CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-RVGW-688X-X595
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix dentry leak in cachefiles_open_file()
A dentry leak may be caused when a lookup cookie and a cull are concurrent:
P1 | P2
cachefiles_lookup_cookie cachefiles_look_up_object lookup_one_positive_unlocked // get dentry cachefiles_cull inode->i_flags |= S_KERNEL_FILE; cachefiles_open_file cachefiles_mark_inode_in_use __cachefiles_mark_inode_in_use can_use = false if (!(inode->i_flags & S_KERNEL_FILE)) can_use = true return false return false // Returns an error but doesn't put dentry
After that the following WARNING will be triggered when the backend folder is umounted:
================================================================== BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda] WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70 CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25 RIP: 0010:umount_check+0x5d/0x70 Call Trace: d_walk+0xda/0x2b0 do_one_tree+0x20/0x40 shrink_dcache_for_umount+0x2c/0x90 generic_shutdown_super+0x20/0x160 kill_block_super+0x1a/0x40 ext4_kill_sb+0x22/0x40 deactivate_locked_super+0x35/0x80 cleanup_mnt+0x104/0x160 ==================================================================
Whether cachefiles_open_file() returns true or false, the reference count obtained by lookup_positive_unlocked() in cachefiles_look_up_object() should be released.
Therefore release that reference count in cachefiles_look_up_object() to fix the above issue and simplify the code.
{
"affected": [],
"aliases": [
"CVE-2024-49870"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix dentry leak in cachefiles_open_file()\n\nA dentry leak may be caused when a lookup cookie and a cull are concurrent:\n\n P1 | P2\n-----------------------------------------------------------\ncachefiles_lookup_cookie\n cachefiles_look_up_object\n lookup_one_positive_unlocked\n // get dentry\n cachefiles_cull\n inode-\u003ei_flags |= S_KERNEL_FILE;\n cachefiles_open_file\n cachefiles_mark_inode_in_use\n __cachefiles_mark_inode_in_use\n can_use = false\n if (!(inode-\u003ei_flags \u0026 S_KERNEL_FILE))\n can_use = true\n\t return false\n return false\n // Returns an error but doesn\u0027t put dentry\n\nAfter that the following WARNING will be triggered when the backend folder\nis umounted:\n\n==================================================================\nBUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]\nWARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70\nCPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25\nRIP: 0010:umount_check+0x5d/0x70\nCall Trace:\n \u003cTASK\u003e\n d_walk+0xda/0x2b0\n do_one_tree+0x20/0x40\n shrink_dcache_for_umount+0x2c/0x90\n generic_shutdown_super+0x20/0x160\n kill_block_super+0x1a/0x40\n ext4_kill_sb+0x22/0x40\n deactivate_locked_super+0x35/0x80\n cleanup_mnt+0x104/0x160\n==================================================================\n\nWhether cachefiles_open_file() returns true or false, the reference count\nobtained by lookup_positive_unlocked() in cachefiles_look_up_object()\nshould be released.\n\nTherefore release that reference count in cachefiles_look_up_object() to\nfix the above issue and simplify the code.",
"id": "GHSA-rvgw-688x-x595",
"modified": "2025-11-04T00:31:40Z",
"published": "2024-10-21T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49870"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7fa2382f97421978514a419c93054eca69f5247b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7d10fa7d7691558ff967668494672415f5fa151"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d32ff64c872d7e08e893c32ba6a2374583444410"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da6ef2dffe6056aad3435e6cf7c6471c2a62187c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4a28489b310339b2b8187bec0a437709be551c1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVH3-5JFR-6P58
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 21:30In the Linux kernel, the following vulnerability has been resolved:
s390/zcrypt: Fix memory leak with CCA cards used as accelerator
Tests showed that there is a memory leak if CCA cards are used as accelerator for clear key RSA requests (ME and CRT). With the last rework for the memory allocation the AP messages are allocated by ap_init_apmsg() but for some reason on two places (ME and CRT) the older allocation was still in place. So the first allocation simple was never freed.
{
"affected": [],
"aliases": [
"CVE-2026-31746"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: Fix memory leak with CCA cards used as accelerator\n\nTests showed that there is a memory leak if CCA cards are used as\naccelerator for clear key RSA requests (ME and CRT). With the last\nrework for the memory allocation the AP messages are allocated by\nap_init_apmsg() but for some reason on two places (ME and CRT) the\nolder allocation was still in place. So the first allocation simple\nwas never freed.",
"id": "GHSA-rvh3-5jfr-6p58",
"modified": "2026-05-07T21:30:23Z",
"published": "2026-05-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31746"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/586222c37d4027dbf60a604fbe820184fee7c1c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ace37bfec3822033e59fff390f2ff99fc96ebe4f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c8d46f17c2fc7d25c18e60c008928aecab26184d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVP4-JQJ8-P5FQ
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-09-03 00:00Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file.
{
"affected": [],
"aliases": [
"CVE-2020-26420"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T19:15:00Z",
"severity": "MODERATE"
},
"details": "Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file.",
"id": "GHSA-rvp4-jqj8-p5fq",
"modified": "2022-09-03T00:00:23Z",
"published": "2022-05-24T17:36:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26420"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26420.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/16994"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M75HYXU36SP6GHIDPHNZGJKEO6TX4C4Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YHWDZPWQJMLK64VFDWJC5SEGPNH6Y72Z"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-12"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2020-18.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RVQ4-9F28-MRWC
Vulnerability from github – Published: 2024-06-08 15:31 – Updated: 2024-07-17 18:31In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: Fix memory leak in tpm2_key_encode()
'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case.
{
"affected": [],
"aliases": [
"CVE-2024-36967"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-08T13:15:58Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: Fix memory leak in tpm2_key_encode()\n\n\u0027scratch\u0027 is never freed. Fix this by calling kfree() in the success, and\nin the error case.",
"id": "GHSA-rvq4-9f28-mrwc",
"modified": "2024-07-17T18:31:00Z",
"published": "2024-06-08T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36967"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/189c768932d435045b1fae12bf63e53866f06a28"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e6914fa8e7798bcf3ce4a5b96ea4ac1d5571cdf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d91238b590bd883c86ba7707c5c9096469c08b7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf26a92f560eed5d6ddc3d441cc645950cbabc56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e62835264d0352be6086975f18fdfed2b5520b13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffcaa2172cc1a85ddb8b783de96d38ca8855e248"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RW2H-4WG3-5F47
Vulnerability from github – Published: 2023-01-05 15:30 – Updated: 2023-01-11 21:30GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.
{
"affected": [],
"aliases": [
"CVE-2022-46489"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T15:15:00Z",
"severity": "MODERATE"
},
"details": "GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to contain a memory leak via the gf_isom_box_parse_ex function at box_funcs.c.",
"id": "GHSA-rw2h-4wg3-5f47",
"modified": "2023-01-11T21:30:40Z",
"published": "2023-01-05T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46489"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/2328"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RW87-JQJ5-Q35F
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31In VMware ESXi (6.7 before ESXi670-201908101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x before 15.1.0), Fusion (11.x before 11.1.0), the VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.
{
"affected": [],
"aliases": [
"CVE-2020-3995"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-20T17:15:00Z",
"severity": "MODERATE"
},
"details": "In VMware ESXi (6.7 before ESXi670-201908101-SG, 6.5 before ESXi650-202007101-SG), Workstation (15.x before 15.1.0), Fusion (11.x before 11.1.0), the VMCI host drivers used by VMware hypervisors contain a memory leak vulnerability. A malicious actor with access to a virtual machine may be able to trigger a memory leak issue resulting in memory resource exhaustion on the hypervisor if the attack is sustained for extended periods of time.",
"id": "GHSA-rw87-jqj5-q35f",
"modified": "2022-05-24T17:31:50Z",
"published": "2022-05-24T17:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3995"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2020-0023.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWC9-H9MH-XFWQ
Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-17 21:31In the Linux kernel, the following vulnerability has been resolved:
of: unittest: Fix memory leak in unittest_data_add()
In unittest_data_add(), if of_resolve_phandles() fails, the allocated unittest_data is not freed, leading to a memory leak.
Fix this by using scope-based cleanup helper __free(kfree) for automatic resource cleanup. This ensures unittest_data is automatically freed when it goes out of scope in error paths.
For the success path, use retain_and_null_ptr() to transfer ownership of the memory to the device tree and prevent double freeing.
{
"affected": [],
"aliases": [
"CVE-2026-23137"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-14T16:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: Fix memory leak in unittest_data_add()\n\nIn unittest_data_add(), if of_resolve_phandles() fails, the allocated\nunittest_data is not freed, leading to a memory leak.\n\nFix this by using scope-based cleanup helper __free(kfree) for automatic\nresource cleanup. This ensures unittest_data is automatically freed when\nit goes out of scope in error paths.\n\nFor the success path, use retain_and_null_ptr() to transfer ownership\nof the memory to the device tree and prevent double freeing.",
"id": "GHSA-rwc9-h9mh-xfwq",
"modified": "2026-03-17T21:31:41Z",
"published": "2026-02-14T18:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23137"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/235a1eb8d2dcc49a6cf0a5ee1aa85544a5d0054b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f09b0f705bd7197863b90256ef533a6414d1db2c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RWHM-C36W-484H
Vulnerability from github – Published: 2026-07-06 15:30 – Updated: 2026-07-09 15:32A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service
{
"affected": [],
"aliases": [
"CVE-2026-13698"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T15:16:35Z",
"severity": "MODERATE"
},
"details": "A memory leak in OpenVPN version 2.5.0 through 2.5.11, 2.6.0 through 2.6.20 and 2.7_alpha1 through 2.7.4 allows remote attackers with a valid tls-crypt-v2 client key to potentially cause a denial of service",
"id": "GHSA-rwhm-c36w-484h",
"modified": "2026-07-09T15:32:19Z",
"published": "2026-07-06T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13698"
},
{
"type": "WEB",
"url": "https://community.openvpn.net/Security%20Announcements/CVE-2026-13698"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RWHV-4JCG-G276
Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: Fix memory leak in management tx
In the current logic, memory is allocated for storing the MSDU context during management packet TX but this memory is not being freed during management TX completion. Similar leaks are seen in the management TX cleanup logic.
Kmemleak reports this problem as below,
unreferenced object 0xffffff80b64ed250 (size 16): comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s) hex dump (first 16 bytes): 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t...... backtrace: [] __kmem_cache_alloc_node+0x1e4/0x2d8 [] kmalloc_trace+0x48/0x110 [] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core] [] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core] [] process_scheduled_works+0x1ac/0x400 [] worker_thread+0x208/0x328 [] kthread+0x100/0x1c0 [] ret_from_fork+0x10/0x20
Free the memory during completion and cleanup to fix the leak.
Protect the mgmt_pending_tx idr_remove() operation in ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to other instances.
Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
{
"affected": [],
"aliases": [
"CVE-2024-50236"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T11:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Fix memory leak in management tx\n\nIn the current logic, memory is allocated for storing the MSDU context\nduring management packet TX but this memory is not being freed during\nmanagement TX completion. Similar leaks are seen in the management TX\ncleanup logic.\n\nKmemleak reports this problem as below,\n\nunreferenced object 0xffffff80b64ed250 (size 16):\n comm \"kworker/u16:7\", pid 148, jiffies 4294687130 (age 714.199s)\n hex dump (first 16 bytes):\n 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t......\n backtrace:\n [\u003cffffffe6e7b245dc\u003e] __kmem_cache_alloc_node+0x1e4/0x2d8\n [\u003cffffffe6e7adde88\u003e] kmalloc_trace+0x48/0x110\n [\u003cffffffe6bbd765fc\u003e] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]\n [\u003cffffffe6bbd3eed4\u003e] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]\n [\u003cffffffe6e78d5974\u003e] process_scheduled_works+0x1ac/0x400\n [\u003cffffffe6e78d60b8\u003e] worker_thread+0x208/0x328\n [\u003cffffffe6e78dc890\u003e] kthread+0x100/0x1c0\n [\u003cffffffe6e78166c0\u003e] ret_from_fork+0x10/0x20\n\nFree the memory during completion and cleanup to fix the leak.\n\nProtect the mgmt_pending_tx idr_remove() operation in\nath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar-\u003edata_lock similar to\nother instances.\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1",
"id": "GHSA-rwhv-4jcg-g276",
"modified": "2025-11-04T00:31:59Z",
"published": "2024-11-09T12:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50236"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f6f1e26ac6d2b38e2198a71f81f0ade14d6b07b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4112450da7d67b59ccedc2208bae622db17dbcb8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f5a939759c79e7385946c85e62feca51a18d816"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6cc23898e6ba47e976050d3c080b4d2c1add3748"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6fc9af3df6ca7f3c94774d20f62dc7b49616026d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/705be2dc45c7f852e211e16bc41a916fab741983"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e15d84b3bba187aa372dff7c58ce1fd5cb48a076"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eff818238bedb9c2484c251ec46f9f160911cdc0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RWQ6-CRJG-9CPW
Vulnerability from github – Published: 2024-09-05 16:44 – Updated: 2024-09-09 14:05When a canister method is called via ic_cdk::call*, a new Future CallFuture is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held for this internal state and not all references were dropped before the Future is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak.
Impact
Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker.
Motoko based canisters are not affected by the bug.
Patches
The patch has been backported to all minor versions between >= 0.8.0, <= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 and their previous versions have been yanked.
Workarounds
There are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of ic_cdk to avoid running out of Wasm heap memory.
[!NOTE]
Upgrading the canisters (without updatingic_cdk) also frees the leaked memory but it's only a temporary solution.
References
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.11.5"
},
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "0.11.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "0.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.13.4"
},
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "0.14.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "ic_cdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7884"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-05T16:44:27Z",
"nvd_published_at": "2024-09-05T13:15:11Z",
"severity": "HIGH"
},
"details": "When a canister method is called via `ic_cdk::call*`, a new Future `CallFuture` is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called `CallFutureState`. A bug in the polling implementation of the `CallFuture` allows multiple references to be held for this internal state and not all references were dropped before the `Future` is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister\u0027s heap and thus causing a memory leak. \n\n### Impact\nCanisters built in Rust with `ic_cdk` and `ic_cdk_timers` are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. **In the worst case, this could lead to heap memory exhaustion triggered by an attacker.**\n\nMotoko based canisters are not affected by the bug.\n\n### Patches\nThe patch has been backported to all minor versions between `\u003e= 0.8.0, \u003c= 0.15.0`. The patched versions available are `0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1` and their previous versions have been yanked. \n\n### Workarounds\nThere are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of `ic_cdk` to avoid running out of Wasm heap memory. \n\n\u003e [!NOTE] \n\u003e Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it\u0027s only a temporary solution.\n\n### References\n- [dfinity/cdk-rs/pull/509](https://github.com/dfinity/cdk-rs/pull/509)\n- [ic_cdk docs](https://docs.rs/ic-cdk/latest/ic_cdk/)\n- [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)",
"id": "GHSA-rwq6-crjg-9cpw",
"modified": "2024-09-09T14:05:39Z",
"published": "2024-09-05T16:44:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dfinity/cdk-rs/security/advisories/GHSA-rwq6-crjg-9cpw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7884"
},
{
"type": "WEB",
"url": "https://github.com/dfinity/cdk-rs/pull/509"
},
{
"type": "WEB",
"url": "https://github.com/dfinity/cdk-rs/commit/bd17d57a7b8ca59665fea5fad6143ca02724d03b"
},
{
"type": "WEB",
"url": "https://docs.rs/ic-cdk/latest/ic_cdk"
},
{
"type": "PACKAGE",
"url": "https://github.com/dfinity/cdk-rs"
},
{
"type": "WEB",
"url": "https://internetcomputer.org/docs/current/references/ic-interface-spec"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0372.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ic-cdk has a memory leak when calling a canister method via `ic_cdk::call`"
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.