Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-QMFR-QQ4J-JRFC

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-14 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI: hv: Fix double ida_free in hv_pci_probe error path

If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning:

ida_free called for id=28971 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 Call Trace: pci_bus_release_emul_domain_nr+0x17/0x20 pci_release_host_bridge_dev+0x4b/0x60 device_release+0x3b/0xa0 kobject_put+0x8e/0x220 devm_pci_alloc_host_bridge_release+0xe/0x20 devres_release_all+0x9a/0xd0 device_unbind_cleanup+0x12/0xa0 really_probe+0x1c5/0x3f0 vmbus_add_channel_work+0x135/0x1a0

Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T10:16:23Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: hv: Fix double ida_free in hv_pci_probe error path\n\nIf hv_pci_probe() fails after storing the domain number in\nhbus-\u003ebridge-\u003edomain_nr, there is a call to free this domain_nr via\npci_bus_release_emul_domain_nr(), however, during cleanup, the bridge\nrelease callback pci_release_host_bridge_dev() also frees the domain_nr\ncausing ida_free to be called on same ID twice and triggering following\nwarning:\n\n  ida_free called for id=28971 which is not allocated.\n  WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198\n  Call Trace:\n   pci_bus_release_emul_domain_nr+0x17/0x20\n   pci_release_host_bridge_dev+0x4b/0x60\n   device_release+0x3b/0xa0\n   kobject_put+0x8e/0x220\n   devm_pci_alloc_host_bridge_release+0xe/0x20\n   devres_release_all+0x9a/0xd0\n   device_unbind_cleanup+0x12/0xa0\n   really_probe+0x1c5/0x3f0\n   vmbus_add_channel_work+0x135/0x1a0\n\nFix this by letting pci core handle the free domain_nr and remove\nthe explicit free called in pci-hyperv driver.",
  "id": "GHSA-qmfr-qq4j-jrfc",
  "modified": "2026-05-14T21:30:36Z",
  "published": "2026-05-06T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43097"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21bc8e0ba5c2a081b0a2808c976d4c9dbddf1e48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6422dff0e518245019233432b6bccfc30b73e2f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QQ64-7FH7-7HMW

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_free and obj_free).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-01T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_free and obj_free).",
  "id": "GHSA-qq64-7fh7-7hmw",
  "modified": "2022-05-24T19:06:47Z",
  "published": "2022-05-24T19:06:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QRWJ-6QFP-4P9H

Vulnerability from github – Published: 2025-10-21 12:31 – Updated: 2025-10-21 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ath10k: skip ath10k_halt during suspend for driver state RESTARTING

Double free crash is observed when FW recovery(caused by wmi timeout/crash) is followed by immediate suspend event. The FW recovery is triggered by ath10k_core_restart() which calls driver clean up via ath10k_halt(). When the suspend event occurs between the FW recovery, the restart worker thread is put into frozen state until suspend completes. The suspend event triggers ath10k_stop() which again triggers ath10k_halt() The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be called twice(Note: ath10k_htt_rx_alloc was not called by restart worker thread because of its frozen state), causing the crash.

To fix this, during the suspend flow, skip call to ath10k_halt() in ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING. Also, for driver state ATH10K_STATE_RESTARTING, call ath10k_wait_for_suspend() in ath10k_stop(). This is because call to ath10k_wait_for_suspend() is skipped later in [ath10k_halt() > ath10k_core_stop()] for the driver state ATH10K_STATE_RESTARTING.

The frozen restart worker thread will be cancelled during resume when the device comes out of suspend.

Below is the crash stack for reference:

[ 428.469167] ------------[ cut here ]------------ [ 428.469180] kernel BUG at mm/slub.c:4150! [ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 428.469219] Workqueue: events_unbound async_run_entry_fn [ 428.469230] RIP: 0010:kfree+0x319/0x31b [ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246 [ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000 [ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000 [ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000 [ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 428.469285] Call Trace: [ 428.469295] ? dma_free_attrs+0x5f/0x7d [ 428.469320] ath10k_core_stop+0x5b/0x6f [ 428.469336] ath10k_halt+0x126/0x177 [ 428.469352] ath10k_stop+0x41/0x7e [ 428.469387] drv_stop+0x88/0x10e [ 428.469410] __ieee80211_suspend+0x297/0x411 [ 428.469441] rdev_suspend+0x6e/0xd0 [ 428.469462] wiphy_suspend+0xb1/0x105 [ 428.469483] ? name_show+0x2d/0x2d [ 428.469490] dpm_run_callback+0x8c/0x126 [ 428.469511] ? name_show+0x2d/0x2d [ 428.469517] __device_suspend+0x2e7/0x41b [ 428.469523] async_suspend+0x1f/0x93 [ 428.469529] async_run_entry_fn+0x3d/0xd1 [ 428.469535] process_one_work+0x1b1/0x329 [ 428.469541] worker_thread+0x213/0x372 [ 428.469547] kthread+0x150/0x15f [ 428.469552] ? pr_cont_work+0x58/0x58 [ 428.469558] ? kthread_blkcg+0x31/0x31

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:27Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: skip ath10k_halt during suspend for driver state RESTARTING\n\nDouble free crash is observed when FW recovery(caused by wmi\ntimeout/crash) is followed by immediate suspend event. The FW recovery\nis triggered by ath10k_core_restart() which calls driver clean up via\nath10k_halt(). When the suspend event occurs between the FW recovery,\nthe restart worker thread is put into frozen state until suspend completes.\nThe suspend event triggers ath10k_stop() which again triggers ath10k_halt()\nThe double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be\ncalled twice(Note: ath10k_htt_rx_alloc was not called by restart worker\nthread because of its frozen state), causing the crash.\n\nTo fix this, during the suspend flow, skip call to ath10k_halt() in\nath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING.\nAlso, for driver state ATH10K_STATE_RESTARTING, call\nath10k_wait_for_suspend() in ath10k_stop(). This is because call to\nath10k_wait_for_suspend() is skipped later in\n[ath10k_halt() \u003e ath10k_core_stop()] for the driver state\nATH10K_STATE_RESTARTING.\n\nThe frozen restart worker thread will be cancelled during resume when the\ndevice comes out of suspend.\n\nBelow is the crash stack for reference:\n\n[  428.469167] ------------[ cut here ]------------\n[  428.469180] kernel BUG at mm/slub.c:4150!\n[  428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  428.469219] Workqueue: events_unbound async_run_entry_fn\n[  428.469230] RIP: 0010:kfree+0x319/0x31b\n[  428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246\n[  428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000\n[  428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000\n[  428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000\n[  428.469276] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  428.469285] Call Trace:\n[  428.469295]  ? dma_free_attrs+0x5f/0x7d\n[  428.469320]  ath10k_core_stop+0x5b/0x6f\n[  428.469336]  ath10k_halt+0x126/0x177\n[  428.469352]  ath10k_stop+0x41/0x7e\n[  428.469387]  drv_stop+0x88/0x10e\n[  428.469410]  __ieee80211_suspend+0x297/0x411\n[  428.469441]  rdev_suspend+0x6e/0xd0\n[  428.469462]  wiphy_suspend+0xb1/0x105\n[  428.469483]  ? name_show+0x2d/0x2d\n[  428.469490]  dpm_run_callback+0x8c/0x126\n[  428.469511]  ? name_show+0x2d/0x2d\n[  428.469517]  __device_suspend+0x2e7/0x41b\n[  428.469523]  async_suspend+0x1f/0x93\n[  428.469529]  async_run_entry_fn+0x3d/0xd1\n[  428.469535]  process_one_work+0x1b1/0x329\n[  428.469541]  worker_thread+0x213/0x372\n[  428.469547]  kthread+0x150/0x15f\n[  428.469552]  ? pr_cont_work+0x58/0x58\n[  428.469558]  ? kthread_blkcg+0x31/0x31\n\nTested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1",
  "id": "GHSA-qrwj-6qfp-4p9h",
  "modified": "2025-10-21T12:31:26Z",
  "published": "2025-10-21T12:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49519"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5321e5211b5dc873e2e3d0deb749e69ecf4dbfe5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7eb14cb604f49e58b7cf6faa87961a865a3c8649"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8aa3750986ffcf73e0692db3b40dd3a8e8c0c575"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b72a4aff947ba807177bdabb43debaf2c66bee05"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2272428090d0d215a3f017cbbbad731c07eee53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWHP-2GP7-QHFQ

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2025-11-03 21:30
VLAI
Details

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.",
  "id": "GHSA-qwhp-2gp7-qhfq",
  "modified": "2025-11-03T21:30:38Z",
  "published": "2022-02-19T00:01:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4091"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030307"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWWC-F936-V8H7

Vulnerability from github – Published: 2024-10-02 21:30 – Updated: 2024-10-02 21:30
VLAI
Details

Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device.

These vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-02T19:15:13Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device.\n\nThese vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.\nNote: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.",
  "id": "GHSA-qwwc-f936-v8h7",
  "modified": "2024-10-02T21:30:34Z",
  "published": "2024-10-02T21:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20498"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX56-HJGG-8XGM

Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30
VLAI
Details

Windows SMBv3 Server Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T18:15:21Z",
    "severity": "HIGH"
  },
  "details": "Windows SMBv3 Server Remote Code Execution Vulnerability",
  "id": "GHSA-qx56-hjgg-8xgm",
  "modified": "2024-11-12T18:30:58Z",
  "published": "2024-11-12T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43447"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43447"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX6Q-MQG9-4PX7

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()

smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:40Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()\n\nsmb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),\nso we should not call it again after post_sendmsg()\nmoved it to the batch list.",
  "id": "GHSA-qx6q-mqg9-4px7",
  "modified": "2026-04-27T15:30:45Z",
  "published": "2026-04-24T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31608"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ba03f46132b0d1a7bafb86e1ef61951a2254023"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6968c91fab05b8fc4d6700e0cf34472bb422df25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/830de6eeb9db4cb7e758201fb99328ef4ca4b032"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84ff995ae826aa6bbcc6c7b9ea569ff67c021d72"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2H5-JH8M-2Q64

Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-03-03 18:31
VLAI
Details

CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-15T19:16:02Z",
    "severity": "HIGH"
  },
  "details": "CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody.",
  "id": "GHSA-r2h5-jh8m-2q64",
  "modified": "2026-03-03T18:31:26Z",
  "published": "2026-01-15T21:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13844"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-013-04.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R2VP-QCG8-M2F6

Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-17 00:00
VLAI
Details

Adobe Bridge version 11.1.1 (and earlier) is affected by a double free vulnerability when parsing a crafted DCM file, which could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-16T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Bridge version 11.1.1 (and earlier) is affected by a double free vulnerability when parsing a crafted DCM file, which could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.",
  "id": "GHSA-r2vp-qcg8-m2f6",
  "modified": "2022-03-17T00:00:28Z",
  "published": "2022-03-17T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42533"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/bridge/apsb21-94.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R369-MHV6-47FJ

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2017-2897.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-25T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2017-2897.",
  "id": "GHSA-r369-mhv6-47fj",
  "modified": "2022-05-13T01:27:32Z",
  "published": "2022-05-13T01:27:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/evanmiller/libxls/issues/34"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-64"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.