Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-3C28-G28M-GM93

Vulnerability from github – Published: 2026-04-30 12:33 – Updated: 2026-05-06 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix double free via VMA splitting

privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback.

Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls: - xen_unmap_domain_gfn_range() - xen_free_unpopulated_pages() - kvfree(pages)

The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free.

Fix this issue by adding a .may_split callback denying the VMA split.

This is XSA-487 / CVE-2026-31787

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T11:16:21Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787",
  "id": "GHSA-3c28-g28m-gm93",
  "modified": "2026-05-06T21:31:31Z",
  "published": "2026-04-30T12:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31787"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-487.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3C4M-3XHW-2CR2

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-01-10 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fix a double-free in si_dpm_init

When the allocation of adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, amdgpu_free_extended_power_table is called to free some fields of adev. However, when the control flow returns to si_dpm_sw_init, it goes to label dpm_failed and calls si_dpm_fini, which calls amdgpu_free_extended_power_table again and free those fields again. Thus a double-free is triggered.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T15:15:20Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix a double-free in si_dpm_init\n\nWhen the allocation of\nadev-\u003epm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails,\namdgpu_free_extended_power_table is called to free some fields of adev.\nHowever, when the control flow returns to si_dpm_sw_init, it goes to\nlabel dpm_failed and calls si_dpm_fini, which calls\namdgpu_free_extended_power_table again and free those fields again. Thus\na double-free is triggered.",
  "id": "GHSA-3c4m-3xhw-2cr2",
  "modified": "2025-01-10T18:31:37Z",
  "published": "2024-05-17T15:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52691"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06d95c99d5a4f5accdb79464076efe62e668c706"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2bf47c89bbaca2bae16581ef1b28aaec0ade0334"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac16667237a82e2597e329eb9bc520d1cf9dff30"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/afe9f5b871f86d58ecdc45b217b662227d7890d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca8e2e251c65e5a712f6025e27bd9b26d16e6f4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f957a1be647f7fc65926cbf572992ec2747a93f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb1936cb587262cd539e84b34541abb06e42b2f9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CFF-W54F-J96W

Vulnerability from github – Published: 2026-03-05 09:30 – Updated: 2026-03-06 00:31
VLAI
Details

Double free vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T08:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Double free vulnerability in the window module.\u00a0Impact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-3cff-w54f-j96w",
  "modified": "2026-03-06T00:31:30Z",
  "published": "2026-03-05T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28537"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2026/3"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3F9F-WFF5-C5PP

Vulnerability from github – Published: 2024-02-27 21:31 – Updated: 2024-04-10 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails

When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a following device remove will cause a double free.

E.g. (dmesg): device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device device-mapper: ioctl: unable to set up device queue for new table. Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0305e098835de000 TEID: 0305e098835de803 Fault in home space mode while using kernel ASCE. AS:000000025efe0007 R3:0000000000000024 Oops: 0038 ilc:3 [#1] SMP Modules linked in: ... lots of modules ... Supported: Yes, External CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G W X 5.3.18-53-default #1 SLE15-SP3 Hardware name: IBM 8561 T01 7I2 (LPAR) Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000 000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000 000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640 00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8 Krnl Code: 000000025e368eb8: c4180041e100 lgrl %r1,25eba50b8 000000025e368ebe: ecba06b93a55 risbg %r11,%r10,6,185,58 #000000025e368ec4: e3b010000008 ag %r11,0(%r1) >000000025e368eca: e310b0080004 lg %r1,8(%r11) 000000025e368ed0: a7110001 tmll %r1,1 000000025e368ed4: a7740129 brc 7,25e369126 000000025e368ed8: e320b0080004 lg %r2,8(%r11) 000000025e368ede: b904001b lgr %r1,%r11 Call Trace: [<000000025e368eca>] kfree+0x42/0x330 [<000000025e5202a2>] blk_mq_free_tag_set+0x72/0xb8 [<000003ff801316a8>] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod] [<000003ff80120082>] free_dev+0x52/0xd0 [dm_mod] [<000003ff801233f0>] __dm_destroy+0x150/0x1d0 [dm_mod] [<000003ff8012bb9a>] dev_remove+0x162/0x1c0 [dm_mod] [<000003ff8012a988>] ctl_ioctl+0x198/0x478 [dm_mod] [<000003ff8012ac8a>] dm_ctl_ioctl+0x22/0x38 [dm_mod] [<000000025e3b11ee>] ksys_ioctl+0xbe/0xe0 [<000000025e3b127a>] __s390x_sys_ioctl+0x2a/0x40 [<000000025e8c15ac>] system_call+0xd8/0x2c8 Last Breaking-Event-Address: [<000000025e52029c>] blk_mq_free_tag_set+0x6c/0xb8 Kernel panic - not syncing: Fatal exception: panic_on_oops

When allocation/initialization of the blk_mq_tag_set fails in dm_mq_init_request_queue(), it is uninitialized/freed, but the pointer is not reset to NULL; so when dev_remove() later gets into dm_mq_cleanup_mapped_device() it sees the pointer and tries to uninitialize and free it again.

Fix this by setting the pointer to NULL in dm_mq_init_request_queue() error-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-27T19:04:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm rq: fix double free of blk_mq_tag_set in dev remove after table load fails\n\nWhen loading a device-mapper table for a request-based mapped device,\nand the allocation/initialization of the blk_mq_tag_set for the device\nfails, a following device remove will cause a double free.\n\nE.g. (dmesg):\n  device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device\n  device-mapper: ioctl: unable to set up device queue for new table.\n  Unable to handle kernel pointer dereference in virtual kernel address space\n  Failing address: 0305e098835de000 TEID: 0305e098835de803\n  Fault in home space mode while using kernel ASCE.\n  AS:000000025efe0007 R3:0000000000000024\n  Oops: 0038 ilc:3 [#1] SMP\n  Modules linked in: ... lots of modules ...\n  Supported: Yes, External\n  CPU: 0 PID: 7348 Comm: multipathd Kdump: loaded Tainted: G        W      X    5.3.18-53-default #1 SLE15-SP3\n  Hardware name: IBM 8561 T01 7I2 (LPAR)\n  Krnl PSW : 0704e00180000000 000000025e368eca (kfree+0x42/0x330)\n             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n  Krnl GPRS: 000000000000004a 000000025efe5230 c1773200d779968d 0000000000000000\n             000000025e520270 000000025e8d1b40 0000000000000003 00000007aae10000\n             000000025e5202a2 0000000000000001 c1773200d779968d 0305e098835de640\n             00000007a8170000 000003ff80138650 000000025e5202a2 000003e00396faa8\n  Krnl Code: 000000025e368eb8: c4180041e100       lgrl    %r1,25eba50b8\n             000000025e368ebe: ecba06b93a55       risbg   %r11,%r10,6,185,58\n            #000000025e368ec4: e3b010000008       ag      %r11,0(%r1)\n            \u003e000000025e368eca: e310b0080004       lg      %r1,8(%r11)\n             000000025e368ed0: a7110001           tmll    %r1,1\n             000000025e368ed4: a7740129           brc     7,25e369126\n             000000025e368ed8: e320b0080004       lg      %r2,8(%r11)\n             000000025e368ede: b904001b           lgr     %r1,%r11\n  Call Trace:\n   [\u003c000000025e368eca\u003e] kfree+0x42/0x330\n   [\u003c000000025e5202a2\u003e] blk_mq_free_tag_set+0x72/0xb8\n   [\u003c000003ff801316a8\u003e] dm_mq_cleanup_mapped_device+0x38/0x50 [dm_mod]\n   [\u003c000003ff80120082\u003e] free_dev+0x52/0xd0 [dm_mod]\n   [\u003c000003ff801233f0\u003e] __dm_destroy+0x150/0x1d0 [dm_mod]\n   [\u003c000003ff8012bb9a\u003e] dev_remove+0x162/0x1c0 [dm_mod]\n   [\u003c000003ff8012a988\u003e] ctl_ioctl+0x198/0x478 [dm_mod]\n   [\u003c000003ff8012ac8a\u003e] dm_ctl_ioctl+0x22/0x38 [dm_mod]\n   [\u003c000000025e3b11ee\u003e] ksys_ioctl+0xbe/0xe0\n   [\u003c000000025e3b127a\u003e] __s390x_sys_ioctl+0x2a/0x40\n   [\u003c000000025e8c15ac\u003e] system_call+0xd8/0x2c8\n  Last Breaking-Event-Address:\n   [\u003c000000025e52029c\u003e] blk_mq_free_tag_set+0x6c/0xb8\n  Kernel panic - not syncing: Fatal exception: panic_on_oops\n\nWhen allocation/initialization of the blk_mq_tag_set fails in\ndm_mq_init_request_queue(), it is uninitialized/freed, but the pointer\nis not reset to NULL; so when dev_remove() later gets into\ndm_mq_cleanup_mapped_device() it sees the pointer and tries to\nuninitialize and free it again.\n\nFix this by setting the pointer to NULL in dm_mq_init_request_queue()\nerror-handling. Also set it to NULL in dm_mq_cleanup_mapped_device().",
  "id": "GHSA-3f9f-wff5-c5pp",
  "modified": "2024-04-10T21:30:28Z",
  "published": "2024-02-27T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46938"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1cb02dc76f4c0a2749a02b26469512d6984252e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6086f957416a6e87236c06079fcaba7a3998aeca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/772b9f59657665af3b68d24d12b9d172d31f0dfb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ae0185255eaf05bd66f4215c81e99bf01140fd9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e947c8f4a5620df77e43c9c75310dc510250166"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a992a283c0b77d0a7c2c348add0e6a21fb1dab67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b42c0a33dfdd451d9be62dd5de58c39f2750b6e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d757bf4c69cda3c3ab7f775dfabbf5a80e2f6f9d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FV2-9G2F-63H7

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-0312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-01-28T22:59:00Z",
    "severity": "HIGH"
  },
  "details": "Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.",
  "id": "GHSA-3fv2-9g2f-63h7",
  "modified": "2022-05-13T01:06:44Z",
  "published": "2022-05-13T01:06:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0312"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100394"
    },
    {
      "type": "WEB",
      "url": "https://technet.microsoft.com/library/security/2755801"
    },
    {
      "type": "WEB",
      "url": "http://helpx.adobe.com/security/products/flash-player/apsb15-03.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/62432"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/62543"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/62660"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/72343"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031634"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3G4V-P46Q-RP5H

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32
VLAI
Details

Double-free vulnerability in the RSMC module Impact: Successful exploitation of this vulnerability will affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T14:22:04Z",
    "severity": "MODERATE"
  },
  "details": "Double-free vulnerability in the RSMC module\nImpact: Successful exploitation of this vulnerability will affect availability.",
  "id": "GHSA-3g4v-p46q-rp5h",
  "modified": "2024-05-14T15:32:51Z",
  "published": "2024-05-14T15:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52383"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/5"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202405-0000001902628049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3G82-R8F2-R5VQ

Vulnerability from github – Published: 2022-05-14 02:21 – Updated: 2022-05-14 02:21
VLAI
Details

Dave Gamble cJSON version 1.7.2 and earlier contains a CWE-415: Double Free vulnerability in cJSON library that can result in Possible crash or RCE. This attack appear to be exploitable via Attacker must be able to force victim to print JSON data, depending on how cJSON library is used this could be either local or over a network. This vulnerability appears to have been fixed in 1.7.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-20T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Dave Gamble cJSON version 1.7.2 and earlier contains a CWE-415: Double Free vulnerability in cJSON library that can result in Possible crash or RCE. This attack appear to be exploitable via Attacker must be able to force victim to print JSON data, depending on how cJSON library is used this could be either local or over a network. This vulnerability appears to have been fixed in 1.7.3.",
  "id": "GHSA-3g82-r8f2-r5vq",
  "modified": "2022-05-14T02:21:24Z",
  "published": "2022-05-14T02:21:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DaveGamble/cJSON/issues/241"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3J5R-RX9M-43H3

Vulnerability from github – Published: 2022-01-13 00:00 – Updated: 2022-01-20 00:02
VLAI
Details

A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-12T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).",
  "id": "GHSA-3j5r-rx9m-43h3",
  "modified": "2022-01-20T00:02:17Z",
  "published": "2022-01-13T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37529"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/mcj/tickets/125"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3M5C-7HQX-55X7

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-12-07T21:00:00Z",
    "severity": "HIGH"
  },
  "details": "Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.",
  "id": "GHSA-3m5c-7hqx-55x7",
  "modified": "2022-05-13T01:24:53Z",
  "published": "2022-05-13T01:24:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4494"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11916"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/chromium/issues/detail?id=63444"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2010/12/stable-beta-channel-updates.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2011//Mar/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2011//Mar/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2011/Mar/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055775.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=139447903326211\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0217.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/40775"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42472"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42721"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42762"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4554"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4564"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4566"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4581"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2137"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:260"
    },
    {
      "type": "WEB",
      "url": "http://www.openoffice.org/security/cves/CVE-2010-4008_CVE-2010-4494.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-1749.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3319"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/3336"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0230"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3MCM-H8QP-66GM

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2024-06-03 18:55
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()

When unregister pd capabilitie in tcpm, KASAN will capture below double -free issue. The root cause is the same capabilitiy will be kfreed twice, the first time is kfreed by pd_capabilities_release() and the second time is explicitly kfreed by tcpm_port_unregister_pd().

[ 3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc [ 3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10 [ 4.001206] [ 4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53 [ 4.012402] Hardware name: Freescale i.MX8QXP MEK (DT) [ 4.017569] Workqueue: events_unbound deferred_probe_work_func [ 4.023456] Call trace: [ 4.025920] dump_backtrace+0x94/0xec [ 4.029629] show_stack+0x18/0x24 [ 4.032974] dump_stack_lvl+0x78/0x90 [ 4.036675] print_report+0xfc/0x5c0 [ 4.040289] kasan_report_invalid_free+0xa0/0xc0 [ 4.044937] __kasan_slab_free+0x124/0x154 [ 4.049072] kfree+0xb4/0x1e8 [ 4.052069] tcpm_port_unregister_pd+0x1a4/0x3dc [ 4.056725] tcpm_register_port+0x1dd0/0x2558 [ 4.061121] tcpci_register_port+0x420/0x71c [ 4.065430] tcpci_probe+0x118/0x2e0

To fix the issue, this will remove kree() from tcpm_port_unregister_pd().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:07Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: fix double-free issue in tcpm_port_unregister_pd()\n\nWhen unregister pd capabilitie in tcpm, KASAN will capture below double\n-free issue. The root cause is the same capabilitiy will be kfreed twice,\nthe first time is kfreed by pd_capabilities_release() and the second time\nis explicitly kfreed by tcpm_port_unregister_pd().\n\n[    3.988059] BUG: KASAN: double-free in tcpm_port_unregister_pd+0x1a4/0x3dc\n[    3.995001] Free of addr ffff0008164d3000 by task kworker/u16:0/10\n[    4.001206]\n[    4.002712] CPU: 2 PID: 10 Comm: kworker/u16:0 Not tainted 6.8.0-rc5-next-20240220-05616-g52728c567a55 #53\n[    4.012402] Hardware name: Freescale i.MX8QXP MEK (DT)\n[    4.017569] Workqueue: events_unbound deferred_probe_work_func\n[    4.023456] Call trace:\n[    4.025920]  dump_backtrace+0x94/0xec\n[    4.029629]  show_stack+0x18/0x24\n[    4.032974]  dump_stack_lvl+0x78/0x90\n[    4.036675]  print_report+0xfc/0x5c0\n[    4.040289]  kasan_report_invalid_free+0xa0/0xc0\n[    4.044937]  __kasan_slab_free+0x124/0x154\n[    4.049072]  kfree+0xb4/0x1e8\n[    4.052069]  tcpm_port_unregister_pd+0x1a4/0x3dc\n[    4.056725]  tcpm_register_port+0x1dd0/0x2558\n[    4.061121]  tcpci_register_port+0x420/0x71c\n[    4.065430]  tcpci_probe+0x118/0x2e0\n\nTo fix the issue, this will remove kree() from tcpm_port_unregister_pd().",
  "id": "GHSA-3mcm-h8qp-66gm",
  "modified": "2024-06-03T18:55:50Z",
  "published": "2024-05-01T06:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26932"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/242e425ed580b2f4dbcb86c8fc03a410a4084a69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b63f90487bdf93a4223ce7853d14717e9d452856"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.