Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-56WM-H6F8-C34V

Vulnerability from github – Published: 2026-06-09 00:33 – Updated: 2026-06-09 12:32
VLAI
Details

Use after free in CameraCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T00:16:48Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in CameraCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-56wm-h6f8-c34v",
  "modified": "2026-06-09T12:32:02Z",
  "published": "2026-06-09T00:33:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11654"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/513362710"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-572W-C5X2-HQ26

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01
VLAI
Details

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.1.0.5096. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-03T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software\u0027s Foxit PDF Reader version 9.1.0.5096. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
  "id": "GHSA-572w-c5x2-hq26",
  "modified": "2022-05-13T01:01:50Z",
  "published": "2022-05-13T01:01:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3964"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0629"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5744-9F6R-JFW3

Vulnerability from github – Published: 2026-07-08 09:31 – Updated: 2026-07-08 09:31
VLAI
Details

The application opens the PDF, and JavaScript modifies the form. However, the related objects on the page lack complete lifecycle management and null value validation; when the page state changes, the application continuously dereferences invalid objects, eventually leading to a crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T09:16:32Z",
    "severity": "HIGH"
  },
  "details": "The application opens the PDF, and JavaScript modifies the form. However, the related objects on the page lack complete lifecycle management and null value validation; when the page state changes, the application continuously dereferences invalid objects, eventually leading to a crash.",
  "id": "GHSA-5744-9f6r-jfw3",
  "modified": "2026-07-08T09:31:51Z",
  "published": "2026-07-08T09:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57242"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-578J-W6C3-9G46

Vulnerability from github – Published: 2024-05-02 21:30 – Updated: 2024-05-02 21:30
VLAI
Details

Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-02T21:16:11Z",
    "severity": "HIGH"
  },
  "details": "Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-578j-w6c3-9g46",
  "modified": "2024-05-02T21:30:30Z",
  "published": "2024-05-02T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30303"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb24-07.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-579Q-3Q2M-34FW

Vulnerability from github – Published: 2025-02-27 03:33 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

pps: Fix a use-after-free

On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting:

pps pps1: removed
------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kobject_put+0x120/0x150
lr : kobject_put+0x120/0x150
sp : ffffffc0803d3ae0
x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001
x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440
x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600
x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20
x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 kobject_put+0x120/0x150
 cdev_put+0x20/0x3c
 __fput+0x2c4/0x2d8
 ____fput+0x1c/0x38
 task_work_run+0x70/0xfc
 do_exit+0x2a0/0x924
 do_group_exit+0x34/0x90
 get_signal+0x7fc/0x8c0
 do_signal+0x128/0x13b4
 do_notify_resume+0xdc/0x160
 el0_svc+0xd4/0xf8
 el0t_64_sync_handler+0x140/0x14c
 el0t_64_sync+0x190/0x194
---[ end trace 0000000000000000 ]---

...followed by more symptoms of corruption, with similar stacks:

refcount_t: underflow; use-after-free.
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception

This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board.

In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device.

But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.

pps_core: source serial1 got cdev (251:1)
<...>
pps pps1: removed
pps_core: unregistering pps1
pps_core: deallocating pps1
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I\u0027m seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n    pps pps1: removed\n    ------------[ cut here ]------------\n    kobject: \u0027(null)\u0027 (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : kobject_put+0x120/0x150\n    lr : kobject_put+0x120/0x150\n    sp : ffffffc0803d3ae0\n    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n    Call trace:\n     kobject_put+0x120/0x150\n     cdev_put+0x20/0x3c\n     __fput+0x2c4/0x2d8\n     ____fput+0x1c/0x38\n     task_work_run+0x70/0xfc\n     do_exit+0x2a0/0x924\n     do_group_exit+0x34/0x90\n     get_signal+0x7fc/0x8c0\n     do_signal+0x128/0x13b4\n     do_notify_resume+0xdc/0x160\n     el0_svc+0xd4/0xf8\n     el0t_64_sync_handler+0x140/0x14c\n     el0t_64_sync+0x190/0x194\n    ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n    refcount_t: underflow; use-after-free.\n    kernel BUG at lib/list_debug.c:62!\n    Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can\u0027t explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I\u0027ve\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can\u0027t reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n    pps_core: source serial1 got cdev (251:1)\n    \u003c...\u003e\n    pps pps1: removed\n    pps_core: unregistering pps1\n    pps_core: deallocating pps1",
  "id": "GHSA-579q-3q2m-34fw",
  "modified": "2026-07-14T15:31:16Z",
  "published": "2025-02-27T03:33:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57979"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57CW-J6VP-2P9M

Vulnerability from github – Published: 2026-04-06 17:51 – Updated: 2026-04-06 17:51
VLAI
Summary
OpenEXR has use after free in PyObject_StealAttrString
Details

Summary

There is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp.

This bug was found with ZeroPath.

Details

The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.).

https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115

https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L380-L387

https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L1258-L1286

PoC

import OpenEXR, Imath

# Any small EXR will do - use one from OpenEXR test images or any project file
path = "any_small.exr"

# Property returns a fresh temporary int subclass, so the buggy helper
# decrefs it to zero before passing it to PyLong_AsLong => UAF.
class FreshInt(int):
    def __new__(cls, v):
        return int.__new__(cls, v)
    def __del__(self):
        # stir the heap to make the UAF obvious under PYTHONMALLOC=debug
        _ = bytearray(1_000_000)

class PixelTypeProxy:
    @property
    def v(self):
        return FreshInt(Imath.PixelType.FLOAT)  # any small value is fine

f = OpenEXR.InputFile(path)
# channel() forces the wrapper to read pixel_type.v using the buggy helper
# which returns a dangling pointer
print("About to trigger UAF...")
f.channel("R", pixel_type=PixelTypeProxy())
print("If you get here without a crash, try again with AddressSanitizer.")

running

PYTHONMALLOC=debug PYTHONDEVMODE=1 python3 pt.py
About to trigger UAF...
Fatal Python error: Segmentation fault

Current thread 0x00000001f209a140 (most recent call first):
  File "/private/tmp/i/pt.py", line 24 in <module>

Current thread's C stack trace (most recent call first):
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at _Py_DumpStack+0x44 [0x1058c00f8]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at faulthandler_dump_c_stack+0x58 [0x1058d2f3c]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at faulthandler_fatal_error+0x160 [0x1058d2e00]
  Binary file "/usr/lib/system/libsystem_platform.dylib", at _sigtramp+0x38 [0x1841796a4]
  Binary file "/private/tmp/i/lib/python3.14/site-packages/OpenEXR.cpython-314-darwin.so", at _Z16init_OpenEXR_oldP7_object+0x1010 [0x105cb9e94]
  Binary file "/private/tmp/i/lib/python3.14/site-packages/OpenEXR.cpython-314-darwin.so", at _Z16init_OpenEXR_oldP7_object+0x1010 [0x105cb9e94]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at method_vectorcall_VARARGS_KEYWORDS+0x94 [0x1057032bc]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at PyObject_Vectorcall+0x58 [0x1056f5044]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at _PyEval_EvalFrameDefault+0x9cac [0x1058312d8]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at PyEval_EvalCode+0xf8 [0x105827130]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at run_mod+0xac [0x1058a2b60]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at pyrun_file+0xa4 [0x1058a123c]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at _PyRun_SimpleFileObject+0x100 [0x1058a07c0]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at _PyRun_AnyFileObject+0x50 [0x1058a0424]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at pymain_run_file_obj+0xa4 [0x1058cfcd8]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at pymain_run_file+0x48 [0x1058cfa20]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at Py_RunMain+0x354 [0x1058cef60]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at pymain_main+0xe8 [0x1058cf3f8]
  Binary file "/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python", at Py_BytesMain+0x28 [0x1058cf494]
  Binary file "/usr/lib/dyld", at start+0x17bc [0x183d9eb98]

Extension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg (total: 2)
Segmentation fault: 11     PYTHONMALLOC=debug PYTHONDEVMODE=1 python3 pt.py

Impact

Completely depends on the context. Typical memory stuff related to UAFs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OpenEXR"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OpenEXR"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OpenEXR"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T17:51:23Z",
    "nvd_published_at": "2025-11-10T22:15:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThere is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp.\n\nThis bug was found with [ZeroPath](https://zeropath.com/?utm_source=joshua.hu).\n\n### Details\n\nThe legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pass this dangling pointer to APIs like PyLong_AsLong/PyFloat_AsDouble, resulting in a use-after-free. This is invoked in multiple places (e.g., reading PixelType.v, Box2i, V2f, etc.).\n\nhttps://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115\n\nhttps://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L380-L387\n\nhttps://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L1258-L1286\n\n### PoC\n\n```py\nimport OpenEXR, Imath\n\n# Any small EXR will do - use one from OpenEXR test images or any project file\npath = \"any_small.exr\"\n\n# Property returns a fresh temporary int subclass, so the buggy helper\n# decrefs it to zero before passing it to PyLong_AsLong =\u003e UAF.\nclass FreshInt(int):\n    def __new__(cls, v):\n        return int.__new__(cls, v)\n    def __del__(self):\n        # stir the heap to make the UAF obvious under PYTHONMALLOC=debug\n        _ = bytearray(1_000_000)\n\nclass PixelTypeProxy:\n    @property\n    def v(self):\n        return FreshInt(Imath.PixelType.FLOAT)  # any small value is fine\n\nf = OpenEXR.InputFile(path)\n# channel() forces the wrapper to read pixel_type.v using the buggy helper\n# which returns a dangling pointer\nprint(\"About to trigger UAF...\")\nf.channel(\"R\", pixel_type=PixelTypeProxy())\nprint(\"If you get here without a crash, try again with AddressSanitizer.\")\n```\nrunning\n\n```shell\nPYTHONMALLOC=debug PYTHONDEVMODE=1 python3 pt.py\n```\n\n```\nAbout to trigger UAF...\nFatal Python error: Segmentation fault\n\nCurrent thread 0x00000001f209a140 (most recent call first):\n  File \"/private/tmp/i/pt.py\", line 24 in \u003cmodule\u003e\n\nCurrent thread\u0027s C stack trace (most recent call first):\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at _Py_DumpStack+0x44 [0x1058c00f8]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at faulthandler_dump_c_stack+0x58 [0x1058d2f3c]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at faulthandler_fatal_error+0x160 [0x1058d2e00]\n  Binary file \"/usr/lib/system/libsystem_platform.dylib\", at _sigtramp+0x38 [0x1841796a4]\n  Binary file \"/private/tmp/i/lib/python3.14/site-packages/OpenEXR.cpython-314-darwin.so\", at _Z16init_OpenEXR_oldP7_object+0x1010 [0x105cb9e94]\n  Binary file \"/private/tmp/i/lib/python3.14/site-packages/OpenEXR.cpython-314-darwin.so\", at _Z16init_OpenEXR_oldP7_object+0x1010 [0x105cb9e94]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at method_vectorcall_VARARGS_KEYWORDS+0x94 [0x1057032bc]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at PyObject_Vectorcall+0x58 [0x1056f5044]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at _PyEval_EvalFrameDefault+0x9cac [0x1058312d8]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at PyEval_EvalCode+0xf8 [0x105827130]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at run_mod+0xac [0x1058a2b60]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at pyrun_file+0xa4 [0x1058a123c]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at _PyRun_SimpleFileObject+0x100 [0x1058a07c0]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at _PyRun_AnyFileObject+0x50 [0x1058a0424]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at pymain_run_file_obj+0xa4 [0x1058cfcd8]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at pymain_run_file+0x48 [0x1058cfa20]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at Py_RunMain+0x354 [0x1058cef60]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at pymain_main+0xe8 [0x1058cf3f8]\n  Binary file \"/opt/homebrew/Cellar/python@3.14/3.14.0/Frameworks/Python.framework/Versions/3.14/Python\", at Py_BytesMain+0x28 [0x1058cf494]\n  Binary file \"/usr/lib/dyld\", at start+0x17bc [0x183d9eb98]\n\nExtension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg (total: 2)\nSegmentation fault: 11     PYTHONMALLOC=debug PYTHONDEVMODE=1 python3 pt.py\n```\n\n### Impact\n\nCompletely depends on the context. Typical memory stuff related to UAFs.",
  "id": "GHSA-57cw-j6vp-2p9m",
  "modified": "2026-04-06T17:51:23Z",
  "published": "2026-04-06T17:51:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-57cw-j6vp-2p9m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64183"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/openexr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/openexr/blob/b3a19903db0672c63055023aa788e592b16ec3c5/src/wrappers/python/PyOpenEXR_old.cpp#L109-L115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenEXR has use after free in PyObject_StealAttrString"
}

GHSA-57F5-G442-HRW2

Vulnerability from github – Published: 2023-05-09 15:30 – Updated: 2024-04-04 03:55
VLAI
Details

yasm v1.3.0 was discovered to contain a use after free via the function error at /nasm/nasm-pp.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-09T13:15:18Z",
    "severity": "MODERATE"
  },
  "details": "yasm v1.3.0 was discovered to contain a use after free via the function error at /nasm/nasm-pp.c.",
  "id": "GHSA-57f5-g442-hrw2",
  "modified": "2024-04-04T03:55:31Z",
  "published": "2023-05-09T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31974"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yasm/yasm/issues/208"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57H4-778P-3MP3

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

In acc_read of f_accessory.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173789633References: Upstream kernel

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-25T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In acc_read of f_accessory.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-173789633References: Upstream kernel",
  "id": "GHSA-57h4-778p-3mp3",
  "modified": "2022-05-24T19:18:45Z",
  "published": "2022-05-24T19:18:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0936"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2021-10-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-57HR-VQM5-57QG

Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38
VLAI
Details

An object lifecycle issue in Blink could lead to a use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-09T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An object lifecycle issue in Blink could lead to a use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.",
  "id": "GHSA-57hr-vqm5-57qg",
  "modified": "2022-05-14T01:38:22Z",
  "published": "2022-05-14T01:38:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17457"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/848306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57P3-53G8-W4H6

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 12:31
VLAI
Details

Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:53Z",
    "severity": "HIGH"
  },
  "details": "Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)",
  "id": "GHSA-57p3-53g8-w4h6",
  "modified": "2026-05-29T12:31:25Z",
  "published": "2026-05-29T00:38:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9957"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/504516117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.