Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-4MMH-H9HR-3PWJ

Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30
VLAI
Details

Windows Defender Credential Guard Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T17:15:44Z",
    "severity": "HIGH"
  },
  "details": "Windows Defender Credential Guard Elevation of Privilege Vulnerability",
  "id": "GHSA-4mmh-h9hr-3pwj",
  "modified": "2024-04-09T18:30:26Z",
  "published": "2024-04-09T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26237"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26237"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MP6-2R26-5PW4

Vulnerability from github – Published: 2026-06-24 21:30 – Updated: 2026-06-24 21:30
VLAI
Details

Use after free in FileSystem in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T19:17:08Z",
    "severity": "HIGH"
  },
  "details": "Use after free in FileSystem in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-4mp6-2r26-5pw4",
  "modified": "2026-06-24T21:30:43Z",
  "published": "2026-06-24T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13027"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/520543781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MQ7-7Q99-XHQ3

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-03-27 21:31
VLAI
Details

Use after free in Mailslot File System allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T18:16:27Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Mailslot File System allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-4mq7-7q99-xhq3",
  "modified": "2026-03-27T21:31:32Z",
  "published": "2026-02-10T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21253"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21253"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2026-21253-detection-script-elevation-of-privilege-vulnerability-in-mailslot-file-system"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2026-21253-mitigation-script-elevation-of-privilege-vulnerability-in-mailslot-file-system"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MQJ-P59H-V7C8

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-06 06:30
VLAI
Details

Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:20Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: Medium)",
  "id": "GHSA-4mqj-p59h-v7c8",
  "modified": "2026-06-06T06:30:29Z",
  "published": "2026-06-05T00:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11144"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/501676175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MX7-H455-MWXV

Vulnerability from github – Published: 2025-02-27 18:31 – Updated: 2025-02-27 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

jffs2: fix use-after-free in jffs2_clear_xattr_subsystem

When we mount a jffs2 image, assume that the first few blocks of the image are normal and contain at least one xattr-related inode, but the next block is abnormal. As a result, an error is returned in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then called in jffs2_build_filesystem() and then again in jffs2_do_fill_super().

Finally we can observe the following report: ================================================================== BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac Read of size 8 at addr ffff8881243384e0 by task mount/719

Call Trace: dump_stack+0x115/0x16b jffs2_clear_xattr_subsystem+0x95/0x6ac jffs2_do_fill_super+0x84f/0xc30 jffs2_fill_super+0x2ea/0x4c0 mtd_get_sb+0x254/0x400 mtd_get_sb_by_nr+0x4f/0xd0 get_tree_mtd+0x498/0x840 jffs2_get_tree+0x25/0x30 vfs_get_tree+0x8d/0x2e0 path_mount+0x50f/0x1e50 do_mount+0x107/0x130 __se_sys_mount+0x1c5/0x2f0 __x64_sys_mount+0xc7/0x160 do_syscall_64+0x45/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 719: kasan_save_stack+0x23/0x60 __kasan_kmalloc.constprop.0+0x10b/0x120 kasan_slab_alloc+0x12/0x20 kmem_cache_alloc+0x1c0/0x870 jffs2_alloc_xattr_ref+0x2f/0xa0 jffs2_scan_medium.cold+0x3713/0x4794 jffs2_do_mount_fs.cold+0xa7/0x2253 jffs2_do_fill_super+0x383/0xc30 jffs2_fill_super+0x2ea/0x4c0 [...]

Freed by task 719: kmem_cache_free+0xcc/0x7b0 jffs2_free_xattr_ref+0x78/0x98 jffs2_clear_xattr_subsystem+0xa1/0x6ac jffs2_do_mount_fs.cold+0x5e6/0x2253 jffs2_do_fill_super+0x383/0xc30 jffs2_fill_super+0x2ea/0x4c0 [...]

The buggy address belongs to the object at ffff8881243384b8 which belongs to the cache jffs2_xattr_ref of size 48 The buggy address is located 40 bytes inside of 48-byte region [ffff8881243384b8, ffff8881243384e8) [...] ==================================================================

The triggering of the BUG is shown in the following stack:

jffs2_fill_super jffs2_do_fill_super jffs2_do_mount_fs jffs2_build_filesystem jffs2_scan_medium jffs2_scan_eraseblock <--- ERROR jffs2_clear_xattr_subsystem <--- free jffs2_clear_xattr_subsystem <--- free again


An error is returned in jffs2_do_mount_fs(). If the error is returned by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to be executed. If the error is returned by jffs2_build_filesystem(), the jffs2_clear_xattr_subsystem() also does not need to be executed again. So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root' to fix this UAF problem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T06:37:07Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: fix use-after-free in jffs2_clear_xattr_subsystem\n\nWhen we mount a jffs2 image, assume that the first few blocks of\nthe image are normal and contain at least one xattr-related inode,\nbut the next block is abnormal. As a result, an error is returned\nin jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then\ncalled in jffs2_build_filesystem() and then again in\njffs2_do_fill_super().\n\nFinally we can observe the following report:\n ==================================================================\n BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac\n Read of size 8 at addr ffff8881243384e0 by task mount/719\n\n Call Trace:\n  dump_stack+0x115/0x16b\n  jffs2_clear_xattr_subsystem+0x95/0x6ac\n  jffs2_do_fill_super+0x84f/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n  mtd_get_sb+0x254/0x400\n  mtd_get_sb_by_nr+0x4f/0xd0\n  get_tree_mtd+0x498/0x840\n  jffs2_get_tree+0x25/0x30\n  vfs_get_tree+0x8d/0x2e0\n  path_mount+0x50f/0x1e50\n  do_mount+0x107/0x130\n  __se_sys_mount+0x1c5/0x2f0\n  __x64_sys_mount+0xc7/0x160\n  do_syscall_64+0x45/0x70\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\n Allocated by task 719:\n  kasan_save_stack+0x23/0x60\n  __kasan_kmalloc.constprop.0+0x10b/0x120\n  kasan_slab_alloc+0x12/0x20\n  kmem_cache_alloc+0x1c0/0x870\n  jffs2_alloc_xattr_ref+0x2f/0xa0\n  jffs2_scan_medium.cold+0x3713/0x4794\n  jffs2_do_mount_fs.cold+0xa7/0x2253\n  jffs2_do_fill_super+0x383/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n Freed by task 719:\n  kmem_cache_free+0xcc/0x7b0\n  jffs2_free_xattr_ref+0x78/0x98\n  jffs2_clear_xattr_subsystem+0xa1/0x6ac\n  jffs2_do_mount_fs.cold+0x5e6/0x2253\n  jffs2_do_fill_super+0x383/0xc30\n  jffs2_fill_super+0x2ea/0x4c0\n [...]\n\n The buggy address belongs to the object at ffff8881243384b8\n  which belongs to the cache jffs2_xattr_ref of size 48\n The buggy address is located 40 bytes inside of\n  48-byte region [ffff8881243384b8, ffff8881243384e8)\n [...]\n ==================================================================\n\nThe triggering of the BUG is shown in the following stack:\n-----------------------------------------------------------\njffs2_fill_super\n  jffs2_do_fill_super\n    jffs2_do_mount_fs\n      jffs2_build_filesystem\n        jffs2_scan_medium\n          jffs2_scan_eraseblock        \u003c--- ERROR\n        jffs2_clear_xattr_subsystem    \u003c--- free\n    jffs2_clear_xattr_subsystem        \u003c--- free again\n-----------------------------------------------------------\n\nAn error is returned in jffs2_do_mount_fs(). If the error is returned\nby jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to\nbe executed. If the error is returned by jffs2_build_filesystem(), the\njffs2_clear_xattr_subsystem() also does not need to be executed again.\nSo move jffs2_clear_xattr_subsystem() from \u0027out_inohash\u0027 to \u0027out_root\u0027\nto fix this UAF problem.",
  "id": "GHSA-4mx7-h455-mwxv",
  "modified": "2025-02-27T18:31:07Z",
  "published": "2025-02-27T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47656"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22327bd7988f21de3a53c1373f3b81542bfe1f44"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30bf7244acf32f19cb722c39f7bc1c2a9f300422"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bd2454162ec6bbb5503233c804fce6e4b6dcec5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c7c44ee1650677fbe89d86edbad9497b7679b5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a75740206af5f17e9f3efa384211cba70213da1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bb7428dd73991bf4b3a7a61b493ca50046c2b13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c0f024f29e055840a5a89fe23b96ae3f921afed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9150cb625b46f68d524f4cfd491f1aafc23e10a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3b07c875fa8f906f932976460fd14798596f101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P29-QP7W-5P8P

Vulnerability from github – Published: 2024-11-21 21:33 – Updated: 2024-12-11 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: Fix use-after-free of network namespace.

Recently, we got a customer report that CIFS triggers oops while reconnecting to a server. [0]

The workload runs on Kubernetes, and some pods mount CIFS servers in non-root network namespaces. The problem rarely happened, but it was always while the pod was dying.

The root cause is wrong reference counting for network namespace.

CIFS uses kernel sockets, which do not hold refcnt of the netns that the socket belongs to. That means CIFS must ensure the socket is always freed before its netns; otherwise, use-after-free happens.

The repro steps are roughly:

  1. mount CIFS in a non-root netns
  2. drop packets from the netns
  3. destroy the netns
  4. unmount CIFS

We can reproduce the issue quickly with the script [1] below and see the splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.

When the socket is TCP, it is hard to guarantee the netns lifetime without holding refcnt due to async timers.

Let's hold netns refcnt for each socket as done for SMC in commit 9744d2bf1976 ("smc: Fix use-after-free in tcp_write_timer_handler().").

Note that we need to move put_net() from cifs_put_tcp_session() to clean_demultiplex_info(); otherwise, __sock_create() still could touch a freed netns while cifsd tries to reconnect from cifs_demultiplex_thread().

Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns.

[0]: CIFS: VFS: \XXXXXXXXXXX has not responded in 15 seconds. Reconnecting... CIFS: Serverclose failed 4 times, giving up Unable to handle kernel paging request at virtual address 14de99e461f84a07 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 [14de99e461f84a07] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs CPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1 Hardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : fib_rules_lookup+0x44/0x238 lr : __fib_lookup+0x64/0xbc sp : ffff8000265db790 x29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01 x26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580 x23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500 x20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002 x11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294 x8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000 x5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0 x2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500 Call trace: fib_rules_lookup+0x44/0x238 __fib_lookup+0x64/0xbc ip_route_output_key_hash_rcu+0x2c4/0x398 ip_route_output_key_hash+0x60/0x8c tcp_v4_connect+0x290/0x488 __inet_stream_connect+0x108/0x3d0 inet_stream_connect+0x50/0x78 kernel_connect+0x6c/0xac generic_ip_conne ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T19:15:12Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free of network namespace.\n\nRecently, we got a customer report that CIFS triggers oops while\nreconnecting to a server.  [0]\n\nThe workload runs on Kubernetes, and some pods mount CIFS servers\nin non-root network namespaces.  The problem rarely happened, but\nit was always while the pod was dying.\n\nThe root cause is wrong reference counting for network namespace.\n\nCIFS uses kernel sockets, which do not hold refcnt of the netns that\nthe socket belongs to.  That means CIFS must ensure the socket is\nalways freed before its netns; otherwise, use-after-free happens.\n\nThe repro steps are roughly:\n\n  1. mount CIFS in a non-root netns\n  2. drop packets from the netns\n  3. destroy the netns\n  4. unmount CIFS\n\nWe can reproduce the issue quickly with the script [1] below and see\nthe splat [2] if CONFIG_NET_NS_REFCNT_TRACKER is enabled.\n\nWhen the socket is TCP, it is hard to guarantee the netns lifetime\nwithout holding refcnt due to async timers.\n\nLet\u0027s hold netns refcnt for each socket as done for SMC in commit\n9744d2bf1976 (\"smc: Fix use-after-free in tcp_write_timer_handler().\").\n\nNote that we need to move put_net() from cifs_put_tcp_session() to\nclean_demultiplex_info(); otherwise, __sock_create() still could touch a\nfreed netns while cifsd tries to reconnect from cifs_demultiplex_thread().\n\nAlso, maybe_get_net() cannot be put just before __sock_create() because\nthe code is not under RCU and there is a small chance that the same\naddress happened to be reallocated to another netns.\n\n[0]:\nCIFS: VFS: \\\\XXXXXXXXXXX has not responded in 15 seconds. Reconnecting...\nCIFS: Serverclose failed 4 times, giving up\nUnable to handle kernel paging request at virtual address 14de99e461f84a07\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004\n  CM = 0, WnR = 0\n[14de99e461f84a07] address between user and kernel address ranges\nInternal error: Oops: 0000000096000004 [#1] SMP\nModules linked in: cls_bpf sch_ingress nls_utf8 cifs cifs_arc4 cifs_md4 dns_resolver tcp_diag inet_diag veth xt_state xt_connmark nf_conntrack_netlink xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 sunrpc vfat fat aes_ce_blk aes_ce_cipher ghash_ce sm4_ce_cipher sm4 sm3_ce sm3 sha3_ce sha512_ce sha512_arm64 sha1_ce ena button sch_fq_codel loop fuse configfs dmi_sysfs sha2_ce sha256_arm64 dm_mirror dm_region_hash dm_log dm_mod dax efivarfs\nCPU: 5 PID: 2690970 Comm: cifsd Not tainted 6.1.103-109.184.amzn2023.aarch64 #1\nHardware name: Amazon EC2 r7g.4xlarge/, BIOS 1.0 11/1/2018\npstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : fib_rules_lookup+0x44/0x238\nlr : __fib_lookup+0x64/0xbc\nsp : ffff8000265db790\nx29: ffff8000265db790 x28: 0000000000000000 x27: 000000000000bd01\nx26: 0000000000000000 x25: ffff000b4baf8000 x24: ffff00047b5e4580\nx23: ffff8000265db7e0 x22: 0000000000000000 x21: ffff00047b5e4500\nx20: ffff0010e3f694f8 x19: 14de99e461f849f7 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 3f92800abd010002\nx11: 0000000000000001 x10: ffff0010e3f69420 x9 : ffff800008a6f294\nx8 : 0000000000000000 x7 : 0000000000000006 x6 : 0000000000000000\nx5 : 0000000000000001 x4 : ffff001924354280 x3 : ffff8000265db7e0\nx2 : 0000000000000000 x1 : ffff0010e3f694f8 x0 : ffff00047b5e4500\nCall trace:\n fib_rules_lookup+0x44/0x238\n __fib_lookup+0x64/0xbc\n ip_route_output_key_hash_rcu+0x2c4/0x398\n ip_route_output_key_hash+0x60/0x8c\n tcp_v4_connect+0x290/0x488\n __inet_stream_connect+0x108/0x3d0\n inet_stream_connect+0x50/0x78\n kernel_connect+0x6c/0xac\n generic_ip_conne\n---truncated---",
  "id": "GHSA-4p29-qp7w-5p8p",
  "modified": "2024-12-11T15:31:16Z",
  "published": "2024-11-21T21:33:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53095"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7f9282fc27fc36dbaffc8527c723de264a132f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8c71494181153a134c96da28766a57bd1eac8cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef7134c7fc48e1441b398e55a862232868a6f0a7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P2W-R4HM-WG7F

Vulnerability from github – Published: 2022-07-09 00:00 – Updated: 2022-07-17 00:00
VLAI
Details

Use After Free in GitHub repository vim/vim prior to 9.0.0046.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-08T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use After Free in GitHub repository vim/vim prior to 9.0.0046.",
  "id": "GHSA-4p2w-r4hm-wg7f",
  "modified": "2022-07-17T00:00:46Z",
  "published": "2022-07-09T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1eed7009-db6d-487b-bc41-8f2fd260483f"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-32"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P3M-VCW5-28GR

Vulnerability from github – Published: 2022-05-13 01:29 – Updated: 2025-04-12 12:46
VLAI
Details

Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-1351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-03-30T10:59:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.",
  "id": "GHSA-4p3m-vcw5-28gr",
  "modified": "2025-04-12T12:46:38Z",
  "published": "2022-05-13T01:29:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1351"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=68677"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201606-10"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT205267"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=777c39f4042327eac4b63c7ee87dc1c7a09a3115"
    },
    {
      "type": "WEB",
      "url": "http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2015/01/24/9"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1053.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1066.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:079"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/71929"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4P5Q-RG67-69XG

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2025-11-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cnds_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                                 | cdns_i3c_master_hj

cdns_i3c_master_remove | i3c_master_unregister(&master->base) | device_unregister(&master->dev) | device_release | //free master->base | | i3c_master_do_daa(&master->base) | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:18Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, \u0026master-\u003ehj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master-\u003ebase through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0                                      CPU1\n\n                                     | cdns_i3c_master_hj\ncdns_i3c_master_remove               |\ni3c_master_unregister(\u0026master-\u003ebase) |\ndevice_unregister(\u0026master-\u003edev)      |\ndevice_release                       |\n//free master-\u003ebase                  |\n                                     | i3c_master_do_daa(\u0026master-\u003ebase)\n                                     | //use master-\u003ebase\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove.",
  "id": "GHSA-4p5q-rg67-69xg",
  "modified": "2025-11-03T21:31:28Z",
  "published": "2024-10-21T21:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50061"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a21bad9964c91b34d65ba269914233720c0b1ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P8F-JCHV-665G

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32
VLAI
Details

IrfanView DJVU File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of DJVU files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24578.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "IrfanView DJVU File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of DJVU files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24578.",
  "id": "GHSA-4p8f-jchv-665g",
  "modified": "2024-11-22T21:32:17Z",
  "published": "2024-11-22T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11521"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1579"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.