CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-VMQH-6GHR-6C6P
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix nfeeds state corruption on start_streaming failure
syzbot reported a memory leak in vidtv_psi_service_desc_init [1].
When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream.
This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early.
Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.
[1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288 vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83 vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524 vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
{
"affected": [],
"aliases": [
"CVE-2026-31585"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix nfeeds state corruption on start_streaming failure\n\nsyzbot reported a memory leak in vidtv_psi_service_desc_init [1].\n\nWhen vidtv_start_streaming() fails inside vidtv_start_feed(), the\nnfeeds counter is left incremented even though no feed was actually\nstarted. This corrupts the driver state: subsequent start_feed calls\nsee nfeeds \u003e 1 and skip starting the mux, while stop_feed calls\neventually try to stop a non-existent stream.\n\nThis state corruption can also lead to memory leaks, since the mux\nand channel resources may be partially allocated during a failed\nstart_streaming but never cleaned up, as the stop path finds\ndvb-\u003estreaming == false and returns early.\n\nFix by decrementing nfeeds back when start_streaming fails, keeping\nthe counter in sync with the actual number of active feeds.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888145b50820 (size 32):\n comm \"syz.0.17\", pid 6068, jiffies 4294944486\n backtrace (crc 90a0c7d4):\n vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288\n vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83\n vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524\n vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239",
"id": "GHSA-vmqh-6ghr-6c6p",
"modified": "2026-06-01T18:31:25Z",
"published": "2026-04-24T15:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31585"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60f768d46df561e06d92ffcacc00909f37a0f23d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80900b5424f3454256153ce386388df43b324f63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8cccb427e65d725fc0ba05e8900b4676eda268e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMV4-CP43-WHX4
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-08-26 15:31In the Linux kernel, the following vulnerability has been resolved:
RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw
When running blktests nvme/rdma, the following kmemleak issue will appear.
kmemleak: Kernel memory leak detector initialized (mempool available:36041) kmemleak: Automatic memory scanning thread started kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak) kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
unreferenced object 0xffff88855da53400 (size 192): comm "rdma", pid 10630, jiffies 4296575922 hex dump (first 32 bytes): 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7............... 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.].... backtrace (crc 47f66721): [] kmalloc_trace+0x30d/0x3b0 [] alloc_gid_entry+0x47/0x380 [ib_core] [] add_modify_gid+0x166/0x930 [ib_core] [] ib_cache_update.part.0+0x6d8/0x910 [ib_core] [] ib_cache_setup_one+0x24a/0x350 [ib_core] [] ib_register_device+0x9e/0x3a0 [ib_core] [] 0xffffffffc2a3d389 [] nldev_newlink+0x2b8/0x520 [ib_core] [] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core] [] rdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core] [] netlink_unicast+0x445/0x710 [] netlink_sendmsg+0x761/0xc40 [] __sys_sendto+0x3a9/0x420 [] __x64_sys_sendto+0xdc/0x1b0 [] do_syscall_64+0x93/0x180 [] entry_SYSCALL_64_after_hwframe+0x71/0x79
The root cause: rdma_put_gid_attr is not called when sgid_attr is set to ERR_PTR(-ENODEV).
{
"affected": [],
"aliases": [
"CVE-2024-38539"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T14:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw\n\nWhen running blktests nvme/rdma, the following kmemleak issue will appear.\n\nkmemleak: Kernel memory leak detector initialized (mempool available:36041)\nkmemleak: Automatic memory scanning thread started\nkmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 8 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 17 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nkmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n\nunreferenced object 0xffff88855da53400 (size 192):\n comm \"rdma\", pid 10630, jiffies 4296575922\n hex dump (first 32 bytes):\n 37 00 00 00 00 00 00 00 c0 ff ff ff 1f 00 00 00 7...............\n 10 34 a5 5d 85 88 ff ff 10 34 a5 5d 85 88 ff ff .4.].....4.]....\n backtrace (crc 47f66721):\n [\u003cffffffff911251bd\u003e] kmalloc_trace+0x30d/0x3b0\n [\u003cffffffffc2640ff7\u003e] alloc_gid_entry+0x47/0x380 [ib_core]\n [\u003cffffffffc2642206\u003e] add_modify_gid+0x166/0x930 [ib_core]\n [\u003cffffffffc2643468\u003e] ib_cache_update.part.0+0x6d8/0x910 [ib_core]\n [\u003cffffffffc2644e1a\u003e] ib_cache_setup_one+0x24a/0x350 [ib_core]\n [\u003cffffffffc263949e\u003e] ib_register_device+0x9e/0x3a0 [ib_core]\n [\u003cffffffffc2a3d389\u003e] 0xffffffffc2a3d389\n [\u003cffffffffc2688cd8\u003e] nldev_newlink+0x2b8/0x520 [ib_core]\n [\u003cffffffffc2645fe3\u003e] rdma_nl_rcv_msg+0x2c3/0x520 [ib_core]\n [\u003cffffffffc264648c\u003e]\nrdma_nl_rcv_skb.constprop.0.isra.0+0x23c/0x3a0 [ib_core]\n [\u003cffffffff9270e7b5\u003e] netlink_unicast+0x445/0x710\n [\u003cffffffff9270f1f1\u003e] netlink_sendmsg+0x761/0xc40\n [\u003cffffffff9249db29\u003e] __sys_sendto+0x3a9/0x420\n [\u003cffffffff9249dc8c\u003e] __x64_sys_sendto+0xdc/0x1b0\n [\u003cffffffff92db0ad3\u003e] do_syscall_64+0x93/0x180\n [\u003cffffffff92e00126\u003e] entry_SYSCALL_64_after_hwframe+0x71/0x79\n\nThe root cause: rdma_put_gid_attr is not called when sgid_attr is set\nto ERR_PTR(-ENODEV).",
"id": "GHSA-vmv4-cp43-whx4",
"modified": "2024-08-26T15:31:13Z",
"published": "2024-06-19T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38539"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3eb127dc408bf7959a4920d04d16ce10e863686a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6564fc1818404254d1c9f7d75b403b4941516d26"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c0731832d3b7420cbadba6a7f334363bc8dfb15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3a7fb93afd888793ef226e9665fbda98a95c48e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMWJ-88GQ-629H
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-08-06 00:00On Juniper Networks Junos OS platforms with link aggregation (lag) configured, executing any operation that fetches Aggregated Ethernet (AE) interface statistics, including but not limited to SNMP GET requests, causes a slow kernel memory leak. If all the available memory is consumed, the traffic will be impacted and a reboot might be required. The following log can be seen if this issue happens. /kernel: rt_pfe_veto: Memory over consumed. Op 1 err 12, rtsm_id 0:-1, msg type 72 /kernel: rt_pfe_veto: free kmem_map memory = (20770816) curproc = kmd An administrator can use the following CLI command to monitor the status of memory consumption (ifstat bucket): user@device > show system virtual-memory no-forwarding | match ifstat Type InUse MemUse HighUse Limit Requests Limit Limit Size(s) ifstat 2588977 162708K - 19633958 <<<< user@device > show system virtual-memory no-forwarding | match ifstat Type InUse MemUse HighUse Limit Requests Limit Limit Size(s) ifstat 3021629 189749K - 22914415 <<<< This issue does not affect the following platforms: Juniper Networks MX Series. Juniper Networks PTX1000-72Q, PTX3000, PTX5000, PTX10001, PTX10002-60C, PTX10003_160C, PTX10003_80C, PTX10003_81CD, PTX10004, PTX10008, PTX10016 Series. Juniper Networks EX9200 Series. Juniper Networks ACX710, ACX6360 Series. Juniper Networks NFX Series. This issue affects Juniper Networks Junos OS: 17.1 versions 17.1R3 and above prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S5; 18.2 versions prior to 18.2R3-S7, 18.2R3-S8; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S7, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R3-S1; 20.1 versions prior to 20.1R2, 20.1R3; 20.2 versions prior to 20.2R2-S2, 20.2R3; 20.3 versions prior to 20.3R1-S2, 20.3R2. This issue does not affect Juniper Networks Junos OS prior to 17.1R3.
{
"affected": [],
"aliases": [
"CVE-2021-0230"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T20:15:00Z",
"severity": "HIGH"
},
"details": "On Juniper Networks Junos OS platforms with link aggregation (lag) configured, executing any operation that fetches Aggregated Ethernet (AE) interface statistics, including but not limited to SNMP GET requests, causes a slow kernel memory leak. If all the available memory is consumed, the traffic will be impacted and a reboot might be required. The following log can be seen if this issue happens. /kernel: rt_pfe_veto: Memory over consumed. Op 1 err 12, rtsm_id 0:-1, msg type 72 /kernel: rt_pfe_veto: free kmem_map memory = (20770816) curproc = kmd An administrator can use the following CLI command to monitor the status of memory consumption (ifstat bucket): user@device \u003e show system virtual-memory no-forwarding | match ifstat Type InUse MemUse HighUse Limit Requests Limit Limit Size(s) ifstat 2588977 162708K - 19633958 \u003c\u003c\u003c\u003c user@device \u003e show system virtual-memory no-forwarding | match ifstat Type InUse MemUse HighUse Limit Requests Limit Limit Size(s) ifstat 3021629 189749K - 22914415 \u003c\u003c\u003c\u003c This issue does not affect the following platforms: Juniper Networks MX Series. Juniper Networks PTX1000-72Q, PTX3000, PTX5000, PTX10001, PTX10002-60C, PTX10003_160C, PTX10003_80C, PTX10003_81CD, PTX10004, PTX10008, PTX10016 Series. Juniper Networks EX9200 Series. Juniper Networks ACX710, ACX6360 Series. Juniper Networks NFX Series. This issue affects Juniper Networks Junos OS: 17.1 versions 17.1R3 and above prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S5; 18.2 versions prior to 18.2R3-S7, 18.2R3-S8; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S7, 18.4R3-S6; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R3-S1; 20.1 versions prior to 20.1R2, 20.1R3; 20.2 versions prior to 20.2R2-S2, 20.2R3; 20.3 versions prior to 20.3R1-S2, 20.3R2. This issue does not affect Juniper Networks Junos OS prior to 17.1R3.",
"id": "GHSA-vmwj-88gq-629h",
"modified": "2022-08-06T00:00:42Z",
"published": "2022-05-24T17:48:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0230"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11125"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP4H-F4MH-8H7M
Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30In the Linux kernel, the following vulnerability has been resolved:
memory: renesas-rpc-if: fix platform-device leak in error path
Make sure to free the flash platform device in the event that registration fails during probe.
{
"affected": [],
"aliases": [
"CVE-2022-49050"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:42Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: renesas-rpc-if: fix platform-device leak in error path\n\nMake sure to free the flash platform device in the event that\nregistration fails during probe.",
"id": "GHSA-vp4h-f4mh-8h7m",
"modified": "2025-09-23T18:30:20Z",
"published": "2025-09-23T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49050"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05d1824a7fb43ab9adb1eb82404954af81d8c984"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66b9b707ea4dcafca92b6261c6924652914e3b73"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b452dbf24d7d9a990d70118462925f6ee287d135"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c089ffc846c85f200db34ad208338f4f81a6d82d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP5V-47WJ-P5R2
Vulnerability from github – Published: 2025-03-06 18:31 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: fix memory leaks and invalid access at probe error path
Deinitialize at reverse order when probe fails.
When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue.
And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked.
Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f ("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").
{
"affected": [],
"aliases": [
"CVE-2024-58063"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T16:15:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: fix memory leaks and invalid access at probe error path\n\nDeinitialize at reverse order when probe fails.\n\nWhen init_sw_vars fails, rtl_deinit_core should not be called, specially\nnow that it destroys the rtl_wq workqueue.\n\nAnd call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be\nleaked.\n\nRemove pci_set_drvdata call as it will already be cleaned up by the core\ndriver code and could lead to memory leaks too. cf. commit 8d450935ae7f\n(\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and\ncommit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\").",
"id": "GHSA-vp5v-47wj-p5r2",
"modified": "2026-05-12T15:30:50Z",
"published": "2025-03-06T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58063"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32acebca0a51f5e372536bfdc0d7d332ab749013"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/455e0f40b5352186a9095f2135d5c89255e7c39a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/624cea89a0865a2bc3e00182a6b0f954a94328b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b76bab5c257463302c9e97f5d84d524457468eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7ceefbfd8d447abc8aca8ab993a942803522c06"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP7P-JJ4C-CJ5H
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.
{
"affected": [],
"aliases": [
"CVE-2016-9913"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-29T22:59:00Z",
"severity": "MODERATE"
},
"details": "Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.",
"id": "GHSA-vp7p-jj4c-cj5h",
"modified": "2022-05-13T01:13:42Z",
"published": "2022-05-13T01:13:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9913"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-49"
},
{
"type": "WEB",
"url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=4774718e5c194026ba5ee7a28d9be49be3080e42"
},
{
"type": "WEB",
"url": "http://git.qemu.org/?p=qemu.git;a=commit;h=4774718e5c194026ba5ee7a28d9be49be3080e42"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/06/11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/12/08/7"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94729"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPJJ-MFGJ-J3MJ
Vulnerability from github – Published: 2024-07-11 18:31 – Updated: 2024-07-12 15:31A Missing Release of Memory after Effective Lifetime vulnerability in the Periodic Packet Management Daemon (ppmd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a
Denial-of-Service (DoS).
When a BFD session configured with authentication flaps, ppmd memory can leak. Whether the leak happens depends on a race condition which is outside the attackers control. This issue only affects BFD operating in distributed aka delegated (which is the default behavior) or inline mode.
Whether the leak occurs can be monitored with the following CLI command:
show ppm request-queue
FPC Pending-request fpc0 2 request-total-pending: 2
where a continuously increasing number of pending requests is indicative of the leak.
This issue affects:
Junos OS:
- All versions before 21.2R3-S8,
- 21.4 versions before 21.4R3-S7,
- 22.1 versions before 22.1R3-S4,
- 22.2 versions before 22.2R3-S4,
- 22.3 versions before 22.3R3,
- 22.4 versions before 22.4R2-S2, 22.4R3,
- 23.1 versions before 23.1R2.
Junos OS Evolved: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-EVO, * 22.4-EVO versions before 22.4R3-EVO, * 23.2-EVO versions before 23.2R1-EVO.
{
"affected": [],
"aliases": [
"CVE-2024-39536"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-11T17:15:11Z",
"severity": "MODERATE"
},
"details": "A Missing Release of Memory after Effective Lifetime vulnerability in the Periodic Packet Management Daemon (ppmd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a \n\nDenial-of-Service (DoS).\n\n\nWhen a\u00a0BFD session configured with authentication flaps,\u00a0ppmd memory can leak. Whether the leak happens depends on a\u00a0race condition which is outside the attackers control. This issue only affects BFD operating in distributed aka delegated (which is the default behavior) or inline mode.\n\n\n\nWhether the leak occurs can be monitored with the following CLI command:\n\n\u003e show ppm request-queue\n\n\nFPC \u00a0 \u00a0 Pending-request\nfpc0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a02\nrequest-total-pending: 2\n\n\nwhere a continuously increasing number of pending requests is indicative of the leak.\u00a0\n\n\n\n\nThis issue affects:\n\nJunos OS:\n\n\n * All versions before 21.2R3-S8,\n * 21.4 versions before 21.4R3-S7,\n * 22.1 versions before 22.1R3-S4,\n * 22.2 versions before 22.2R3-S4,\u00a0\n * 22.3 versions before 22.3R3,\n * 22.4 versions before 22.4R2-S2, 22.4R3,\n * 23.1 versions before 23.1R2.\n\n\n\nJunos OS Evolved:\n * All versions before 21.2R3-S8-EVO,\n * 21.4-EVO versions before 21.4R3-S7-EVO,\n * 22.2-EVO versions before 22.2R3-S4-EVO,\n * 22.3-EVO versions before 22.3R3-EVO,\n * 22.4-EVO versions before 22.4R3-EVO,\n * 23.2-EVO versions before 23.2R1-EVO.",
"id": "GHSA-vpjj-mfgj-j3mj",
"modified": "2024-07-12T15:31:26Z",
"published": "2024-07-11T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39536"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA82996"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VPJP-GFPQ-57C9
Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
Add validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory.
Using coh_none with CPU cached buffers is a security issue. When the kernel clears pages before reallocation, the clear operation stays in CPU cache (dirty). GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes.
This aligns with the existing validation in vm_bind path (xe_vm_bind_ioctl_validate_bo).
v2(Matthew brost) - Add fixes - Move one debug print to better place
v3(Matthew Auld) - Should be drm/xe/uapi - More Cc
v4(Shuicheng Lin) - Fix kmem leak issues by the way
v5 - Remove kmem leak because it has been merged by another patch
v6 - Remove the fix which is not related to current fix
v7 - No change
v8 - Rebase
v9 - Limit the restrictions to iGPU
v10 - No change
(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)
{
"affected": [],
"aliases": [
"CVE-2026-46309"
],
"database_specific": {
"cwe_ids": [
"CWE-401",
"CWE-524"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T17:16:49Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise\n\nAdd validation in xe_vm_madvise_ioctl() to reject PAT indices with\nXE_COH_NONE coherency mode when applied to CPU cached memory.\n\nUsing coh_none with CPU cached buffers is a security issue. When the\nkernel clears pages before reallocation, the clear operation stays in\nCPU cache (dirty). GPU with coh_none can bypass CPU caches and read\nstale sensitive data directly from DRAM, potentially leaking data from\npreviously freed pages of other processes.\n\nThis aligns with the existing validation in vm_bind path\n(xe_vm_bind_ioctl_validate_bo).\n\nv2(Matthew brost)\n- Add fixes\n- Move one debug print to better place\n\nv3(Matthew Auld)\n- Should be drm/xe/uapi\n- More Cc\n\nv4(Shuicheng Lin)\n- Fix kmem leak issues by the way\n\nv5\n- Remove kmem leak because it has been merged by another patch\n\nv6\n- Remove the fix which is not related to current fix\n\nv7\n- No change\n\nv8\n- Rebase\n\nv9\n- Limit the restrictions to iGPU\n\nv10\n- No change\n\n(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)",
"id": "GHSA-vpjp-gfpq-57c9",
"modified": "2026-06-30T03:36:57Z",
"published": "2026-06-08T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46309"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46309"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486468"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87f9b1528e1ffc1da3615d552c9a06aba5e20b00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fea04cf6f2345bc50f15b6638906c35962b89424"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46309.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPMP-Q24V-V7P4
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-08 21:31In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
__radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values.
The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes — xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak.
[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
{
"affected": [],
"aliases": [
"CVE-2026-43041"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak\n\n__radix_tree_create() allocates and links intermediate nodes into the\ntree one by one. If a subsequent allocation fails, the already-linked\nnodes remain in the tree with no corresponding leaf entry. These orphaned\ninternal nodes are never reclaimed because radix_tree_for_each_slot()\nonly visits slots containing leaf values.\n\nThe radix_tree API is deprecated in favor of xarray. As suggested by\nMatthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead\nof fixing the radix_tree itself [1]. xarray properly handles cleanup of\ninternal nodes \u2014 xa_destroy() frees all internal xarray nodes when the\nqrtr_node is released, preventing the leak.\n\n[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/",
"id": "GHSA-vpmp-q24v-v7p4",
"modified": "2026-05-08T21:31:20Z",
"published": "2026-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43041"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fda873092b541bb5a9b87d728a2429f863f8cfa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2428083101f6883f979cceffa76cd8440751ffe6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b75ff0aedd6ade1018ad4a3a9d8336794e36e42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d2249eefaca59908fe3c264b8eca526424dcfbe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69402908e277dd164bf8d7c8fd0513c0fac28e9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2664bc4f0f356f17c2094587a2b3665e3867e44"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2dd9aaf6e2861337f5835f877a5b2becaf4b015"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff134cc43972d7ddceff8cfd36cf6b9eaafc00b3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPP2-6QWW-77R8
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45A flaw was found in Privoxy in versions before 3.0.29. Memory leak when client tags are active can cause a system crash.
{
"affected": [],
"aliases": [
"CVE-2021-20211"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T19:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in Privoxy in versions before 3.0.29. Memory leak when client tags are active can cause a system crash.",
"id": "GHSA-vpp2-6qww-77r8",
"modified": "2022-05-24T17:45:22Z",
"published": "2022-05-24T17:45:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20211"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928733"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-16"
},
{
"type": "WEB",
"url": "https://www.privoxy.org/3.0.29/user-manual/whatsnew.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.