CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-RFGG-VCCR-M46M
Vulnerability from github – Published: 2021-08-25 20:45 – Updated: 2021-08-19 21:20An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, clone can have a memory-safety issue upon a panic.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "sized-chunks"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25794"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:20:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, clone can have a memory-safety issue upon a panic.",
"id": "GHSA-rfgg-vccr-m46m",
"modified": "2021-08-19T21:20:37Z",
"published": "2021-08-25T20:45:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25794"
},
{
"type": "WEB",
"url": "https://github.com/bodil/sized-chunks/issues/11"
},
{
"type": "PACKAGE",
"url": "https://github.com/bodil/sized-chunks"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0041.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Missing release of memory in sized-chunks"
}
GHSA-RFGP-826J-VP9F
Vulnerability from github – Published: 2023-10-13 00:30 – Updated: 2024-02-21 21:30A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).
PTX3000, PTX5000, QFX10000, PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs do not support certain flow-routes. Once a flow-route is received over an established BGP session and an attempt is made to install the resulting filter into the PFE, FPC heap memory is leaked. The FPC heap memory can be monitored using the CLI command "show chassis fpc".
The following syslog messages can be observed if the respective filter derived from a flow-route cannot be installed.
expr_dfw_sfm_range_add:661 SFM packet-length Unable to get a sfm entry for updating the hw expr_dfw_hw_sfm_add:750 Unable to add the filter secondarymatch to the hardware expr_dfw_base_hw_add:52 Failed to add h/w sfm data. expr_dfw_base_hw_create:114 Failed to add h/w data. expr_dfw_base_pfe_inst_create:241 Failed to create base inst for sfilter 0 on PFE 0 for flowspec_default_inet expr_dfw_flt_inst_change:1368 Failed to create flowspec_default_inet on PFE 0 expr_dfw_hw_pgm_fnum:465 dfw_pfe_inst_old not found for pfe_index 0! expr_dfw_bp_pgm_flt_num:548 Failed to pgm bind-point in hw: generic failure expr_dfw_bp_topo_handler:1102 Failed to program fnum. expr_dfw_entry_process_change:679 Failed to change instance for filter flowspec_default_inet. This issue affects Juniper Networks Junos OS:
on PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs:
- All versions prior to 20.4R3-S5;
- 21.1 versions prior to 21.1R3-S4;
- 21.2 versions prior to 21.2R3-S2;
- 21.3 versions prior to 21.3R3;
- 21.4 versions prior to 21.4R2-S2, 21.4R3;
- 22.1 versions prior to 22.1R1-S2, 22.1R2.
on PTX3000, PTX5000, QFX10000:
- All versions prior to 20.4R3-S8;
- 21.1 version 21.1R1 and later versions;
- 21.2 versions prior to 21.2R3-S6;
- 21.3 versions prior to 21.3R3-S5;
- 21.4 versions prior to 21.4R3-S4;
- 22.1 versions prior to 22.1R3-S3
- 22.2 versions prior to 22.2R3-S1
- 22.3 versions prior to 22.3R2-S2, 22.3R3
- 22.4 versions prior to 22.4R2.
{
"affected": [],
"aliases": [
"CVE-2023-22392"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-12T23:15:10Z",
"severity": "MODERATE"
},
"details": "\nA Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).\n\nPTX3000, PTX5000, QFX10000, PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs do not support certain flow-routes. Once a flow-route is received over an established BGP session and an attempt is made to install the resulting filter into the PFE, FPC heap memory is leaked. The FPC heap memory can be monitored using the CLI command \"show chassis fpc\".\n\nThe following syslog messages can be observed if the respective filter derived from a flow-route cannot be installed.\n\nexpr_dfw_sfm_range_add:661 SFM packet-length Unable to get a sfm entry for updating the hw\nexpr_dfw_hw_sfm_add:750 Unable to add the filter secondarymatch to the hardware\nexpr_dfw_base_hw_add:52 Failed to add h/w sfm data.\nexpr_dfw_base_hw_create:114 Failed to add h/w data.\nexpr_dfw_base_pfe_inst_create:241 Failed to create base inst for sfilter 0 on PFE 0 for __flowspec_default_inet__\nexpr_dfw_flt_inst_change:1368 Failed to create __flowspec_default_inet__ on PFE 0\nexpr_dfw_hw_pgm_fnum:465 dfw_pfe_inst_old not found for pfe_index 0!\nexpr_dfw_bp_pgm_flt_num:548 Failed to pgm bind-point in hw: generic failure\nexpr_dfw_bp_topo_handler:1102 Failed to program fnum.\nexpr_dfw_entry_process_change:679 Failed to change instance for filter __flowspec_default_inet__.\nThis issue affects Juniper Networks Junos OS:\n\non PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs:\n\n\n\n * All versions prior to 20.4R3-S5;\n * 21.1 versions prior to 21.1R3-S4;\n * 21.2 versions prior to 21.2R3-S2;\n * 21.3 versions prior to 21.3R3;\n * 21.4 versions prior to 21.4R2-S2, 21.4R3;\n * 22.1 versions prior to 22.1R1-S2, 22.1R2.\n\n\n\n\non PTX3000, PTX5000, QFX10000:\n\n\n\n * All versions prior to 20.4R3-S8;\n * 21.1 version 21.1R1 and later versions;\n * 21.2 versions prior to 21.2R3-S6;\n * 21.3 versions prior to 21.3R3-S5;\n * 21.4 versions prior to 21.4R3-S4;\n * 22.1 versions prior to 22.1R3-S3\n * 22.2 versions prior to 22.2R3-S1\n * 22.3 versions prior to 22.3R2-S2, 22.3R3\n * 22.4 versions prior to 22.4R2.\n\n\n\n\n\n\n",
"id": "GHSA-rfgp-826j-vp9f",
"modified": "2024-02-21T21:30:23Z",
"published": "2023-10-13T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22392"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA70188"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA73530"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFV7-274M-VPHW
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-11 21:31In the Linux kernel, the following vulnerability has been resolved:
media: cx25821: Fix a resource leak in cx25821_dev_setup()
Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources().
{
"affected": [],
"aliases": [
"CVE-2026-43183"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:36Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx25821: Fix a resource leak in cx25821_dev_setup()\n\nAdd release_mem_region() if ioremap() fails to release the memory\nregion obtained by cx25821_get_resources().",
"id": "GHSA-rfv7-274m-vphw",
"modified": "2026-05-11T21:31:30Z",
"published": "2026-05-06T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43183"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/071bfc6e723aabbbf08f0d439fb913cd01eb8de2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4010e596d23cda6de65acb14f7fd4ce8289f1d49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/68cd8ac994cac38a305200f638b30e13c690753b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80ce3797dc99dae4ce8b939626b891c9eb85139f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f1c926248bde95a77ca104ab525467470607836"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7210170b10e2d17f7a4f6b9d39cc092442db860"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e220ec4c4596d634685b8a08d79ad876a720b466"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7759eb6738ee9fc296f6ab1705c6809947976f3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFV9-HGHG-CHFQ
Vulnerability from github – Published: 2025-04-14 18:31 – Updated: 2025-04-14 18:31In the Linux kernel, the following vulnerability has been resolved:
jffs2: fix memory leak in jffs2_do_mount_fs
If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error, we can observe the following kmemleak report:
unreferenced object 0xffff88811b25a640 (size 64): comm "mount", pid 691, jiffies 4294957728 (age 71.952s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmem_cache_alloc_trace+0x584/0x880 [] jffs2_sum_init+0x86/0x130 [] jffs2_do_mount_fs+0x798/0xac0 [] jffs2_do_fill_super+0x383/0xc30 [] jffs2_fill_super+0x2ea/0x4c0 [...] unreferenced object 0xffff88812c760000 (size 65536): comm "mount", pid 691, jiffies 4294957728 (age 71.952s) hex dump (first 32 bytes): bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ backtrace: [] __kmalloc+0x6b9/0x910 [] jffs2_sum_init+0xd7/0x130 [] jffs2_do_mount_fs+0x798/0xac0 [] jffs2_do_fill_super+0x383/0xc30 [] jffs2_fill_super+0x2ea/0x4c0 [...]
This is because the resources allocated in jffs2_sum_init() are not released. Call jffs2_sum_exit() to release these resources to solve the problem.
{
"affected": [],
"aliases": [
"CVE-2022-49277"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix memory leak in jffs2_do_mount_fs\n\nIf jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,\nwe can observe the following kmemleak report:\n\n--------------------------------------------\nunreferenced object 0xffff88811b25a640 (size 64):\n comm \"mount\", pid 691, jiffies 4294957728 (age 71.952s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffffa493be24\u003e] kmem_cache_alloc_trace+0x584/0x880\n [\u003cffffffffa5423a06\u003e] jffs2_sum_init+0x86/0x130\n [\u003cffffffffa5400e58\u003e] jffs2_do_mount_fs+0x798/0xac0\n [\u003cffffffffa540acf3\u003e] jffs2_do_fill_super+0x383/0xc30\n [\u003cffffffffa540c00a\u003e] jffs2_fill_super+0x2ea/0x4c0\n [...]\nunreferenced object 0xffff88812c760000 (size 65536):\n comm \"mount\", pid 691, jiffies 4294957728 (age 71.952s)\n hex dump (first 32 bytes):\n bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................\n bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................\n backtrace:\n [\u003cffffffffa493a449\u003e] __kmalloc+0x6b9/0x910\n [\u003cffffffffa5423a57\u003e] jffs2_sum_init+0xd7/0x130\n [\u003cffffffffa5400e58\u003e] jffs2_do_mount_fs+0x798/0xac0\n [\u003cffffffffa540acf3\u003e] jffs2_do_fill_super+0x383/0xc30\n [\u003cffffffffa540c00a\u003e] jffs2_fill_super+0x2ea/0x4c0\n [...]\n--------------------------------------------\n\nThis is because the resources allocated in jffs2_sum_init() are not\nreleased. Call jffs2_sum_exit() to release these resources to solve\nthe problem.",
"id": "GHSA-rfv9-hghg-chfq",
"modified": "2025-04-14T18:31:48Z",
"published": "2025-04-14T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49277"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0978e9af4559a171ac7a74a1b3ef21804b0a0fa9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a9d8184458562e6bf2f40d0e677fc85e2dd3834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4392e8aeebc5a4f8073620bccba7de1b1f6d7c88"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f34310d1376ca5b2ed798258def2c2ab3cc6699"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/607d3aab7349f18e0d9dba4100d09d16fe27caca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a0f6610c7daedd2eace430beeb08a8b7ac80699"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c94128470e6fe53d9bd9d16d2d3271813f9d37af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d051cef784de4d54835f6b6836d98a8f6935772c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbe0d0521eaa6a3d235517319266c539bb5c5112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG5G-MJFH-W75Q
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.
{
"affected": [],
"aliases": [
"CVE-2019-19073"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-18T06:15:00Z",
"severity": "HIGH"
},
"details": "Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10.",
"id": "GHSA-rg5g-mjfh-w75q",
"modified": "2022-05-24T17:01:32Z",
"published": "2022-05-24T17:01:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19073"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/853acf7caf10b828102d92d05b5c101666a6142b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20191205-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4526-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4527-1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00029.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RG79-R2V5-RJW5
Vulnerability from github – Published: 2023-06-02 12:30 – Updated: 2024-04-04 04:28mp4v2 v2.1.3 was discovered to contain a memory leak when a method calling MP4File::ReadBytes() had allocated memory but did not catch exceptions thrown by ReadBytes()
{
"affected": [],
"aliases": [
"CVE-2023-33717"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T12:15:09Z",
"severity": "MODERATE"
},
"details": "mp4v2 v2.1.3 was discovered to contain a memory leak when a method calling MP4File::ReadBytes() had allocated memory but did not catch exceptions thrown by ReadBytes()",
"id": "GHSA-rg79-r2v5-rjw5",
"modified": "2024-04-04T04:28:52Z",
"published": "2023-06-02T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33717"
},
{
"type": "WEB",
"url": "https://github.com/enzo1982/mp4v2/issues/37"
},
{
"type": "WEB",
"url": "https://github.com/enzo1982/mp4v2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RGRC-QMJ6-X9MF
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2025-02-14 18:30Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.
{
"affected": [],
"aliases": [
"CVE-2024-26462"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:44:18Z",
"severity": "MODERATE"
},
"details": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.",
"id": "GHSA-rgrc-qmj6-x9mf",
"modified": "2025-02-14T18:30:44Z",
"published": "2024-02-29T03:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462"
},
{
"type": "WEB",
"url": "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240415-0012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RGVR-PR7C-X97V
Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
ax25: Remove broken autobind
Binding AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). Memory leak was detected with kmemleak:
================================================================ unreferenced object 0xffff8880253cd680 (size 96): backtrace: __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43) kmemdup_noprof (mm/util.c:136) ax25_rt_autobind (net/ax25/ax25_route.c:428) ax25_connect (net/ax25/af_ax25.c:1282) __sys_connect_file (net/socket.c:2045) __sys_connect (net/socket.c:2064) __x64_sys_connect (net/socket.c:2067) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) ================================================================
When socket is bound, refcounts must be incremented the way it is done in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of autobind, the refcounts are not incremented.
This bug leads to the following issue reported by Syzkaller:
================================================================ ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de ------------[ cut here ]------------ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31 Modules linked in: CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31 ... Call Trace: __refcount_dec include/linux/refcount.h:336 [inline] refcount_dec include/linux/refcount.h:351 [inline] ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236 netdev_tracker_free include/linux/netdevice.h:4302 [inline] netdev_put include/linux/netdevice.h:4319 [inline] ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080 __sock_release net/socket.c:647 [inline] sock_close+0xbc/0x240 net/socket.c:1398 __fput+0x3e9/0x9f0 fs/file_table.c:464 __do_sys_close fs/open.c:1580 [inline] __se_sys_close fs/open.c:1565 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1565 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... ================================================================
Considering the issues above and the comments left in the code that say: "check if we can remove this feature. It is broken."; "autobinding in this may or may not work"; - it is better to completely remove this feature than to fix it because it is broken and leads to various kinds of memory bugs.
Now calling connect() without first binding socket will result in an error (-EINVAL). Userspace software that relies on the autobind feature might get broken. However, this feature does not seem widely used with this specific driver as it was not reliable at any point of time, and it is already broken anyway. E.g. ax25-tools and ax25-apps packages for popular distributions do not use the autobind feature for AF_AX25.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
{
"affected": [],
"aliases": [
"CVE-2025-22109"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T15:16:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Remove broken autobind\n\nBinding AX25 socket by using the autobind feature leads to memory leaks\nin ax25_connect() and also refcount leaks in ax25_release(). Memory\nleak was detected with kmemleak:\n\n================================================================\nunreferenced object 0xffff8880253cd680 (size 96):\nbacktrace:\n__kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)\nkmemdup_noprof (mm/util.c:136)\nax25_rt_autobind (net/ax25/ax25_route.c:428)\nax25_connect (net/ax25/af_ax25.c:1282)\n__sys_connect_file (net/socket.c:2045)\n__sys_connect (net/socket.c:2064)\n__x64_sys_connect (net/socket.c:2067)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n================================================================\n\nWhen socket is bound, refcounts must be incremented the way it is done\nin ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of\nautobind, the refcounts are not incremented.\n\nThis bug leads to the following issue reported by Syzkaller:\n\n================================================================\nax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de\n------------[ cut here ]------------\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31\nModules linked in:\nCPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31\n...\nCall Trace:\n \u003cTASK\u003e\n __refcount_dec include/linux/refcount.h:336 [inline]\n refcount_dec include/linux/refcount.h:351 [inline]\n ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236\n netdev_tracker_free include/linux/netdevice.h:4302 [inline]\n netdev_put include/linux/netdevice.h:4319 [inline]\n ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080\n __sock_release net/socket.c:647 [inline]\n sock_close+0xbc/0x240 net/socket.c:1398\n __fput+0x3e9/0x9f0 fs/file_table.c:464\n __do_sys_close fs/open.c:1580 [inline]\n __se_sys_close fs/open.c:1565 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1565\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n ...\n \u003c/TASK\u003e\n================================================================\n\nConsidering the issues above and the comments left in the code that say:\n\"check if we can remove this feature. It is broken.\"; \"autobinding in this\nmay or may not work\"; - it is better to completely remove this feature than\nto fix it because it is broken and leads to various kinds of memory bugs.\n\nNow calling connect() without first binding socket will result in an\nerror (-EINVAL). Userspace software that relies on the autobind feature\nmight get broken. However, this feature does not seem widely used with\nthis specific driver as it was not reliable at any point of time, and it\nis already broken anyway. E.g. ax25-tools and ax25-apps packages for\npopular distributions do not use the autobind feature for AF_AX25.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
"id": "GHSA-rgvr-pr7c-x97v",
"modified": "2025-11-03T21:33:38Z",
"published": "2025-04-16T15:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22109"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f6efbabceb6b2914ee9bafb86d9a51feae9cce8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/61203fdd3e35519db9a98b6ff8983c620ffc4696"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RH3C-7XC7-JJWJ
Vulnerability from github – Published: 2024-04-12 15:37 – Updated: 2025-04-10 21:30A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an administratively adjacent attacker which is able to successfully establish IPsec tunnels to cause a Denial of Service (DoS).
If specific values for the IPsec parameters local-ip, remote-ip, remote ike-id, and traffic selectors are sent from the peer, a memory leak occurs during every IPsec SA rekey which is carried out with a specific message sequence. This will eventually result in an iked process crash and restart.
The iked process memory consumption can be checked using the below command: user@host> show system processes extensive | grep iked PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND 56903 root 31 0 4016M 2543M CPU0 0 2:10 10.50% iked
This issue affects Juniper Networks Junos OS: * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S4; * 22.1 versions earlier than 22.1R3-S3; * 22.2 versions earlier than 22.2R3-S2; * 22.3 versions earlier than 22.3R3; * 22.4 versions earlier than 22.4R3; * 23.2 versions earlier than 23.2R1-S2, 23.2R2.
{
"affected": [],
"aliases": [
"CVE-2024-21609"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-12T15:15:23Z",
"severity": "MODERATE"
},
"details": "A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an administratively adjacent attacker which is able to successfully establish IPsec tunnels to cause a Denial of Service (DoS).\n\nIf specific values for the IPsec parameters local-ip, remote-ip, remote ike-id, and traffic selectors are sent from the peer, a memory leak occurs during every IPsec SA rekey which is carried out with a specific message sequence. This will eventually result in an iked process crash and restart.\n\nThe iked process memory consumption can be checked using the below command:\n\u00a0 user@host\u003e show system processes extensive | grep iked\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 PID USERNAME \u00a0 PRI NICE \u00a0 SIZE \u00a0 RES \u00a0 STATE \u00a0 C TIME WCPU COMMAND\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 56903 root \u00a0 \u00a0 \u00a0 31 \u00a0 0 \u00a0 \u00a0 4016M 2543M CPU0 \u00a0 0 2:10 10.50% iked\n\nThis issue affects Juniper Networks Junos OS:\n * All versions earlier than 20.4R3-S9;\n * 21.2 versions earlier than 21.2R3-S7;\n * 21.3 versions earlier than 21.3R3-S5;\n * 21.4 versions earlier than 21.4R3-S4;\n * 22.1 versions earlier than 22.1R3-S3;\n * 22.2 versions earlier than 22.2R3-S2;\n * 22.3 versions earlier than 22.3R3;\n * 22.4 versions earlier than 22.4R3;\n * 23.2 versions earlier than 23.2R1-S2, 23.2R2.",
"id": "GHSA-rh3c-7xc7-jjwj",
"modified": "2025-04-10T21:30:48Z",
"published": "2024-04-12T15:37:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21609"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
},
{
"type": "WEB",
"url": "http://supportportal.juniper.net/JSA75750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RHP4-4FF3-M4C6
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2023-05-27 06:30Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2021-33366"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-13T19:15:00Z",
"severity": "MODERATE"
},
"details": "Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.",
"id": "GHSA-rhp4-4ff3-m4c6",
"modified": "2023-05-27T06:30:36Z",
"published": "2022-05-24T19:14:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33366"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1785"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/0a85029d694f992f3631e2f249e4999daee15cbf"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.