CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
966 vulnerabilities reference this CWE, most recent first.
GHSA-M84J-W2C4-3379
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 21:30In the Linux kernel, the following vulnerability has been resolved:
reset: gpio: fix double free in reset_add_gpio_aux_device() error path
When __auxiliary_device_add() fails, reset_add_gpio_aux_device() calls auxiliary_device_uninit(adev).
The device release callback reset_gpio_aux_device_release() frees adev, but the current error path then calls kfree(adev) again, causing a double free.
Keep kfree(adev) for the auxiliary_device_init() failure path, but avoid freeing adev after auxiliary_device_uninit().
{
"affected": [],
"aliases": [
"CVE-2026-31745"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:37Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: gpio: fix double free in reset_add_gpio_aux_device() error path\n\nWhen __auxiliary_device_add() fails, reset_add_gpio_aux_device()\ncalls auxiliary_device_uninit(adev).\n\nThe device release callback reset_gpio_aux_device_release() frees\nadev, but the current error path then calls kfree(adev) again,\ncausing a double free.\n\nKeep kfree(adev) for the auxiliary_device_init() failure path, but\navoid freeing adev after auxiliary_device_uninit().",
"id": "GHSA-m84j-w2c4-3379",
"modified": "2026-05-07T21:30:24Z",
"published": "2026-05-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31745"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1de465753220deb41569cf2add87bbb0673731db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbffb8c7c7bb4d38e9f65e0bee446685011de5d8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M86Q-CGJ9-94C8
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
tipc: fix double-free in tipc_buf_append()
tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer.
If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free.
Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
{
"affected": [],
"aliases": [
"CVE-2026-52993"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:10Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix double-free in tipc_buf_append()\n\ntipc_msg_validate() can potentially reallocate the skb it is validating,\nfreeing the old one. In tipc_buf_append(), it was being called with a\npointer to a local variable which was a copy of the caller\u0027s skb\npointer.\n\nIf the skb was reallocated and validation subsequently failed, the error\nhandling path would free the original skb pointer, which had already\nbeen freed, leading to double-free.\n\nFix this by checking if head now points to a newly allocated reassembled\nskb. If it does, reassign *headbuf for later freeing operations.",
"id": "GHSA-m86q-cgj9-94c8",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52993"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52993"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492437"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0274f24485fc38032d4093e463dc3ff5c7a667c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1d5e589055880fae229e229e1929e087dbe08cf3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29940fff14110ca48c5ccc168d121665b51bb778"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d104882bc815d4ec666ace9155f5f52715879a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ee4deadaae7cb2e3d53af0fc889cf92a73413c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a438975a6dcdbd70865978c021650d1485586f0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3556656c6daebf8def751c7e71d11dd0a180d24"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52993.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8Q7-4F56-CHP9
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Double free vulnerability in the Theora decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream.
{
"affected": [],
"aliases": [
"CVE-2011-3892"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-11-11T11:55:00Z",
"severity": "HIGH"
},
"details": "Double free vulnerability in the Theora decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream.",
"id": "GHSA-m8q7-4f56-chp9",
"modified": "2022-05-13T01:26:55Z",
"published": "2022-05-13T01:26:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3892"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14484"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=100465"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/46933"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/49089"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2471"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:075"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:076"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M98V-Q78H-PJ87
Vulnerability from github – Published: 2022-06-27 00:00 – Updated: 2022-07-09 00:00rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
{
"affected": [],
"aliases": [
"CVE-2022-34495"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
"id": "GHSA-m98v-q78h-pj87",
"modified": "2022-07-09T00:00:27Z",
"published": "2022-06-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34495"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/c2eecefec5df1306eafce28ccdf1ca159a552ecc"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9C3-V5XG-J7MC
Vulnerability from github – Published: 2024-07-30 09:31 – Updated: 2025-10-07 18:31In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Only free buffer VA that is not NULL
In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called only when the buffer to free exists, there are some instances that didn't do the check and triggered warnings in practice.
We believe those checks were forgotten unintentionally. Add the checks back to fix the warnings.
{
"affected": [],
"aliases": [
"CVE-2023-52888"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T08:15:02Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Only free buffer VA that is not NULL\n\nIn the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly\ncalled only when the buffer to free exists, there are some instances\nthat didn\u0027t do the check and triggered warnings in practice.\n\nWe believe those checks were forgotten unintentionally. Add the checks\nback to fix the warnings.",
"id": "GHSA-m9c3-v5xg-j7mc",
"modified": "2025-10-07T18:31:01Z",
"published": "2024-07-30T09:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52888"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/303d01082edaf817ee2df53a40dca9da637a2c04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c217253c76c94f76d1df31d0bbdcb88dc07be91"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb005c801ec70ff4307727bd3bd6e8280169ef32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MCJ5-769C-6F8G
Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2022-05-14 03:40The Flp Driver in some Huawei smartphones of the software Vicky-AL00AC00B124D, Vicky-AL00AC00B157D, Vicky-AL00AC00B167 has a double free vulnerability. An attacker can trick a user to install a malicious application which has a high privilege to exploit this vulnerability. Successful exploitation may cause denial of service (DoS) attack.
{
"affected": [],
"aliases": [
"CVE-2017-15330"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-15T16:29:00Z",
"severity": "HIGH"
},
"details": "The Flp Driver in some Huawei smartphones of the software Vicky-AL00AC00B124D, Vicky-AL00AC00B157D, Vicky-AL00AC00B167 has a double free vulnerability. An attacker can trick a user to install a malicious application which has a high privilege to exploit this vulnerability. Successful exploitation may cause denial of service (DoS) attack.",
"id": "GHSA-mcj5-769c-6f8g",
"modified": "2022-05-14T03:40:01Z",
"published": "2022-05-14T03:40:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15330"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171206-01-smartphone-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MCVJ-6JJV-7HW9
Vulnerability from github – Published: 2024-04-28 15:30 – Updated: 2025-01-10 18:31In the Linux kernel, the following vulnerability has been resolved:
mm/slab_common: fix possible double free of kmem_cache
When doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu' kunit test case cause a use-after-free error:
BUG: KASAN: use-after-free in kobject_del+0x14/0x30 Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261
CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x48 print_address_description.constprop.0+0x87/0x2a5 print_report+0x103/0x1ed kasan_report+0xb7/0x140 kobject_del+0x14/0x30 kmem_cache_destroy+0x130/0x170 test_exit+0x1a/0x30 kunit_try_run_case+0xad/0xc0 kunit_generic_run_threadfn_adapter+0x26/0x50 kthread+0x17b/0x1b0
The cause is inside kmem_cache_destroy():
kmem_cache_destroy acquire lock/mutex shutdown_cache schedule_work(kmem_cache_release) (if RCU flag set) release lock/mutex kmem_cache_release (if RCU flag not set)
In some certain timing, the scheduled work could be run before the next RCU flag checking, which can then get a wrong value and lead to double kmem_cache_release().
Fix it by caching the RCU flag inside protected area, just like 'refcnt'
{
"affected": [],
"aliases": [
"CVE-2022-48649"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-28T13:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix possible double free of kmem_cache\n\nWhen doing slub_debug test, kfence\u0027s \u0027test_memcache_typesafe_by_rcu\u0027\nkunit test case cause a use-after-free error:\n\n BUG: KASAN: use-after-free in kobject_del+0x14/0x30\n Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261\n\n CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x48\n print_address_description.constprop.0+0x87/0x2a5\n print_report+0x103/0x1ed\n kasan_report+0xb7/0x140\n kobject_del+0x14/0x30\n kmem_cache_destroy+0x130/0x170\n test_exit+0x1a/0x30\n kunit_try_run_case+0xad/0xc0\n kunit_generic_run_threadfn_adapter+0x26/0x50\n kthread+0x17b/0x1b0\n \u003c/TASK\u003e\n\nThe cause is inside kmem_cache_destroy():\n\nkmem_cache_destroy\n acquire lock/mutex\n shutdown_cache\n schedule_work(kmem_cache_release) (if RCU flag set)\n release lock/mutex\n kmem_cache_release (if RCU flag not set)\n\nIn some certain timing, the scheduled work could be run before\nthe next RCU flag checking, which can then get a wrong value\nand lead to double kmem_cache_release().\n\nFix it by caching the RCU flag inside protected area, just like \u0027refcnt\u0027",
"id": "GHSA-mcvj-6jjv-7hw9",
"modified": "2025-01-10T18:31:37Z",
"published": "2024-04-28T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48649"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH4C-HQR8-MC3F
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:50nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse.
{
"affected": [],
"aliases": [
"CVE-2017-18594"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-29T00:15:00Z",
"severity": "HIGH"
},
"details": "nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \\n character to ssh-brute.nse or ssh-auth-methods.nse.",
"id": "GHSA-mh4c-hqr8-mc3f",
"modified": "2024-04-04T01:50:23Z",
"published": "2022-05-24T16:55:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18594"
},
{
"type": "WEB",
"url": "https://github.com/nmap/nmap/issues/1077"
},
{
"type": "WEB",
"url": "https://github.com/nmap/nmap/issues/1227"
},
{
"type": "WEB",
"url": "https://github.com/nmap/nmap/commit/350bbe0597d37ad67abe5fef8fba984707b4e9ad"
},
{
"type": "WEB",
"url": "https://github.com/AMatchandaHaystack/Research/blob/master/Nmap%26libsshDF"
},
{
"type": "WEB",
"url": "https://seclists.org/nmap-announce/2019/0"
},
{
"type": "WEB",
"url": "https://seclists.org/nmap-dev/2018/q2/45"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00073.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00075.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH5F-M889-7RW3
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:34Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a cached block of data when listing files in a crafted ext4 filesystem.
{
"affected": [],
"aliases": [
"CVE-2019-13105"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-06T20:15:00Z",
"severity": "HIGH"
},
"details": "Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a cached block of data when listing files in a crafted ext4 filesystem.",
"id": "GHSA-mh5f-m889-7rw3",
"modified": "2024-04-04T01:34:02Z",
"published": "2022-05-24T16:52:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13105"
},
{
"type": "WEB",
"url": "https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75"
},
{
"type": "WEB",
"url": "https://github.com/u-boot/u-boot/commits/master"
},
{
"type": "WEB",
"url": "https://lists.denx.de/pipermail/u-boot/2019-July/375513.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHMM-R9X5-V638
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2022-04-30 00:02Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2 before v0.26.2, which allows an attacker to cause a denial of service via a crafted repository index file.
{
"affected": [],
"aliases": [
"CVE-2018-8099"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T00:29:00Z",
"severity": "MODERATE"
},
"details": "Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2 before v0.26.2, which allows an attacker to cause a denial of service via a crafted repository index file.",
"id": "GHSA-mhmm-r9x5-v638",
"modified": "2022-04-30T00:02:19Z",
"published": "2022-04-30T00:02:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8099"
},
{
"type": "WEB",
"url": "https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe"
},
{
"type": "WEB",
"url": "https://libgit2.github.com/security"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.