Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-5FWP-F47R-RG74

Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2024-03-12 12:30
VLAI
Details

Affected devices improperly handle specially crafted packets sent to port 102/tcp. This could allow an attacker to create a denial of service condition. A restart is needed to restore normal operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T12:15:13Z",
    "severity": "HIGH"
  },
  "details": "Affected devices improperly handle specially crafted packets sent to port 102/tcp.\nThis could allow an attacker to create a denial of service condition. A restart is needed to restore\nnormal operations.",
  "id": "GHSA-5fwp-f47r-rg74",
  "modified": "2024-03-12T12:30:47Z",
  "published": "2023-12-12T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46156"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-280603.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-592380.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-280603.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-592380.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FX6-F253-W3M2

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

In Foxit Reader 10.1.0.37527, a specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Foxit Reader 10.1.0.37527, a specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
  "id": "GHSA-5fx6-f253-w3m2",
  "modified": "2022-05-24T17:41:40Z",
  "published": "2022-05-24T17:41:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13548"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G36-G7F3-8Q34

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: fix use-after-free in encoder release path

The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work. This creates a race window where the workqueue handler (mtk_venc_worker) may still be accessing the context memory after it has been freed.

Race condition:

CPU 0 (release path)               CPU 1 (workqueue)
---------------------               ------------------
fops_vcodec_release()
  v4l2_m2m_ctx_release()
    v4l2_m2m_cancel_job()
    // waits for m2m job "done"
                                    mtk_venc_worker()
                                      v4l2_m2m_job_finish()
                                      // m2m job "done"
                                      // BUT worker still running!
                                      // post-job_finish access:
                                    other ctx dereferences
                                      // UAF if ctx already freed
    // returns (job "done")
  kfree(ctx)  // ctx freed

Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle. After v4l2_m2m_job_finish() is called, the m2m framework considers the job complete and v4l2_m2m_ctx_release() returns, but the worker function continues executing and may still access ctx.

The work is queued during encode operations via: queue_work(ctx->dev->encode_workqueue, &ctx->encode_work) The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx fields even after calling v4l2_m2m_job_finish().

This vulnerability was confirmed with KASAN by running an instrumented test module that widens the post-job_finish race window. KASAN detected:

BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180 Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12

Workqueue: mtk_vcodec_enc_wq mtk_venc_worker

Allocated by task 47: __kasan_kmalloc+0x7f/0x90 fops_vcodec_open+0x85/0x1a0

Freed by task 47: __kasan_slab_free+0x43/0x70 kfree+0xee/0x3a0 fops_vcodec_release+0xb7/0x190

Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx). This ensures the workqueue handler is both cancelled (if pending) and synchronized (waits for any running handler to complete) before the context is freed.

Placement rationale: The fix is placed after v4l2_ctrl_handler_free() and before list_del_init(&ctx->list). At this point, all m2m operations are done (v4l2_m2m_ctx_release() has returned), and we need to ensure the workqueue is synchronized before removing ctx from the list and freeing it.

Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during device_run() operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31584"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:33Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\n\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx-\u003eencode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\n\nRace condition:\n\n    CPU 0 (release path)               CPU 1 (workqueue)\n    ---------------------               ------------------\n    fops_vcodec_release()\n      v4l2_m2m_ctx_release()\n        v4l2_m2m_cancel_job()\n        // waits for m2m job \"done\"\n                                        mtk_venc_worker()\n                                          v4l2_m2m_job_finish()\n                                          // m2m job \"done\"\n                                          // BUT worker still running!\n                                          // post-job_finish access:\n                                        other ctx dereferences\n                                          // UAF if ctx already freed\n        // returns (job \"done\")\n      kfree(ctx)  // ctx freed\n\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\n\nThe work is queued during encode operations via:\n  queue_work(ctx-\u003edev-\u003eencode_workqueue, \u0026ctx-\u003eencode_work)\nThe worker function accesses ctx-\u003em2m_ctx, ctx-\u003edev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\n\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window. KASAN detected:\n\n  BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\n  Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\n\n  Workqueue: mtk_vcodec_enc_wq mtk_venc_worker\n\n  Allocated by task 47:\n    __kasan_kmalloc+0x7f/0x90\n    fops_vcodec_open+0x85/0x1a0\n\n  Freed by task 47:\n    __kasan_slab_free+0x43/0x70\n    kfree+0xee/0x3a0\n    fops_vcodec_release+0xb7/0x190\n\nFix this by calling cancel_work_sync(\u0026ctx-\u003eencode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\n\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(\u0026ctx-\u003elist). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during device_run() operations.",
  "id": "GHSA-5g36-g7f3-8q34",
  "modified": "2026-04-27T15:30:44Z",
  "published": "2026-04-24T15:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31584"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76e35091ffc722ba39b303e48bc5d08abb59dd56"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93d9a58961a9e09306857e999b3ee76aa4be67f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a9bdaf9dc42ccca50e53f82165292f74a365c11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8a55913552aed45108525d1851c65e1db0cc25b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1692337c6fa26e04f89b22a4d84bf5b7ada50d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f99353cd0e9f58bf17889049137b8d65fb44ebf1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G5J-4W29-MR24

Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/vkms: Fix use after free and double free on init error

If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it.

Fix both possible errors by initializing default_config only when the driver initialization succeeded.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:16:04Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix use after free and double free on init error\n\nIf the driver initialization fails, the vkms_exit() function might\naccess an uninitialized or freed default_config pointer and it might\ndouble free it.\n\nFix both possible errors by initializing default_config only when the\ndriver initialization succeeded.",
  "id": "GHSA-5g5j-4w29-mr24",
  "modified": "2025-11-03T21:33:37Z",
  "published": "2025-04-16T15:34:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22097"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f68f1cf09d06061eb549726ff8339e064eddebd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49a69f67f53518bdd9b7eeebf019a2da6cc0e954"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/561fc0c5cf41f646f3e9e61784cbc0fc832fb936"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79d138d137b80eeb0a83244d1cff29e64cf91067"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8a18bb53e06d6d3c1fd03d12533d6e333ba8853"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5eb8e347905ab17788a7903fa1d3d06747355f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ed15511a773df86205bda66c37193569575ae828"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G72-3H75-MGV2

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31
VLAI
Details

Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:16:51Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)",
  "id": "GHSA-5g72-3h75-mgv2",
  "modified": "2026-06-05T03:31:30Z",
  "published": "2026-06-05T00:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10896"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/513514692"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G77-9Q59-93H8

Vulnerability from github – Published: 2022-12-06 00:30 – Updated: 2022-12-08 21:30
VLAI
Details

An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-05T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.",
  "id": "GHSA-5g77-9q59-93h8",
  "modified": "2022-12-08T21:30:20Z",
  "published": "2022-12-06T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35254"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G8P-X9MM-C9VR

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in smb2_lock

If smb_lock->zero_len has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T16:15:25Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_lock\n\nIf smb_lock-\u003ezero_len has value, -\u003ellist of smb_lock is not delete and\nflock is old one. It will cause use-after-free on error handling\nroutine.",
  "id": "GHSA-5g8p-x9mm-c9vr",
  "modified": "2025-11-03T21:33:25Z",
  "published": "2025-04-01T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21945"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/410ce35a2ed6d0e114132bba29af49b69880c8c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/636e021646cf9b52ddfea7c809b018e91f2188cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84d2d1641b71dec326e8736a749b7ee76a9599fc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8573571060ca466cbef2c6f03306b2cc7b883506"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0609097fd10d618aed4864038393dd75131289e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GJX-XWMM-PW26

Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-29 20:06
VLAI
Details

The PowerVR GPU driver allows unprivileged apps to allocated pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this results in kernel memory corruption.Product: AndroidVersions: Android SoCAndroid ID: A-232441339

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-24T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The PowerVR GPU driver allows unprivileged apps to allocated pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this results in kernel memory corruption.Product: AndroidVersions: Android SoCAndroid ID: A-232441339",
  "id": "GHSA-5gjx-xwmm-pw26",
  "modified": "2022-08-29T20:06:57Z",
  "published": "2022-08-25T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20122"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-08-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GP6-334Q-267G

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: sched: Fix use after free in red_enqueue()

We can't use "skb" again after passing it to qdisc_enqueue(). This is basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb len before calling child enqueue").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:17Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: Fix use after free in red_enqueue()\n\nWe can\u0027t use \"skb\" again after passing it to qdisc_enqueue().  This is\nbasically identical to commit 2f09707d0c97 (\"sch_sfb: Also store skb\nlen before calling child enqueue\").",
  "id": "GHSA-5gp6-334q-267g",
  "modified": "2025-05-07T15:31:27Z",
  "published": "2025-05-01T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49921"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/170e5317042c302777ed6d59fdb84af9b0219d4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52e0429471976785c155bfbf51d80990c6cd46e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5960b9081baca85cc7dcb14aec1de85999ea9d36"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/795afe0b9bb6c915f0299a8e309936519be01619"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a238cdcf2bdc72207c74375fc8be13ee549ca9db"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e877f8fa49fbccc63cb2df2e9179bddc695b825a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc4b50adb400ee5ec527a04073174e8e73a139fa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GVC-4QPH-J93R

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-29T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.",
  "id": "GHSA-5gvc-4qph-j93r",
  "modified": "2022-05-24T19:06:33Z",
  "published": "2022-05-24T19:06:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28691"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-30"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210805-0002"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-374.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.