CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-5F84-9CXM-X8FC
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 12:31Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-10003"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:42Z",
"severity": "HIGH"
},
"details": "Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-5f84-9cxm-x8fc",
"modified": "2026-05-29T12:31:24Z",
"published": "2026-05-29T00:38:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10003"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513609324"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5F8R-H2C3-XVQC
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-18 15:30After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.
This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
{
"affected": [],
"aliases": [
"CVE-2026-8336"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T04:17:42Z",
"severity": "HIGH"
},
"details": "After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command\u2019s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.\n\nThis issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.",
"id": "GHSA-5f8r-h2c3-xvqc",
"modified": "2026-05-18T15:30:33Z",
"published": "2026-05-13T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8336"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-121610"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red",
"type": "CVSS_V4"
}
]
}
GHSA-5FC2-9C9R-4RVQ
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-9881"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:46Z",
"severity": "CRITICAL"
},
"details": "Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)",
"id": "GHSA-5fc2-9c9r-4rvq",
"modified": "2026-05-29T18:31:22Z",
"published": "2026-05-29T00:38:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9881"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/505140741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FC8-2988-XMJX
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Microsoft Windows DNS allows an unauthorized attacker to elevate privileges over a network.
{
"affected": [],
"aliases": [
"CVE-2026-50487"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:54Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Windows DNS allows an unauthorized attacker to elevate privileges over a network.",
"id": "GHSA-5fc8-2988-xmjx",
"modified": "2026-07-14T18:32:27Z",
"published": "2026-07-14T18:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50487"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50487"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FFM-PJ46-CRX5
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unload event handling.
{
"affected": [],
"aliases": [
"CVE-2011-2846"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-09-19T12:02:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unload event handling.",
"id": "GHSA-5ffm-pj46-crx5",
"modified": "2022-05-13T01:26:51Z",
"published": "2022-05-13T01:26:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2846"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69872"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14451"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=89219"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/75545"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48274"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48288"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48377"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026774"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5FHJ-G3P3-PQ9G
Vulnerability from github – Published: 2022-07-20 22:47 – Updated: 2025-05-02 12:48There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection (GC). This means that if a GC happens at runtime then the collector will mistakenly think some Wasm stack frames do not have live references to garbage collected values and therefore reclaim and deallocate them. The function can then subsequently continue to use the values, leading later to use-after-free bugs. This bug was introduced in Cranelift's migration to the regalloc2 register allocator in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2.
Mitigations for this issue can be achieved by doing one of:
- Disabling the reference types proposal by passing
falsetowasmtime::Config::wasm_reference_types. - Downgrading to Wasmtime 0.36.0 or prior.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0.37.0"
},
{
"fixed": "0.38.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cranelift-codegen"
},
"ranges": [
{
"events": [
{
"introduced": "0.84.0"
},
{
"fixed": "0.85.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31146"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-20T22:47:13Z",
"nvd_published_at": "2022-07-21T04:15:00Z",
"severity": "MODERATE"
},
"details": "There is a bug in Wasmtime\u0027s code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection (GC). This means that if a GC happens at runtime then the collector will mistakenly think some Wasm stack frames do not have live references to garbage collected values and therefore reclaim and deallocate them. The function can then subsequently continue to use the values, leading later to use-after-free bugs. This bug was introduced in Cranelift\u0027s migration to the `regalloc2` register allocator in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2.\n\nMitigations for this issue can be achieved by doing one of:\n\n* Disabling the reference types proposal by passing `false` to [`wasmtime::Config::wasm_reference_types`](https://docs.rs/wasmtime/0.38.0/wasmtime/struct.Config.html#method.wasm_reference_types).\n* Downgrading to Wasmtime 0.36.0 or prior.",
"id": "GHSA-5fhj-g3p3-pq9g",
"modified": "2025-05-02T12:48:59Z",
"published": "2022-07-20T22:47:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-5fhj-g3p3-pq9g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31146"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/commit/2ba4bce5cc719e5a74e571a534424614e62ecc41"
},
{
"type": "WEB",
"url": "https://github.com/WebAssembly/reference-types"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0100.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Wasmtime vulnerable to Use After Free with `externref`s"
}
GHSA-5FP8-36F9-Q5MP
Vulnerability from github – Published: 2022-04-06 00:01 – Updated: 2022-04-09 00:00Use after free in Window Dialogue in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0460"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-05T01:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Window Dialogue in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-5fp8-36f9-q5mp",
"modified": "2022-04-09T00:00:31Z",
"published": "2022-04-06T00:01:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0460"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1250227"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FQ8-X84X-J269
Vulnerability from github – Published: 2023-12-31 00:30 – Updated: 2024-01-09 21:30ehttp 1.0.6 before 17405b9 has an epoll_socket.cpp read_func use-after-free. An attacker can make many connections over a short time to trigger this.
{
"affected": [],
"aliases": [
"CVE-2023-52266"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-31T00:15:44Z",
"severity": "HIGH"
},
"details": "ehttp 1.0.6 before 17405b9 has an epoll_socket.cpp read_func use-after-free. An attacker can make many connections over a short time to trigger this.",
"id": "GHSA-5fq8-x84x-j269",
"modified": "2024-01-09T21:30:28Z",
"published": "2023-12-31T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52266"
},
{
"type": "WEB",
"url": "https://github.com/hongliuliao/ehttp/issues/38"
},
{
"type": "WEB",
"url": "https://github.com/hongliuliao/ehttp/commit/17405b975948abc216f6a085d2d027ec1cfd5766"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FQH-WRRW-3QC9
Vulnerability from github – Published: 2025-06-06 15:30 – Updated: 2025-12-16 21:30In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free.
This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek.
{
"affected": [],
"aliases": [
"CVE-2025-38000"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T13:15:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc\u0027s peek() operation before incrementing sch-\u003eq.qlen and\nsch-\u003eqstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc\u0027s qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch-\u003eq.qlen and\nsch-\u003eqstats.backlog before the call to the child qdisc\u0027s peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek.",
"id": "GHSA-5fqh-wrrw-3qc9",
"modified": "2025-12-16T21:30:50Z",
"published": "2025-06-06T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38000"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FV2-P56V-GJQ9
Vulnerability from github – Published: 2022-05-14 02:27 – Updated: 2022-05-14 02:27Use-after-free vulnerability in the CWindow object implementation in Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2015-6042"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-10-14T01:59:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the CWindow object implementation in Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Internet Explorer Memory Corruption Vulnerability.\"",
"id": "GHSA-5fv2-p56v-gjq9",
"modified": "2022-05-14T02:27:22Z",
"published": "2022-05-14T02:27:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6042"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-106"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1033800"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-15-520"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.