Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-RFWW-WWGQ-55V3

Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30
VLAI
Details

libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-20T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar-\u003elzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.",
  "id": "GHSA-rfww-wwgq-55v3",
  "modified": "2022-05-13T01:30:43Z",
  "published": "2022-05-13T01:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libarchive/libarchive/pull/1105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libarchive/libarchive/pull/1105/commits/021efa522ad729ff0f5806c4ce53e4a6cc1daa31"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2298"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3698"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3859-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4360"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106324"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG5H-FXW6-HP6R

Vulnerability from github – Published: 2021-12-22 00:00 – Updated: 2022-01-05 00:02
VLAI
Details

A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which could cause a Denail of Service via a crafted file in the MP4Box command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-21T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which could cause a Denail of Service via a crafted file in the MP4Box command.",
  "id": "GHSA-rg5h-fxw6-hp6r",
  "modified": "2022-01-05T00:02:06Z",
  "published": "2021-12-22T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45288"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1956"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RGVF-J3X5-6277

Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2025-05-03 00:30
VLAI
Details

A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.",
  "id": "GHSA-rgvf-j3x5-6277",
  "modified": "2025-05-03T00:30:32Z",
  "published": "2024-04-09T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3446"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6964"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-3446"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274211"
    },
    {
      "type": "WEB",
      "url": "https://patchew.org/QEMU/20240409105537.18308-1-philmd@linaro.org"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250502-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RH22-Q4J2-M68R

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:42
VLAI
Details

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-20T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.",
  "id": "GHSA-rh22-q4j2-m68r",
  "modified": "2024-04-04T00:42:48Z",
  "published": "2022-05-24T16:46:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12219"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.libsdl.org/show_bug.cgi?id=4625"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6FDFPYUJ7YPY3XB5U75VJHBSVRVIKO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ2VRD57UOBT72JUC2DIFHEFCH4N64SW"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4238-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RH37-88V6-QM47

Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2025-11-04 00:30
VLAI
Details

A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-18T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.",
  "id": "GHSA-rh37-88v6-qm47",
  "modified": "2025-11-04T00:30:31Z",
  "published": "2022-04-19T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenSC/OpenSC/commit/f015746d"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016083"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RH4W-P52R-WX7R

Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2023-05-27 06:30
VLAI
Details

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-13T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.",
  "id": "GHSA-rh4w-p52r-wx7r",
  "modified": "2023-05-27T06:30:38Z",
  "published": "2022-01-14T00:02:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/30ac5e5236b790accd1f25347eebf2dc8c6c1bcb"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJ34-CRXV-J5MG

Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Clean up DMABUFs before disabling function

On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible.

This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-826"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T20:17:25Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Clean up DMABUFs before disabling function\n\nOn device shutdown, make vfio_pci_core_close_device() call\nvfio_pci_dma_buf_cleanup() before the function is disabled via\nvfio_pci_core_disable().  This ensures that all access via DMABUFs is\nrevoked before the function\u0027s BARs become inaccessible.\n\nThis fixes an issue where, if the function is disabled first, a tiny\nwindow exists in which the function\u0027s MSE is cleared and yet BARs\ncould still be accessed via the DMABUF.  The resources would also be\nfreed and up for grabs by a different driver.",
  "id": "GHSA-rj34-crxv-j5mg",
  "modified": "2026-06-30T03:37:14Z",
  "published": "2026-06-26T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53322"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-53322"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493709"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f1000a30f67cf7d328059242776a858611d5ef9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d97708701434ce72968e771976aaf9d3438fcafd"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53322.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJW2-5698-2F3H

Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-04 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix mr->map double free

rxe_mr_cleanup() which tries to free mr->map again will be called when rxe_mr_init_user() fails:

CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x5d panic+0x19e/0x349 end_report.part.0+0x54/0x7c kasan_report.cold+0xa/0xf rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe] __rxe_cleanup+0x10a/0x1e0 [rdma_rxe] rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe] ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]

This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix memory leak in error path code") and then we fixed it in commit 8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this fix was reverted together at last by commit 1e75550648da (Revert "RDMA/rxe: Create duplicate mapping tables for FMRs")

Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is successfully allocated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:38Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr-\u003emap double free\n\nrxe_mr_cleanup() which tries to free mr-\u003emap again will be called when\nrxe_mr_init_user() fails:\n\n   CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\n   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n   Call Trace:\n    \u003cTASK\u003e\n    dump_stack_lvl+0x45/0x5d\n    panic+0x19e/0x349\n    end_report.part.0+0x54/0x7c\n    kasan_report.cold+0xa/0xf\n    rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n    __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\n    rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\n    ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\n    ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\n    ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\n\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\n\nSimply let rxe_mr_cleanup() always handle freeing the mr-\u003emap once it is\nsuccessfully allocated.",
  "id": "GHSA-rjw2-5698-2f3h",
  "modified": "2026-02-04T21:30:24Z",
  "published": "2025-10-07T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50543"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06f73568f553b5be6ba7f6fe274d333ea29fc46d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6ce577f09013206e36e674cd27da3707b2278268"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d984dac8f6bf4ebd3398af82b357e1d181ecaac"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPC4-J585-WG54

Vulnerability from github – Published: 2022-05-14 01:31 – Updated: 2025-01-21 18:31
VLAI
Details

Double free vulnerability in the OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted OpenType font, aka "OpenType Font Double Free Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-12-16T19:33:00Z",
    "severity": "MODERATE"
  },
  "details": "Double free vulnerability in the OpenType Font (OTF) driver in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a crafted OpenType font, aka \"OpenType Font Double Free Vulnerability.\"",
  "id": "GHSA-rpc4-j585-wg54",
  "modified": "2025-01-21T18:31:01Z",
  "published": "2022-05-14T01:31:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3957"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-091"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12329"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1024873"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA10-348A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPQ8-3F5M-JP4R

Vulnerability from github – Published: 2022-05-17 03:42 – Updated: 2022-05-17 03:42
VLAI
Details

Double free vulnerability in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x before 7.0.6 allows remote attackers to execute arbitrary code via a crafted index.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-07T10:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double free vulnerability in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x before 7.0.6 allows remote attackers to execute arbitrary code via a crafted index.",
  "id": "GHSA-rpq8-3f5m-jp4r",
  "modified": "2022-05-17T03:42:18Z",
  "published": "2022-05-17T03:42:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3132"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=71735"
    },
    {
      "type": "WEB",
      "url": "https://php.net/ChangeLog-7.php"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2016-3132"
    },
    {
      "type": "WEB",
      "url": "http://github.com/php/php-src/commit/28a6ed9f9a36b9c517e4a8a429baf4dd382fc5d5?w=1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92356"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.