Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-29PG-6WGV-66X3

Vulnerability from github – Published: 2024-12-29 09:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ionic: Fix netdev notifier unregister on failure

If register_netdev() fails, then the driver leaks the netdev notifier. Fix this by calling ionic_lif_unregister() on register_netdev() failure. This will also call ionic_lif_unregister_phc() if it has already been registered.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-29T09:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: Fix netdev notifier unregister on failure\n\nIf register_netdev() fails, then the driver leaks the netdev notifier.\nFix this by calling ionic_lif_unregister() on register_netdev()\nfailure. This will also call ionic_lif_unregister_phc() if it has\nalready been registered.",
  "id": "GHSA-29pg-6wgv-66x3",
  "modified": "2025-11-03T21:32:02Z",
  "published": "2024-12-29T09:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56715"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87847938f5708b2509b279369c96572254bcf2ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9590d32e090ea2751e131ae5273859ca22f5ac14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da5736f516a664a9e1ff74902663c64c423045d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da93a12876f8b969df7316dc93aac7e725f88252"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee2e931b2b46de9af7f681258e8ec8e2cd81cfc6"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2C3F-FWWH-C3V4

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

objtool: Fix memory leak in create_static_call_sections()

strdup() allocates memory for key_name. We need to release the memory in the following error paths. Add free() to avoid memory leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:46Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool: Fix memory leak in create_static_call_sections()\n\nstrdup() allocates memory for key_name. We need to release the memory in\nthe following error paths. Add free() to avoid memory leak.",
  "id": "GHSA-2c3f-fwwh-c3v4",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53423"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a75866a5ceff5d4fdd5471e06c4c4d03e0298b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3da73f102309fe29150e5c35acd20dd82063ff67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1368eaea058e451d20ea99ca27e72d9df0d16dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8f63d747bf7c983882a5ea7456a5f84ad3acad5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d131718d9c45d559951f57c4b88209ca407433c4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CFH-53W7-WVX4

Vulnerability from github – Published: 2025-03-14 00:30 – Updated: 2025-03-14 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

habanalabs: fix possible memory leak in MMU DR fini

This patch fixes what seems to be copy paste error.

We will have a memory leak if the host-resident shadow is NULL (which will likely happen as the DR and HR are not dependent).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs: fix possible memory leak in MMU DR fini\n\nThis patch fixes what seems to be copy paste error.\n\nWe will have a memory leak if the host-resident shadow is NULL (which\nwill likely happen as the DR and HR are not dependent).",
  "id": "GHSA-2cfh-53w7-wvx4",
  "modified": "2025-03-14T00:30:48Z",
  "published": "2025-03-14T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49102"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12e49aefda2e04b07604f13e03f40027cbeb0dc6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30058d3a83cfe8c6aacbfe5ab13c01dd0c1799e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d421fb7a9eddd8ce0a05641a3db97283fe20699"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb85eec858c1a5c11d3a0bff403f6440b05b40dc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CHR-7VPH-93PF

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-05-17 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: Fix memory leak in set_ssp_complete

Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list.

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls with individual command handling but missed adding mgmt_pending_free() calls in both error and success paths of set_ssp_complete(). Other completion functions like set_le_complete() were fixed correctly in the same commit.

This causes a memory leak of the mgmt_pending_cmd structure and its associated parameter data for each SSP command that completes.

Add the missing mgmt_pending_free(cmd) calls in both code paths to fix the memory leak. Also fix the same issue in set_advertising_complete().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T16:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete().",
  "id": "GHSA-2chr-7vph-93pf",
  "modified": "2026-05-17T18:30:26Z",
  "published": "2026-02-14T18:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23151"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7e42dc47beb48851bc0008c1e1b79126de9d975"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CRP-R6G2-9C5P

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: iosm: fix memory leak in ipc_wwan_dellink

IOSM driver registers network device without setting the needs_free_netdev flag, and does NOT call free_netdev() when unregisters network device, which causes a memory leak.

This patch sets needs_free_netdev to true when registers network device, which makes netdev subsystem call free_netdev() automatically after unregister_netdevice().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix memory leak in ipc_wwan_dellink\n\nIOSM driver registers network device without setting the\nneeds_free_netdev flag, and does NOT call free_netdev() when\nunregisters network device, which causes a memory leak.\n\nThis patch sets needs_free_netdev to true when registers\nnetwork device, which makes netdev subsystem call free_netdev()\nautomatically after unregister_netdevice().",
  "id": "GHSA-2crp-r6g2-9c5p",
  "modified": "2025-05-07T15:31:25Z",
  "published": "2025-05-01T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49867"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/128514b51a5ba2c82f9e4a106f1c10423907618a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ce2348c2858d723f7fe389dead9b43b08e0944e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f25caaca424703d5a0607310f0452f978f1f78d9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2CXG-HJM3-XMVR

Vulnerability from github – Published: 2024-12-29 12:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING

In fscache_create_volume(), there is a missing memory barrier between the bit-clearing operation and the wake-up operation. This may cause a situation where, after a wake-up, the bit-clearing operation hasn't been detected yet, leading to an indefinite wait. The triggering process is as follows:

[cookie1] [cookie2] [volume_work] fscache_perform_lookup fscache_create_volume fscache_perform_lookup fscache_create_volume fscache_create_volume_work cachefiles_acquire_volume clear_and_wake_up_bit test_and_set_bit test_and_set_bit goto maybe_wait goto no_wait

In the above process, cookie1 and cookie2 has the same volume. When cookie1 enters the -no_wait- process, it will clear the bit and wake up the waiting process. If a barrier is missing, it may cause cookie2 to remain in the -wait- process indefinitely.

In commit 3288666c7256 ("fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work()"), barriers were added to similar operations in fscache_create_volume_work(), but fscache_create_volume() was missed.

By combining the clear and wake operations into clear_and_wake_up_bit() to fix this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-29T12:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING\n\nIn fscache_create_volume(), there is a missing memory barrier between the\nbit-clearing operation and the wake-up operation. This may cause a\nsituation where, after a wake-up, the bit-clearing operation hasn\u0027t been\ndetected yet, leading to an indefinite wait. The triggering process is as\nfollows:\n\n  [cookie1]                [cookie2]                  [volume_work]\nfscache_perform_lookup\n  fscache_create_volume\n                        fscache_perform_lookup\n                          fscache_create_volume\n\t\t\t                        fscache_create_volume_work\n                                                  cachefiles_acquire_volume\n                                                  clear_and_wake_up_bit\n    test_and_set_bit\n                            test_and_set_bit\n                              goto maybe_wait\n      goto no_wait\n\nIn the above process, cookie1 and cookie2 has the same volume. When cookie1\nenters the -no_wait- process, it will clear the bit and wake up the waiting\nprocess. If a barrier is missing, it may cause cookie2 to remain in the\n-wait- process indefinitely.\n\nIn commit 3288666c7256 (\"fscache: Use clear_and_wake_up_bit() in\nfscache_create_volume_work()\"), barriers were added to similar operations\nin fscache_create_volume_work(), but fscache_create_volume() was missed.\n\nBy combining the clear and wake operations into clear_and_wake_up_bit() to\nfix this issue.",
  "id": "GHSA-2cxg-hjm3-xmvr",
  "modified": "2025-11-03T21:32:02Z",
  "published": "2024-12-29T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56755"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22f9400a6f3560629478e0a64247b8fcc811a24d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/539fabba965e119b98066fc6ba5257b5eaf4eda2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8beb682cc9a0798a280bbb95e3e41617237090b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cc1df3113cb71a0df2c46dd5b102c9e11c8a8c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddab02607eed9e415dc62fde421d4329e5345315"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2F2X-8MWP-P2GC

Vulnerability from github – Published: 2026-02-12 15:29 – Updated: 2026-02-12 22:07
VLAI
Summary
webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map
Details

Summary

An attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources.

Details

webtransport-go maintains an internal map tracking WebTransport streams (both unidirectional and bidirectional) belonging to a session. In affected versions, entries for closed streams were not removed from this map, causing the map to grow indefinitely as streams were created and closed.

A malicious peer can exploit this by opening large numbers of streams and closing them, leading to steady memory growth proportional to the number of closed streams.

The Fix

webtransport-go now removes closed streams from the internal map upon closure. This allows the associated resources to be garbage collected, bounding memory usage to active streams only.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/webtransport-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-459"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-12T15:29:11Z",
    "nvd_published_at": "2026-02-12T19:15:51Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nAn attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources.\n\n## Details\nwebtransport-go maintains an internal map tracking WebTransport streams (both unidirectional and bidirectional) belonging to a session. In affected versions, entries for closed streams were not removed from this map, causing the map to grow indefinitely as streams were created and closed.\n\nA malicious peer can exploit this by opening large numbers of streams and closing them, leading to steady memory growth proportional to the number of closed streams.\n\n## The Fix\nwebtransport-go now removes closed streams from the internal map upon closure. This allows the associated resources to be garbage collected, bounding memory usage to active streams only.",
  "id": "GHSA-2f2x-8mwp-p2gc",
  "modified": "2026-02-12T22:07:42Z",
  "published": "2026-02-12T15:29:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21438"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quic-go/webtransport-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map"
}

GHSA-2F5J-PRVF-GF42

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

** DISPUTED ** An issue has been found in HTSlib 1.8. It is a memory leak in fai_read in faidx.c. NOTE: This has been disputed with the assertion that this vulnerability exists in the test harness and HTSlib users would be aware of the need to destruct this object returned by fai_load() in their own code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-13844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** An issue has been found in HTSlib 1.8. It is a memory leak in fai_read in faidx.c. NOTE: This has been disputed with the assertion that this vulnerability exists in the test harness and HTSlib users would be aware of the need to destruct this object returned by fai_load() in their own code.",
  "id": "GHSA-2f5j-prvf-gf42",
  "modified": "2022-05-13T01:02:09Z",
  "published": "2022-05-13T01:02:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samtools/htslib/issues/731#issuecomment-403675330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2F9C-GCWW-48V7

Vulnerability from github – Published: 2024-06-20 12:31 – Updated: 2025-09-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Forcibly leave nested virt when SMM state is toggled

Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated.

Don't attempt to gracefully handle the transition as (a) most transitions are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede KVM_SET_NESTED_STATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active.

Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state.

WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Modules linked in: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Call Trace: kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline] kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline] kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline] kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273 __fput+0x286/0x9f0 fs/file_table.c:311 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xb29/0x2a30 kernel/exit.c:806 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 get_signal+0x4b0/0x28c0 kernel/signal.c:2862 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Forcibly leave nested virt when SMM state is toggled\n\nForcibly leave nested virtualization operation if userspace toggles SMM\nstate via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS.  If userspace\nforces the vCPU out of SMM while it\u0027s post-VMXON and then injects an SMI,\nvmx_enter_smm() will overwrite vmx-\u003enested.smm.vmxon and end up with both\nvmxon=false and smm.vmxon=false, but all other nVMX state allocated.\n\nDon\u0027t attempt to gracefully handle the transition as (a) most transitions\nare nonsencial, e.g. forcing SMM while L2 is running, (b) there isn\u0027t\nsufficient information to handle all transitions, e.g. SVM wants access\nto the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede\nKVM_SET_NESTED_STATE during state restore as the latter disallows putting\nthe vCPU into L2 if SMM is active, and disallows tagging the vCPU as\nbeing post-VMXON in SMM if SMM is not active.\n\nAbuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX\ndue to failure to free vmcs01\u0027s shadow VMCS, but the bug goes far beyond\njust a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU\nin an architecturally impossible state.\n\n  WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n  WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n  Modules linked in:\n  CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n  RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n  Code: \u003c0f\u003e 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00\n  Call Trace:\n   \u003cTASK\u003e\n   kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123\n   kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]\n   kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460\n   kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]\n   kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676\n   kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]\n   kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250\n   kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273\n   __fput+0x286/0x9f0 fs/file_table.c:311\n   task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n   exit_task_work include/linux/task_work.h:32 [inline]\n   do_exit+0xb29/0x2a30 kernel/exit.c:806\n   do_group_exit+0xd2/0x2f0 kernel/exit.c:935\n   get_signal+0x4b0/0x28c0 kernel/signal.c:2862\n   arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868\n   handle_signal_work kernel/entry/common.c:148 [inline]\n   exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n   exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n   syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n   do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   \u003c/TASK\u003e",
  "id": "GHSA-2f9c-gcww-48v7",
  "modified": "2025-09-17T18:31:14Z",
  "published": "2024-06-20T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48763"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/080dbe7e9b86a0392d8dffc00d9971792afc121f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4c0d89c92e957ecccce12e66b63875d0cc7af7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e302786233e6bc512986d007c96458ccf5ca21c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7e570780efc5cec9b2ed1e0472a7da14e864fdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FM5-X4WV-3P5G

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()

The cmd_buff needs to be freed when error happened in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()\n\nThe cmd_buff needs to be freed when error happened in\ndpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().",
  "id": "GHSA-2fm5-x4wv-3p5g",
  "modified": "2024-10-24T15:31:08Z",
  "published": "2024-10-21T21:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48957"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4fad22a1281c500f15b172c9d261eff347ca634b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54d830e24247fa8361b016dd2069362866f45cb6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/785ee7a82297e1512d9061aae91699212ed65796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.