CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-4RVW-X335-VF6P
Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2022-12-15 18:30A vulnerability has been identified in JT2Go (All versions), Teamcenter Visualization V13.2 (All versions < V13.2.0.12), Teamcenter Visualization V13.3 (All versions < V13.3.0.8), Teamcenter Visualization V14.0 (All versions < V14.0.0.4), Teamcenter Visualization V14.1 (All versions < V14.1.0.6). The CGM_NIST_Loader.dll contains a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2022-41285"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T16:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in JT2Go (All versions), Teamcenter Visualization V13.2 (All versions \u003c V13.2.0.12), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.8), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.4), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.6). The CGM_NIST_Loader.dll contains a use-after-free vulnerability that could be triggered while parsing specially crafted CGM files. An attacker could leverage this vulnerability to execute code in the context of the current process.",
"id": "GHSA-4rvw-x335-vf6p",
"modified": "2022-12-15T18:30:16Z",
"published": "2022-12-13T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41285"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-700053.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RW8-CXGP-9R2G
Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash.
{
"affected": [],
"aliases": [
"CVE-2024-40782"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T23:15:11Z",
"severity": "CRITICAL"
},
"details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash.",
"id": "GHSA-4rw8-cxgp-9r2g",
"modified": "2026-04-02T21:31:48Z",
"published": "2024-07-30T00:34:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40782"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214124"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214123"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214122"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214117"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214116"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214124"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214123"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214122"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214121"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214119"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214116"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120916"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120915"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120914"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120913"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120911"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120909"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120908"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00006.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/17"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/22"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RWG-8M37-CJCC
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-58629"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:45Z",
"severity": "HIGH"
},
"details": "Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-4rwg-8m37-cjcc",
"modified": "2026-07-14T18:32:42Z",
"published": "2026-07-14T18:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58629"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RWR-9F6C-X66X
Vulnerability from github – Published: 2024-05-02 21:30 – Updated: 2024-05-02 21:30Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-30304"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T21:16:12Z",
"severity": "HIGH"
},
"details": "Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-4rwr-9f6c-x66x",
"modified": "2024-05-02T21:30:30Z",
"published": "2024-05-02T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30304"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb24-07.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RX6-P6GQ-RM2V
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-28 00:00Use after free in regular expressions in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1310"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in regular expressions in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-4rx6-p6gq-rm2v",
"modified": "2022-07-28T00:00:48Z",
"published": "2022-07-26T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1310"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1307610"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RXF-RCJH-42F3
Vulnerability from github – Published: 2023-03-29 21:30 – Updated: 2023-04-06 18:30This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.2.53575. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17551.
{
"affected": [],
"aliases": [
"CVE-2022-37390"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.2.53575. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-17551.",
"id": "GHSA-4rxf-rcjh-42f3",
"modified": "2023-04-06T18:30:20Z",
"published": "2023-03-29T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37390"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1062"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V34-9X49-P452
Vulnerability from github – Published: 2023-09-12 18:30 – Updated: 2025-10-22 00:32Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-36802"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T17:15:15Z",
"severity": "HIGH"
},
"details": "Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability",
"id": "GHSA-4v34-9x49-p452",
"modified": "2025-10-22T00:32:50Z",
"published": "2023-09-12T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36802"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36802"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V3M-FHX4-QP25
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-22 00:00MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.
{
"affected": [],
"aliases": [
"CVE-2022-27457"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-14T13:15:00Z",
"severity": "HIGH"
},
"details": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c.",
"id": "GHSA-4v3m-fhx4-qp25",
"modified": "2022-04-22T00:00:59Z",
"published": "2022-04-15T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27457"
},
{
"type": "WEB",
"url": "https://jira.mariadb.org/browse/MDEV-28098"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220526-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V48-C98Q-4VPC
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-06 18:30In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit:
-
fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent().
-
fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS.
-
fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list.
The resulting use-after-free manifests as:
pc : fastrpc_buf_free+0x38/0x80 [fastrpc] lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_put_wq+0x78/0xa0 [fastrpc] process_one_work+0x180/0x450 worker_thread+0x26c/0x388
Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.
{
"affected": [],
"aliases": [
"CVE-2026-53161"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:33Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix use-after-free of fastrpc_user in workqueue context\n\nThere is a race between fastrpc_device_release() and the workqueue\nthat processes DSP responses. When the user closes the file descriptor,\nfastrpc_device_release() frees the fastrpc_user structure. Concurrently,\nan in-flight DSP invocation can complete and fastrpc_rpmsg_callback()\nschedules context cleanup via schedule_work(\u0026ctx-\u003eput_work). If the\nworkqueue runs fastrpc_context_free() in parallel with or after\nfastrpc_device_release() has freed the user structure, it dereferences\nthe freed fastrpc_user. Depending on the state of the context at the\ntime of the race, any one of the following accesses can be hit:\n\n 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf-\u003efl-\u003ecctx, ...)\n to strip the SID bits from the stored IOVA before passing the\n physical address to dma_free_coherent().\n\n 2. fastrpc_free_map() reads map-\u003efl-\u003ecctx-\u003evmperms[0].vmid to\n reconstruct the source permission bitmask needed for the\n qcom_scm_assign_mem() call that returns memory from the DSP VM\n back to HLOS.\n\n 3. fastrpc_free_map() acquires map-\u003efl-\u003elock to safely remove the\n map node from the fl-\u003emaps list.\n\nThe resulting use-after-free manifests as:\n\n pc : fastrpc_buf_free+0x38/0x80 [fastrpc]\n lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]\n fastrpc_context_free+0xa8/0x1b0 [fastrpc]\n fastrpc_context_put_wq+0x78/0xa0 [fastrpc]\n process_one_work+0x180/0x450\n worker_thread+0x26c/0x388\n\nAdd kref-based reference counting to fastrpc_user. Have each invoke\ncontext take a reference on the user at allocation time and release it\nwhen the context is freed. Release the initial reference in\nfastrpc_device_release() at file close. Move the teardown of the user\nstructure \u2014 freeing pending contexts, maps, mmaps, and the channel\ncontext reference \u2014 into the kref release callback fastrpc_user_free(),\nso that it runs only when the last reference is dropped, regardless of\nwhether that happens at device close or after the final in-flight\ncontext completes.",
"id": "GHSA-4v48-c98q-4vpc",
"modified": "2026-07-06T18:30:36Z",
"published": "2026-06-25T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53161"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6e5c2be09f814377d7f1ce97370a5b7b3e02814"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d42679eef34dd590b694ce3b666c5e2ba10cd4bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df08fadcf0e5f3708365ec3b6d30b5aafd98bea1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1e3a05efe5954d5bad01157d79429d39a67a7ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e85eb5feca8e254905ffa6c57a3c99c89a674a0f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecea4967c2bff92c2fafbc59893f711b39f7b152"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbe0947420eec18a84638d29468c2d563ce4e6a3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V4W-XC3P-XC43
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32401526. References: N-CVE-2017-0428.
{
"affected": [],
"aliases": [
"CVE-2017-0428"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-08T15:59:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32401526. References: N-CVE-2017-0428.",
"id": "GHSA-4v4w-xc3p-xc43",
"modified": "2022-05-13T01:40:02Z",
"published": "2022-05-13T01:40:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0428"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-02-01.html"
},
{
"type": "WEB",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4561"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96070"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037798"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.