CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-4P9P-C25Q-HMP5
Vulnerability from github – Published: 2025-03-11 21:30 – Updated: 2025-03-11 21:30Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of CO files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25186.
{
"affected": [],
"aliases": [
"CVE-2025-2013"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T21:15:52Z",
"severity": "HIGH"
},
"details": "Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CO files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25186.",
"id": "GHSA-4p9p-c25q-hmp5",
"modified": "2025-03-11T21:30:41Z",
"published": "2025-03-11T21:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2013"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PF4-VF9P-VXX6
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-02-25 00:01VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
{
"affected": [],
"aliases": [
"CVE-2021-22040"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine\u0027s VMX process running on the host.",
"id": "GHSA-4pf4-vf9p-vxx6",
"modified": "2022-02-25T00:01:24Z",
"published": "2022-02-17T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22040"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2022-0004.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4PFP-W4VM-364Q
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.
{
"affected": [],
"aliases": [
"CVE-2020-25656"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-02T01:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.",
"id": "GHSA-4pfp-w4vm-364q",
"modified": "2022-05-24T17:35:10Z",
"published": "2022-05-24T17:35:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25656"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888726"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html"
},
{
"type": "WEB",
"url": "https://lkml.org/lkml/2020/10/16/84"
},
{
"type": "WEB",
"url": "https://lkml.org/lkml/2020/10/29/528"
},
{
"type": "WEB",
"url": "https://www.starwindsoftware.com/security/sw-20210325-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PH5-83MW-VM42
Vulnerability from github – Published: 2026-06-05 12:31 – Updated: 2026-07-13 12:34A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-50263"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T12:16:39Z",
"severity": "MODERATE"
},
"details": "A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure.",
"id": "GHSA-4ph5-83mw-vm42",
"modified": "2026-07-13T12:34:56Z",
"published": "2026-06-05T12:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50263"
},
{
"type": "WEB",
"url": "https://redhat.atlassian.net/browse/PSIRTSUPT-16950"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2026-June/003702.html"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/ecc634f1b2f7aa473d3a267eada98c4918bf9e05"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485388"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-50263"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38502"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36798"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36792"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36791"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36768"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36634"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36633"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36632"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29844"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28923"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26709"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26610"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26590"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26566"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PHR-7MH9-VVGH
Vulnerability from github – Published: 2022-12-20 21:30 – Updated: 2022-12-20 21:30In removeEventHubDevice of InputDevice.cpp, there is a possible OOB read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-245770596
{
"affected": [],
"aliases": [
"CVE-2022-20554"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "MODERATE"
},
"details": "In removeEventHubDevice of InputDevice.cpp, there is a possible OOB read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-245770596",
"id": "GHSA-4phr-7mh9-vvgh",
"modified": "2022-12-20T21:30:16Z",
"published": "2022-12-20T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20554"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PJ4-7M9H-V9GF
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147802478References: Upstream kernel
{
"affected": [],
"aliases": [
"CVE-2020-0466"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T22:15:00Z",
"severity": "HIGH"
},
"details": "In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147802478References: Upstream kernel",
"id": "GHSA-4pj4-7m9h-v9gf",
"modified": "2022-05-24T17:36:15Z",
"published": "2022-05-24T17:36:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0466"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4PJF-GX23-QW59
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use after free in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-50174"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:43Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-4pjf-gx23-qw59",
"modified": "2025-10-14T18:30:29Z",
"published": "2025-10-14T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50174"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50174"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PQP-3CV2-MM87
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-04-17 21:30In the Linux kernel, the following vulnerability has been resolved:
moxart: fix potential use-after-free on remove path
It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of the device and using it instead of the pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2022-48626"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmoxart: fix potential use-after-free on remove path\n\nIt was reported that the mmc host structure could be accessed after it\nwas freed in moxart_remove(), so fix this by saving the base register of\nthe device and using it instead of the pointer dereference.",
"id": "GHSA-4pqp-3cv2-mm87",
"modified": "2024-04-17T21:30:45Z",
"published": "2024-02-26T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48626"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a0a7ec5574b510b067cfc734b8bdb6564b31d4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f901d53f120d1921f84f7b9b118e87e94b403c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c25d5ff1856b91bd4365e813f566cb59aaa9552"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af0e6c49438b1596e4be8a267d218a0c88a42323"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bd2db32e7c3e35bd4d9b8bbff689434a50893546"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be93028d306dac9f5b59ebebd9ec7abcfc69c156"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e6f580d0b3349646d4ee1ce0057eb273e8fb7e2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f5dc193167591e88797262ec78515a0cbe79ff5f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PQW-3H25-QRQ3
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
zram: fix use-after-free in zram_bvec_write_partial()
zram_read_page() picks the sync or async backing device read path based on whether the parent bio is NULL. zram_bvec_write_partial() passes its parent bio down, so for ZRAM_WB slots the read is dispatched asynchronously and zram_read_page() returns 0 while the bio is still in flight. The caller then runs memcpy_from_bvec(), zram_write_page() and __free_page() on the buffer, leaving the async read to write into a freed page.
zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d ("zram: fix synchronous reads") for the same reason; the write_partial counterpart was missed.
{
"affected": [],
"aliases": [
"CVE-2026-53185"
],
"database_specific": {
"cwe_ids": [
"CWE-364",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:35Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: fix use-after-free in zram_bvec_write_partial()\n\nzram_read_page() picks the sync or async backing device read path based on\nwhether the parent bio is NULL. zram_bvec_write_partial() passes its\nparent bio down, so for ZRAM_WB slots the read is dispatched\nasynchronously and zram_read_page() returns 0 while the bio is still in\nflight. The caller then runs memcpy_from_bvec(), zram_write_page() and\n__free_page() on the buffer, leaving the async read to write into a freed\npage.\n\nzram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d\n(\"zram: fix synchronous reads\") for the same reason; the write_partial\ncounterpart was missed.",
"id": "GHSA-4pqw-3h25-qrq3",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-25T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53185"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53185"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492735"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c2821665ff71be3f4b07ecece384669f2877f6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/198b5a14cca27263b9c14b20114c8092de15dfcb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/732fd9f0b9c1cdc6dfd77162ded60df005182cc0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/77a602b505ce4802915853cfc435a4722fab3e64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c96786d6ff1acc1d54d9241e97767554c1dfdd5b"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53185.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PVM-WG2G-H8CW
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50687"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:04Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-4pvm-wg2g-h8cw",
"modified": "2026-07-14T18:32:30Z",
"published": "2026-07-14T18:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50687"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.