CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-P5F8-J4HP-99X6
Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2023-05-27 06:30The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the avc_compute_poc function in av_parsers.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2021-40570"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-13T18:15:00Z",
"severity": "HIGH"
},
"details": "The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the avc_compute_poc function in av_parsers.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.",
"id": "GHSA-p5f8-j4hp-99x6",
"modified": "2023-05-27T06:30:38Z",
"published": "2022-01-14T00:02:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40570"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1899"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/04dbf08bff4d61948bab80c3f9096ecc60c7f302"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5R5-29J4-G3F7
Vulnerability from github – Published: 2023-03-31 18:30 – Updated: 2023-04-07 03:30hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2023-28464"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-31T16:15:00Z",
"severity": "HIGH"
},
"details": "hci_conn_cleanup in net/bluetooth/hci_conn.c in the Linux kernel through 6.2.9 has a use-after-free (observed in hci_conn_hash_flush) because of calls to hci_dev_put and hci_conn_put. There is a double free that may lead to privilege escalation.",
"id": "GHSA-p5r5-29j4-g3f7",
"modified": "2023-04-07T03:30:19Z",
"published": "2023-03-31T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28464"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm%40gmail.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm@gmail.com"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230517-0004"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/03/28/2"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/03/28/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P5X3-MG6W-JG4C
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2025-08-26 21:30Miniaudio 0.10.35 has a Double free vulnerability that could cause a buffer overflow in ma_default_vfs_close__stdio in miniaudio.h.
{
"affected": [],
"aliases": [
"CVE-2021-34184"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-25T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Miniaudio 0.10.35 has a Double free vulnerability that could cause a buffer overflow in ma_default_vfs_close__stdio in miniaudio.h.",
"id": "GHSA-p5x3-mg6w-jg4c",
"modified": "2025-08-26T21:30:54Z",
"published": "2022-05-24T19:06:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34184"
},
{
"type": "WEB",
"url": "https://github.com/mackron/miniaudio/issues/319"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P63M-CMVW-GF7R
Vulnerability from github – Published: 2026-04-27 18:32 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
mm/kasan: fix double free for kasan pXds
kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument.
This fixes the below double free kasan issue seen with PMEM:
radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages
BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20 Free of addr c0000003c38e0000 by task ndctl/2164
CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries Call Trace: dump_stack_lvl+0x88/0xc4 (unreliable) print_report+0x214/0x63c kasan_report_invalid_free+0xe4/0x110 check_slab_allocation+0x100/0x150 kmem_cache_free+0x128/0x6e0 kasan_remove_zero_shadow+0x9c4/0xa20 memunmap_pages+0x2b8/0x5c0 devm_action_release+0x54/0x70 release_nodes+0xc8/0x1a0 devres_release_all+0xe0/0x140 device_unbind_cleanup+0x30/0x120 device_release_driver_internal+0x3e4/0x450 unbind_store+0xfc/0x110 drv_attr_store+0x78/0xb0 sysfs_kf_write+0x114/0x140 kernfs_fop_write_iter+0x264/0x3f0 vfs_write+0x3bc/0x7d0 ksys_write+0xa4/0x190 system_call_exception+0x190/0x480 system_call_vectored_common+0x15c/0x2ec ---- interrupt: 3000 at 0x7fff93b3d3f4 NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000 REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392) MSR: 800000000280f033 CR: 48888208 XER: 00000000 <...> NIP [00007fff93b3d3f4] 0x7fff93b3d3f4 LR [00007fff93b3d3f4] 0x7fff93b3d3f4 ---- interrupt: 3000
The buggy address belongs to the object at c0000003c38e0000 which belongs to the cache pgtable-2^9 of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [c0000003c38e0000, c0000003c38e1000)
The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:c0000003bfd63e01 flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff) page_type: f5(slab) raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000 head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01 head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected
[ 138.953636] [ T2164] Memory state around the buggy address: [ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953669] [ T2164] ^ [ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 138.953692] [ T2164] ================================================================== [ 138.953701] [ T2164] Disabling lock debugging due to kernel taint
{
"affected": [],
"aliases": [
"CVE-2026-31686"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-27T18:16:53Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kasan: fix double free for kasan pXds\n\nkasan_free_pxd() assumes the page table is always struct page aligned. \nBut that\u0027s not always the case for all architectures. E.g. In case of\npowerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache\nnamed pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let\u0027s just\ndirectly pass the start of the pxd table which is passed as the 1st\nargument.\n\nThis fixes the below double free kasan issue seen with PMEM:\n\nradix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages\n==================================================================\nBUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20\nFree of addr c0000003c38e0000 by task ndctl/2164\n\nCPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY\nHardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries\nCall Trace:\n dump_stack_lvl+0x88/0xc4 (unreliable)\n print_report+0x214/0x63c\n kasan_report_invalid_free+0xe4/0x110\n check_slab_allocation+0x100/0x150\n kmem_cache_free+0x128/0x6e0\n kasan_remove_zero_shadow+0x9c4/0xa20\n memunmap_pages+0x2b8/0x5c0\n devm_action_release+0x54/0x70\n release_nodes+0xc8/0x1a0\n devres_release_all+0xe0/0x140\n device_unbind_cleanup+0x30/0x120\n device_release_driver_internal+0x3e4/0x450\n unbind_store+0xfc/0x110\n drv_attr_store+0x78/0xb0\n sysfs_kf_write+0x114/0x140\n kernfs_fop_write_iter+0x264/0x3f0\n vfs_write+0x3bc/0x7d0\n ksys_write+0xa4/0x190\n system_call_exception+0x190/0x480\n system_call_vectored_common+0x15c/0x2ec\n---- interrupt: 3000 at 0x7fff93b3d3f4\nNIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000\nREGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392)\nMSR: 800000000280f033 \u003cSF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE\u003e CR: 48888208 XER: 00000000\n\u003c...\u003e\nNIP [00007fff93b3d3f4] 0x7fff93b3d3f4\nLR [00007fff93b3d3f4] 0x7fff93b3d3f4\n---- interrupt: 3000\n\n The buggy address belongs to the object at c0000003c38e0000\n which belongs to the cache pgtable-2^9 of size 4096\n The buggy address is located 0 bytes inside of\n 4096-byte region [c0000003c38e0000, c0000003c38e1000)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c\n head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n memcg:c0000003bfd63e01\n flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff)\n page_type: f5(slab)\n raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01\n head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000\n head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01\n head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\n page dumped because: kasan: bad access detected\n\n[ 138.953636] [ T2164] Memory state around the buggy address:\n[ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953661] [ T2164] \u003ec0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953669] [ T2164] ^\n[ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 138.953692] [ T2164] ==================================================================\n[ 138.953701] [ T2164] Disabling lock debugging due to kernel taint",
"id": "GHSA-p63m-cmvw-gf7r",
"modified": "2026-06-01T18:31:28Z",
"published": "2026-04-27T18:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31686"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2277246ea265cdca64ce6fdea4b26cd6ff0ec4db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3298bdf5a878ded06351eb293856fa84e050029e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51d8c78be0c27ddb91bc2c0263941d8b30a47d3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d7b2d5c107a1f6302cf0006d859985e7c3ddd1c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85d98614e089a67dc6faa8ca766fe10a639f82b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a05f77cb227c39c5069aea6f12762a29d1e6c103"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b38237a2ea9c6c19836eee2c57037e1f9f103576"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cec74b2ab7dff866b1d77eaa545b9e8fd14a1f87"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f6204f7ff6aff62ce6242a76982c5ba3a9ded707"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P67W-5H3H-82G5
Vulnerability from github – Published: 2025-10-24 18:30 – Updated: 2025-10-24 18:30In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: fix list double add in uvcg_video_pump
A panic can occur if the endpoint becomes disabled and the uvcg_video_pump adds the request back to the req_free list after it has already been queued to the endpoint. The endpoint complete will add the request back to the req_free list. Invalidate the local request handle once it's been queued.
<6>[ 246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0) <3>[ 246.797078][ T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90. <6>[ 246.797213][ T26] ------------[ cut here ]------------ <2>[ 246.797224][ T26] kernel BUG at lib/list_debug.c:31! <6>[ 246.807073][ T26] Call trace: <6>[ 246.807180][ T26] uvcg_video_pump+0x364/0x38c <6>[ 246.807366][ T26] process_one_work+0x2a4/0x544 <6>[ 246.807394][ T26] worker_thread+0x350/0x784 <6>[ 246.807442][ T26] kthread+0x2ac/0x320
{
"affected": [],
"aliases": [
"CVE-2022-49686"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: fix list double add in uvcg_video_pump\n\nA panic can occur if the endpoint becomes disabled and the\nuvcg_video_pump adds the request back to the req_free list after it has\nalready been queued to the endpoint. The endpoint complete will add the\nrequest back to the req_free list. Invalidate the local request handle\nonce it\u0027s been queued.\n\n\u003c6\u003e[ 246.796704][T13726] configfs-gadget gadget: uvc: uvc_function_set_alt(1, 0)\n\u003c3\u003e[ 246.797078][ T26] list_add double add: new=ffffff878bee5c40, prev=ffffff878bee5c40, next=ffffff878b0f0a90.\n\u003c6\u003e[ 246.797213][ T26] ------------[ cut here ]------------\n\u003c2\u003e[ 246.797224][ T26] kernel BUG at lib/list_debug.c:31!\n\u003c6\u003e[ 246.807073][ T26] Call trace:\n\u003c6\u003e[ 246.807180][ T26] uvcg_video_pump+0x364/0x38c\n\u003c6\u003e[ 246.807366][ T26] process_one_work+0x2a4/0x544\n\u003c6\u003e[ 246.807394][ T26] worker_thread+0x350/0x784\n\u003c6\u003e[ 246.807442][ T26] kthread+0x2ac/0x320",
"id": "GHSA-p67w-5h3h-82g5",
"modified": "2025-10-24T18:30:56Z",
"published": "2025-10-24T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49686"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96163f835e65f8c9897487fac965819f0651d671"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d95ac8b920de1d39525fadc408ce675697626ca6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P7H5-86FQ-J7R3
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-01-07 18:30In the Linux kernel, the following vulnerability has been resolved:
net: atlantic: eliminate double free in error handling logic
Driver has a logic leak in ring data allocation/free, where aq_ring_free could be called multiple times on same ring, if system is under stress and got memory allocation error.
Ring pointer was used as an indicator of failure, but this is not correct since only ring data is allocated/deallocated. Ring itself is an array member.
Changing ring allocation functions to return error code directly. This simplifies error handling and eliminates aq_ring_free on higher layer.
{
"affected": [],
"aliases": [
"CVE-2023-52664"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T14:15:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.",
"id": "GHSA-p7h5-86fq-j7r3",
"modified": "2025-01-07T18:30:43Z",
"published": "2024-05-17T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52664"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8FM-9C82-PW4G
Vulnerability from github – Published: 2026-05-04 15:31 – Updated: 2026-06-30 03:36Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
This issue affects Apache HTTP Server: 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-23918"
],
"database_specific": {
"cwe_ids": [
"CWE-1341",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T15:16:03Z",
"severity": "HIGH"
},
"details": "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue.",
"id": "GHSA-p8fm-9c82-pw4g",
"modified": "2026-06-30T03:36:29Z",
"published": "2026-05-04T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23918"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13938"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-23918"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2465304"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23918.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8GJ-W7RH-3G6F
Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2025-04-20 03:37The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.
{
"affected": [],
"aliases": [
"CVE-2017-9078"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-19T14:29:00Z",
"severity": "HIGH"
},
"details": "The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.",
"id": "GHSA-p8gj-w7rh-3g6f",
"modified": "2025-04-20T03:37:51Z",
"published": "2022-05-13T01:39:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9078"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20191004-0006"
},
{
"type": "WEB",
"url": "http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2017q2/001985.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3859"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8X5-C6C9-8CWX
Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-06 18:30The curl logic that works with SASL authentication could end up cleaning up
the GSASL context twice without clearing the pointer in between, making it
free() the same pointer twice.
{
"affected": [],
"aliases": [
"CVE-2026-8925"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T07:16:24Z",
"severity": "CRITICAL"
},
"details": "The curl logic that works with SASL authentication could end up cleaning up\nthe GSASL context *twice* without clearing the pointer in between, making it\n`free()` the same pointer twice.",
"id": "GHSA-p8x5-c6c9-8cwx",
"modified": "2026-07-06T18:30:47Z",
"published": "2026-07-03T09:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8925"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3735193"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-8925.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-8925.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9FM-3QQ2-RMM2
Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
net: vertexcom: mse102x: Fix possible double free of TX skb
The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, we should free the the temporary skb instead of the original skb. Otherwise the original TX skb pointer would be freed again in mse102x_tx_work(), which leads to crashes:
Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 Hardware name: chargebyte Charge SOM DC-ONE (DT) Workqueue: events mse102x_tx_work [mse102x] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_release_data+0xb8/0x1d8 lr : skb_release_data+0x1ac/0x1d8 sp : ffff8000819a3cc0 x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 x8 : fffffc00001bc008 x7 : 0000000000000000 x6 : 0000000000000008 x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 Call trace: skb_release_data+0xb8/0x1d8 kfree_skb_reason+0x48/0xb0 mse102x_tx_work+0x164/0x35c [mse102x] process_one_work+0x138/0x260 worker_thread+0x32c/0x438 kthread+0x118/0x11c ret_from_fork+0x10/0x20 Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)
{
"affected": [],
"aliases": [
"CVE-2024-50276"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T02:16:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vertexcom: mse102x: Fix possible double free of TX skb\n\nThe scope of the TX skb is wider than just mse102x_tx_frame_spi(),\nso in case the TX skb room needs to be expanded, we should free the\nthe temporary skb instead of the original skb. Otherwise the original\nTX skb pointer would be freed again in mse102x_tx_work(), which leads\nto crashes:\n\n Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP\n CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23\n Hardware name: chargebyte Charge SOM DC-ONE (DT)\n Workqueue: events mse102x_tx_work [mse102x]\n pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_release_data+0xb8/0x1d8\n lr : skb_release_data+0x1ac/0x1d8\n sp : ffff8000819a3cc0\n x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0\n x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff\n x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50\n x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc\n x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000\n x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000\n x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8\n x8 : fffffc00001bc008\n x7 : 0000000000000000 x6 : 0000000000000008\n x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009\n x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n skb_release_data+0xb8/0x1d8\n kfree_skb_reason+0x48/0xb0\n mse102x_tx_work+0x164/0x35c [mse102x]\n process_one_work+0x138/0x260\n worker_thread+0x32c/0x438\n kthread+0x118/0x11c\n ret_from_fork+0x10/0x20\n Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)",
"id": "GHSA-p9fm-3qq2-rmm2",
"modified": "2025-11-04T00:32:03Z",
"published": "2024-11-19T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50276"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1325e838089da25217f4b403318a270fcdf88f34"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f26339b2ed63d1e8e18a18674fb73a392f3660e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cf0e77f5a0aa1ff336aa71743eda55c73902187"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91c9daa21f3ff8668f9e1d6c860024ce7ad64137"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.