CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-52MQ-7C45-JWP5
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-03 09:33In the Linux kernel, the following vulnerability has been resolved:
bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().
syzbot reported use-after-free of AF_UNIX socket's sk->sk_socket in sk_psock_verdict_data_ready(). [0]
In unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is called after dropping its unix_state_lock().
Although the sender socket holds the peer's refcount, it does not prevent the peer's sock_orphan(), and the peer's sk_socket might be freed after one RCU grace period.
Let's fetch the peer's sk->sk_socket and sk->sk_socket->ops under RCU in sk_psock_verdict_data_ready().
[0]: BUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278 Read of size 8 at addr ffff8880594da860 by task syz.4.1842/11013
CPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278 unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482 sock_sendmsg_nosec net/socket.c:721 [inline] __sock_sendmsg net/socket.c:736 [inline] _syssendmsg+0x972/0x9f0 net/socket.c:2585 _sys_sendmsg+0x2a5/0x360 net/socket.c:2639 __sys_sendmsg net/socket.c:2671 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7facf899c819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819 RDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004 RBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78
Allocated by task 11013: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4538 [inline] slab_alloc_node mm/slub.c:4866 [inline] kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885 sock_alloc_inode+0x28/0xc0 net/socket.c:316 alloc_inode+0x6a/0x1b0 fs/inode.c:347 new_inode_pseudo include/linux/fs.h:3003 [inline] sock_alloc net/socket.c:631 [inline] __sock_create+0x12d/0x9d0 net/socket.c:1562 sock_create net/socket.c:1656 [inline] __sys_socketpair+0x1c4/0x560 net/socket.c:1803 __do_sys_socketpair net/socket.c:1856 [inline] __se_sys_socketpair net/socket.c:1853 [inline] __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 15: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2685 [inline] slab_free mm/slub.c:6165 [inline] kmem_cache_free+0x187/0x630 mm/slub.c:6295 rcu_do_batch kernel/rcu/tree.c: ---truncated---
{
"affected": [],
"aliases": [
"CVE-2026-43016"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sockmap: Fix use-after-free of sk-\u003esk_socket in sk_psock_verdict_data_ready().\n\nsyzbot reported use-after-free of AF_UNIX socket\u0027s sk-\u003esk_socket\nin sk_psock_verdict_data_ready(). [0]\n\nIn unix_stream_sendmsg(), the peer socket\u0027s -\u003esk_data_ready() is\ncalled after dropping its unix_state_lock().\n\nAlthough the sender socket holds the peer\u0027s refcount, it does not\nprevent the peer\u0027s sock_orphan(), and the peer\u0027s sk_socket might\nbe freed after one RCU grace period.\n\nLet\u0027s fetch the peer\u0027s sk-\u003esk_socket and sk-\u003esk_socket-\u003eops under\nRCU in sk_psock_verdict_data_ready().\n\n[0]:\nBUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\nRead of size 8 at addr ffff8880594da860 by task syz.4.1842/11013\n\nCPU: 1 UID: 0 PID: 11013 Comm: syz.4.1842 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278\n unix_stream_sendmsg+0x8a3/0xe80 net/unix/af_unix.c:2482\n sock_sendmsg_nosec net/socket.c:721 [inline]\n __sock_sendmsg net/socket.c:736 [inline]\n ____sys_sendmsg+0x972/0x9f0 net/socket.c:2585\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2639\n __sys_sendmsg net/socket.c:2671 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7facf899c819\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007facf9827028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007facf8c15fa0 RCX: 00007facf899c819\nRDX: 0000000000000000 RSI: 0000200000000500 RDI: 0000000000000004\nRBP: 00007facf8a32c91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007facf8c16038 R14: 00007facf8c15fa0 R15: 00007ffd41b01c78\n \u003c/TASK\u003e\n\nAllocated by task 11013:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n unpoison_slab_object mm/kasan/common.c:340 [inline]\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366\n kasan_slab_alloc include/linux/kasan.h:253 [inline]\n slab_post_alloc_hook mm/slub.c:4538 [inline]\n slab_alloc_node mm/slub.c:4866 [inline]\n kmem_cache_alloc_lru_noprof+0x2b8/0x640 mm/slub.c:4885\n sock_alloc_inode+0x28/0xc0 net/socket.c:316\n alloc_inode+0x6a/0x1b0 fs/inode.c:347\n new_inode_pseudo include/linux/fs.h:3003 [inline]\n sock_alloc net/socket.c:631 [inline]\n __sock_create+0x12d/0x9d0 net/socket.c:1562\n sock_create net/socket.c:1656 [inline]\n __sys_socketpair+0x1c4/0x560 net/socket.c:1803\n __do_sys_socketpair net/socket.c:1856 [inline]\n __se_sys_socketpair net/socket.c:1853 [inline]\n __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1853\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 15:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:253 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285\n kasan_slab_free include/linux/kasan.h:235 [inline]\n slab_free_hook mm/slub.c:2685 [inline]\n slab_free mm/slub.c:6165 [inline]\n kmem_cache_free+0x187/0x630 mm/slub.c:6295\n rcu_do_batch kernel/rcu/tree.c:\n---truncated---",
"id": "GHSA-52mq-7c45-jwp5",
"modified": "2026-05-03T09:33:10Z",
"published": "2026-05-01T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43016"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18861f87a043e78b1f901cae4237e755ed7ef095"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/68187f18a89be4b6237d28ae1313b5adf76238c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d597e3e74027900ffa81b8ff47ab51999a3e110"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad8391d37f334ee73ba91926f8b4e4cf6d31ea04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af95bc39a83d82ae6ad253986335037256888b3f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52P4-CQPV-XM5J
Vulnerability from github – Published: 2022-04-23 00:03 – Updated: 2024-05-01 18:30In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.
{
"affected": [],
"aliases": [
"CVE-2022-29582"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-22T16:15:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.",
"id": "GHSA-52p4-cqpv-xm5j",
"modified": "2024-05-01T18:30:34Z",
"published": "2022-04-23T00:03:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29582"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/e677edbcabee849bfdd43f1602bccbecf736a646"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e677edbcabee849bfdd43f1602bccbecf736a646"
},
{
"type": "WEB",
"url": "https://github.com/Ruia-ruia/CVE-2022-29582-Exploit"
},
{
"type": "WEB",
"url": "https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5127"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2022/04/22/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/04/22/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/08/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/24/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52P7-742F-7QM9
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to float removal.
{
"affected": [],
"aliases": [
"CVE-2011-2792"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-08-03T00:55:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in Google Chrome before 13.0.782.107 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to float removal.",
"id": "GHSA-52p7-742f-7qm9",
"modified": "2022-05-13T01:26:27Z",
"published": "2022-05-13T01:26:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2792"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/68954"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14511"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=87148"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00004.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/74242"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4981"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4999"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5000"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-52PV-4C2G-Q569
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the setAttribute method of a TimeField. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6486.
{
"affected": [],
"aliases": [
"CVE-2018-17649"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-24T04:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the setAttribute method of a TimeField. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6486.",
"id": "GHSA-52pv-4c2g-q569",
"modified": "2022-05-13T01:33:57Z",
"published": "2022-05-13T01:33:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17649"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1148"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52PV-8487-C6JP
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-06-30 03:36A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
{
"affected": [],
"aliases": [
"CVE-2026-28947"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T21:18:55Z",
"severity": "HIGH"
},
"details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.",
"id": "GHSA-52pv-8487-c6jp",
"modified": "2026-06-30T03:36:39Z",
"published": "2026-05-11T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28947"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127121"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127120"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127119"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127118"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127110"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28947.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-28947"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28148"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28147"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28146"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28114"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27804"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27785"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27728"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25927"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25918"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52Q6-3X8H-V328
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2025-10-22 00:32Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30554"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T19:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-52q6-3x8h-v328",
"modified": "2025-10-22T00:32:18Z",
"published": "2022-05-24T19:06:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30554"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1219857"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-06"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30554"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52R6-M74F-9G7W
Vulnerability from github – Published: 2022-11-21 18:30 – Updated: 2022-11-22 21:30A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 12.0.1.12430. By prematurely destroying annotation objects, a specially-crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.
{
"affected": [],
"aliases": [
"CVE-2022-38097"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-21T16:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability exists in the JavaScript engine of Foxit Software\u0027s PDF Reader, version 12.0.1.12430. By prematurely destroying annotation objects, a specially-crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.",
"id": "GHSA-52r6-m74f-9g7w",
"modified": "2022-11-22T21:30:18Z",
"published": "2022-11-21T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38097"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52V6-WPR7-XP26
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.3.37598. A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
{
"affected": [],
"aliases": [
"CVE-2021-21831"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-05T21:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability exists in the JavaScript engine of Foxit Software\u2019s PDF Reader, version 10.1.3.37598. A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.",
"id": "GHSA-52v6-wpr7-xp26",
"modified": "2022-05-24T22:28:13Z",
"published": "2022-05-24T22:28:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21831"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1294"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52W9-98Q8-6PWF
Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-14 06:30In the Linux kernel, the following vulnerability has been resolved:
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled work was the tail of its hash bucket. When doing this, it checks whether the preceding entry in acct->work_list has the same hash value, but never checks that the predecessor is hashed at all. io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash bits are never set for non-hashed work, so it returns 0. Thus, when a hashed bucket-0 work is cancelled while a non-hashed work is its list predecessor, the check spuriously passes and a pointer to the non-hashed io_kiocb is stored in wq->hash_tail[0].
Because non-hashed work is dequeued via the fast path in io_get_next_work(), which never touches hash_tail[], the stale pointer is never cleared. Therefore, after the non-hashed io_kiocb completes and is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the dangling pointer persists for the lifetime of the task; the next hashed bucket-0 enqueue dereferences it in io_wq_insert_work() and wq_list_add_after() writes through freed memory.
Add the missing io_wq_is_hashed() check so a non-hashed predecessor never inherits a hash_tail[] slot.
{
"affected": [],
"aliases": [
"CVE-2026-46274"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T16:16:40Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio-wq: check that the predecessor is hashed in io_wq_remove_pending()\n\nio_wq_remove_pending() needs to fix up wq-\u003ehash_tail[] if the cancelled\nwork was the tail of its hash bucket. When doing this, it checks whether\nthe preceding entry in acct-\u003ework_list has the same hash value, but\nnever checks that the predecessor is hashed at all. io_get_work_hash()\nis simply atomic_read(\u0026work-\u003eflags) \u003e\u003e IO_WQ_HASH_SHIFT, and the hash\nbits are never set for non-hashed work, so it returns 0. Thus, when a\nhashed bucket-0 work is cancelled while a non-hashed work is its list\npredecessor, the check spuriously passes and a pointer to the non-hashed\nio_kiocb is stored in wq-\u003ehash_tail[0].\n\nBecause non-hashed work is dequeued via the fast path in\nio_get_next_work(), which never touches hash_tail[], the stale pointer\nis never cleared. Therefore, after the non-hashed io_kiocb completes and\nis freed back to req_cachep, wq-\u003ehash_tail[0] is a dangling pointer. The\nio_wq is per-task (tctx-\u003eio_wq) and survives ring open/close, so the\ndangling pointer persists for the lifetime of the task; the next hashed\nbucket-0 enqueue dereferences it in io_wq_insert_work() and\nwq_list_add_after() writes through freed memory.\n\nAdd the missing io_wq_is_hashed() check so a non-hashed predecessor\nnever inherits a hash_tail[] slot.",
"id": "GHSA-52w9-98q8-6pwf",
"modified": "2026-06-14T06:30:23Z",
"published": "2026-06-08T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46274"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/252c5051dba9c709b6a72f2866f93e5e618b3f06"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a20ebf0c81b61f5ea3b1b529c100cad69b9f603"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d376c131af7c7739a87ff037ed2fdb67c2542c8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6bda9df0c0a3080804181464d5c0f4d78a4e769"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52X7-WCQQ-WFJP
Vulnerability from github – Published: 2024-01-02 18:30 – Updated: 2024-07-09 12:30A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user to escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2024-0193"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T18:15:08Z",
"severity": "HIGH"
},
"details": "A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user to escalate their privileges on the system.",
"id": "GHSA-52x7-wcqq-wfjp",
"modified": "2024-07-09T12:30:55Z",
"published": "2024-01-02T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0193"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1018"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1019"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1248"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4412"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4415"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0193"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.