero, the function bailed out early and skipped the cleanup, leaking the vaddr mappings of both BOs.

Jump to the cleanup path instead of returning directly, so the mappings are always dropped.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:31Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups\n\nv3d_rewrite_csd_job_wg_counts_from_indirect() maps both the indirect\nbuffer and the workgroup buffer and is expected to release them before\nreturning. When any of the workgroup counts read from the buffer is zero,\nthe function bailed out early and skipped the cleanup, leaking the vaddr\nmappings of both BOs.\n\nJump to the cleanup path instead of returning directly, so the mappings\nare always dropped.",
  "id": "GHSA-mrv3-46fp-r6hh",
  "modified": "2026-07-06T15:30:41Z",
  "published": "2026-06-25T09:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53140"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b59d0946913a0df7d1a033013e259e9b6a76546"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60ebeb23eaf3d7fd2e0551fe304309305e31d424"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/90b629269088a9fe24a02c032be9f08357f47873"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae7676952790f421c40918e2586a2c9f12a682b6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRWQ-3CQ2-5J36

Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-10-29 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix vport QoS cleanup on error

When enabling vport QoS fails, the scheduling node was never freed, causing a leak.

Add the missing free and reset the vport scheduling node pointer to NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T15:15:56Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix vport QoS cleanup on error\n\nWhen enabling vport QoS fails, the scheduling node was never freed,\ncausing a leak.\n\nAdd the missing free and reset the vport scheduling node pointer to\nNULL.",
  "id": "GHSA-mrwq-3cq2-5j36",
  "modified": "2025-10-29T18:30:27Z",
  "published": "2025-03-27T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21882"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f3528f7d2f98b70e19a6bb7b130fc82c079ac54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fead368502bce0e10bea7c0d2895b2fa0c6c10aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MV9F-845W-2CGM

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-29 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

phy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()

Use clk_disable_unprepare() in the error path of mtk_phy_init() to fix some resource leaks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()\n\nUse clk_disable_unprepare() in the error path of mtk_phy_init() to fix\nsome resource leaks.",
  "id": "GHSA-mv9f-845w-2cgm",
  "modified": "2025-04-29T21:31:34Z",
  "published": "2024-05-21T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47234"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6472955af5e88b5489b6d78316082ad56ea3e489"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a17907946232d01aa2ec109da5f93b8d31dd425"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aaac9a1bd370338ce372669eb9a6059d16b929aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVJ3-QRQH-CJVR

Vulnerability from github – Published: 2023-07-05 21:33 – Updated: 2023-07-18 19:15
VLAI
Summary
CometBFT PeerState JSON serialization deadlock
Details

Impact

An internal modification to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is called. This function can be called from two places:

  1. Via logs
    • Setting the consensus logging module to "debug" level (should not happen in production), and
    • Setting the log output format to JSON
  2. Via RPC dump_consensus_state

Case 1 above, which should not be hit in production, will eventually hit the deadlock in most goroutines, effectively halting the node.

In case 2, only the data structures related to the first peer will be deadlocked, together with the thread(s) dealing with the RPC request(s). This means that only one of the channels of communication to the node's peers will be blocked. Eventually the peer will timeout and excluded from the list (typically after 2 minutes). The goroutines involved in the deadlock will not be garbage collected, but they will not interfere with the system after the peer is excluded.

The theoretical worst case for case 2, is a network with only two validator nodes. In this case, each of the nodes only has one PeerState struct. If dump_consensus_state is called in either node (or both), the chain will halt until the peer connections time out, after which the nodes will reconnect (with different PeerState structs) and the chain will progress again. Then, the same process can be repeated.

As the number of nodes in a network increases, and thus, the number of peer struct each node maintains, the possibility of reproducing the perturbation visible with 2 nodes decreases. Only the first PeerState struct will deadlock, and not the others (RPC dump_consensus_state accesses them in a for loop, so the deadlock at the first iteration causes the rest of the iterations of that "for" loop to never be reached).

This regression was introduced in versions v0.34.28 and v0.37.1, and will be fixed in v0.34.29 and v0.37.2.

Patches

The PR containing the fix is here, and the corresponding issue is here

Workarounds

For case 1 (hitting the deadlock via logs) * either don't set the log output to "json", leave at "plain", * or don't set the consensus logging module to "debug", leave it at "info" or higher.

For case 2 (hitting the deadlock via RPC dump_consensus_state) * do not expose dump_consensus_state RPC endpoint to the public internet (e.g., via rules in your nginx setup)

References

  • Issue that introduced the deadlock
  • Issue reporting the bug via logs
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cometbft/cometbft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.34.28"
            },
            {
              "fixed": "0.34.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.34.28"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cometbft/cometbft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.37.1"
            },
            {
              "fixed": "0.37.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.37.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-05T21:33:48Z",
    "nvd_published_at": "2023-07-03T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAn internal modification to the way struct `PeerState` is serialized to JSON introduced a deadlock when new function MarshallJSON is called. This function can be called from two places:\n\n1. Via logs\n    * Setting the `consensus` logging module to \"debug\" level (should not happen in production), and\n    * Setting the log output format to JSON\n2. Via RPC `dump_consensus_state` \n\nCase 1 above, which should not be hit in production, will eventually hit the deadlock in most goroutines, effectively halting the node.\n\nIn case 2, only the data structures related to the first peer will be deadlocked, together with the thread(s) dealing with the RPC request(s). This means that only one of the channels of communication to the node\u0027s peers will be blocked. Eventually the peer will timeout and excluded from the list (typically after 2 minutes). The goroutines involved in the deadlock will not be garbage collected, but they will not interfere with the system after the peer is excluded.\n\nThe theoretical worst case for case 2, is a network with only two validator nodes. In this case, each of the nodes only has one `PeerState` struct. If `dump_consensus_state` is called in either node (or both), the chain will halt until the peer connections time out, after which the nodes will reconnect (with different `PeerState` structs) and the chain will progress again. Then, the same process can be repeated.\n\nAs the number of nodes in a network increases, and thus, the number of peer struct each node maintains, the possibility of reproducing the perturbation visible with 2 nodes decreases. Only the first `PeerState` struct will deadlock, and not the others (RPC `dump_consensus_state` accesses them in a for loop, so the deadlock at the first iteration causes the rest of the iterations of that \"for\" loop to never be reached).\n\nThis regression was introduced in versions `v0.34.28` and `v0.37.1`, and will be fixed in `v0.34.29` and `v0.37.2`.\n\n### Patches\nThe PR containing the fix is [here](https://github.com/cometbft/cometbft/pull/865), and the corresponding issue is [here](https://github.com/cometbft/cometbft/pull/863)\n\n### Workarounds\nFor case 1 (hitting the deadlock via logs)\n* either don\u0027t set the log output to \"json\", leave at \"plain\",\n* or don\u0027t set the consensus logging module to \"debug\", leave it at \"info\" or higher.\n\nFor case 2 (hitting the deadlock via RPC `dump_consensus_state`)\n* do not expose `dump_consensus_state` RPC endpoint to the public internet (e.g., via rules in your nginx setup)\n\n### References\n\n* [Issue](https://github.com/cometbft/cometbft/pull/863) that introduced the deadlock\n* [Issue](https://github.com/cometbft/cometbft/pull/524) reporting the bug via logs\n",
  "id": "GHSA-mvj3-qrqh-cjvr",
  "modified": "2023-07-18T19:15:58Z",
  "published": "2023-07-05T21:33:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-mvj3-qrqh-cjvr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/pull/524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/pull/863"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/pull/865"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cometbft/cometbft"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CometBFT PeerState JSON serialization deadlock"
}

GHSA-MVP8-C5HJ-59C5

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2023-01-18 00:30
VLAI
Details

An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Linux kernel before 5.0.1. There is a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service.",
  "id": "GHSA-mvp8-c5hj-59c5",
  "modified": "2023-01-18T00:30:20Z",
  "published": "2022-05-24T16:55:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15916"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3309"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3517"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0740"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191004-0001"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K57418558?utm_source=f5support\u0026amp;utm_medium=RSS"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.