CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-5FWP-F47R-RG74
Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2024-03-12 12:30Affected devices improperly handle specially crafted packets sent to port 102/tcp. This could allow an attacker to create a denial of service condition. A restart is needed to restore normal operations.
{
"affected": [],
"aliases": [
"CVE-2023-46156"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T12:15:13Z",
"severity": "HIGH"
},
"details": "Affected devices improperly handle specially crafted packets sent to port 102/tcp.\nThis could allow an attacker to create a denial of service condition. A restart is needed to restore\nnormal operations.",
"id": "GHSA-5fwp-f47r-rg74",
"modified": "2024-03-12T12:30:47Z",
"published": "2023-12-12T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46156"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-280603.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-592380.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-280603.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-592380.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FX6-F253-W3M2
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41In Foxit Reader 10.1.0.37527, a specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-13548"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T20:15:00Z",
"severity": "HIGH"
},
"details": "In Foxit Reader 10.1.0.37527, a specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
"id": "GHSA-5fx6-f253-w3m2",
"modified": "2022-05-24T17:41:40Z",
"published": "2022-05-24T17:41:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13548"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G36-G7F3-8Q34
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 15:30In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: fix use-after-free in encoder release path
The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work. This creates a race window where the workqueue handler (mtk_venc_worker) may still be accessing the context memory after it has been freed.
Race condition:
CPU 0 (release path) CPU 1 (workqueue)
--------------------- ------------------
fops_vcodec_release()
v4l2_m2m_ctx_release()
v4l2_m2m_cancel_job()
// waits for m2m job "done"
mtk_venc_worker()
v4l2_m2m_job_finish()
// m2m job "done"
// BUT worker still running!
// post-job_finish access:
other ctx dereferences
// UAF if ctx already freed
// returns (job "done")
kfree(ctx) // ctx freed
Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle. After v4l2_m2m_job_finish() is called, the m2m framework considers the job complete and v4l2_m2m_ctx_release() returns, but the worker function continues executing and may still access ctx.
The work is queued during encode operations via: queue_work(ctx->dev->encode_workqueue, &ctx->encode_work) The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx fields even after calling v4l2_m2m_job_finish().
This vulnerability was confirmed with KASAN by running an instrumented test module that widens the post-job_finish race window. KASAN detected:
BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180 Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12
Workqueue: mtk_vcodec_enc_wq mtk_venc_worker
Allocated by task 47: __kasan_kmalloc+0x7f/0x90 fops_vcodec_open+0x85/0x1a0
Freed by task 47: __kasan_slab_free+0x43/0x70 kfree+0xee/0x3a0 fops_vcodec_release+0xb7/0x190
Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx). This ensures the workqueue handler is both cancelled (if pending) and synchronized (waits for any running handler to complete) before the context is freed.
Placement rationale: The fix is placed after v4l2_ctrl_handler_free() and before list_del_init(&ctx->list). At this point, all m2m operations are done (v4l2_m2m_ctx_release() has returned), and we need to ensure the workqueue is synchronized before removing ctx from the list and freeing it.
Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during device_run() operations.
{
"affected": [],
"aliases": [
"CVE-2026-31584"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:33Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix use-after-free in encoder release path\n\nThe fops_vcodec_release() function frees the context structure (ctx)\nwithout first cancelling any pending or running work in ctx-\u003eencode_work.\nThis creates a race window where the workqueue handler (mtk_venc_worker)\nmay still be accessing the context memory after it has been freed.\n\nRace condition:\n\n CPU 0 (release path) CPU 1 (workqueue)\n --------------------- ------------------\n fops_vcodec_release()\n v4l2_m2m_ctx_release()\n v4l2_m2m_cancel_job()\n // waits for m2m job \"done\"\n mtk_venc_worker()\n v4l2_m2m_job_finish()\n // m2m job \"done\"\n // BUT worker still running!\n // post-job_finish access:\n other ctx dereferences\n // UAF if ctx already freed\n // returns (job \"done\")\n kfree(ctx) // ctx freed\n\nRoot cause: The v4l2_m2m_ctx_release() only waits for the m2m job\nlifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.\nAfter v4l2_m2m_job_finish() is called, the m2m framework considers\nthe job complete and v4l2_m2m_ctx_release() returns, but the worker\nfunction continues executing and may still access ctx.\n\nThe work is queued during encode operations via:\n queue_work(ctx-\u003edev-\u003eencode_workqueue, \u0026ctx-\u003eencode_work)\nThe worker function accesses ctx-\u003em2m_ctx, ctx-\u003edev, and other ctx\nfields even after calling v4l2_m2m_job_finish().\n\nThis vulnerability was confirmed with KASAN by running an instrumented\ntest module that widens the post-job_finish race window. KASAN detected:\n\n BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180\n Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12\n\n Workqueue: mtk_vcodec_enc_wq mtk_venc_worker\n\n Allocated by task 47:\n __kasan_kmalloc+0x7f/0x90\n fops_vcodec_open+0x85/0x1a0\n\n Freed by task 47:\n __kasan_slab_free+0x43/0x70\n kfree+0xee/0x3a0\n fops_vcodec_release+0xb7/0x190\n\nFix this by calling cancel_work_sync(\u0026ctx-\u003eencode_work) before kfree(ctx).\nThis ensures the workqueue handler is both cancelled (if pending) and\nsynchronized (waits for any running handler to complete) before the\ncontext is freed.\n\nPlacement rationale: The fix is placed after v4l2_ctrl_handler_free()\nand before list_del_init(\u0026ctx-\u003elist). At this point, all m2m operations\nare done (v4l2_m2m_ctx_release() has returned), and we need to ensure\nthe workqueue is synchronized before removing ctx from the list and\nfreeing it.\n\nNote: The open error path does NOT need cancel_work_sync() because\nINIT_WORK() only initializes the work structure - it does not schedule\nit. Work is only scheduled later during device_run() operations.",
"id": "GHSA-5g36-g7f3-8q34",
"modified": "2026-04-27T15:30:44Z",
"published": "2026-04-24T15:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31584"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76e35091ffc722ba39b303e48bc5d08abb59dd56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93d9a58961a9e09306857e999b3ee76aa4be67f0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a9bdaf9dc42ccca50e53f82165292f74a365c11"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a8a55913552aed45108525d1851c65e1db0cc25b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1692337c6fa26e04f89b22a4d84bf5b7ada50d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f99353cd0e9f58bf17889049137b8d65fb44ebf1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G5J-4W29-MR24
Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
drm/vkms: Fix use after free and double free on init error
If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it.
Fix both possible errors by initializing default_config only when the driver initialization succeeded.
{
"affected": [],
"aliases": [
"CVE-2025-22097"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T15:16:04Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix use after free and double free on init error\n\nIf the driver initialization fails, the vkms_exit() function might\naccess an uninitialized or freed default_config pointer and it might\ndouble free it.\n\nFix both possible errors by initializing default_config only when the\ndriver initialization succeeded.",
"id": "GHSA-5g5j-4w29-mr24",
"modified": "2025-11-03T21:33:37Z",
"published": "2025-04-16T15:34:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22097"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f68f1cf09d06061eb549726ff8339e064eddebd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49a69f67f53518bdd9b7eeebf019a2da6cc0e954"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/561fc0c5cf41f646f3e9e61784cbc0fc832fb936"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/79d138d137b80eeb0a83244d1cff29e64cf91067"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b8a18bb53e06d6d3c1fd03d12533d6e333ba8853"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5eb8e347905ab17788a7903fa1d3d06747355f5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed15511a773df86205bda66c37193569575ae828"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G72-3H75-MGV2
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-10896"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:51Z",
"severity": "HIGH"
},
"details": "Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)",
"id": "GHSA-5g72-3h75-mgv2",
"modified": "2026-06-05T03:31:30Z",
"published": "2026-06-05T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10896"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513514692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G77-9Q59-93H8
Vulnerability from github – Published: 2022-12-06 00:30 – Updated: 2022-12-08 21:30An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.
{
"affected": [],
"aliases": [
"CVE-2022-35254"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-05T22:15:00Z",
"severity": "HIGH"
},
"details": "An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.",
"id": "GHSA-5g77-9q59-93h8",
"modified": "2022-12-08T21:30:20Z",
"published": "2022-12-06T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35254"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5G8P-X9MM-C9VR
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in smb2_lock
If smb_lock->zero_len has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine.
{
"affected": [],
"aliases": [
"CVE-2025-21945"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T16:15:25Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_lock\n\nIf smb_lock-\u003ezero_len has value, -\u003ellist of smb_lock is not delete and\nflock is old one. It will cause use-after-free on error handling\nroutine.",
"id": "GHSA-5g8p-x9mm-c9vr",
"modified": "2025-11-03T21:33:25Z",
"published": "2025-04-01T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21945"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/410ce35a2ed6d0e114132bba29af49b69880c8c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/636e021646cf9b52ddfea7c809b018e91f2188cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84d2d1641b71dec326e8736a749b7ee76a9599fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8573571060ca466cbef2c6f03306b2cc7b883506"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0609097fd10d618aed4864038393dd75131289e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GJX-XWMM-PW26
Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-29 20:06The PowerVR GPU driver allows unprivileged apps to allocated pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this results in kernel memory corruption.Product: AndroidVersions: Android SoCAndroid ID: A-232441339
{
"affected": [],
"aliases": [
"CVE-2022-20122"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "The PowerVR GPU driver allows unprivileged apps to allocated pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this results in kernel memory corruption.Product: AndroidVersions: Android SoCAndroid ID: A-232441339",
"id": "GHSA-5gjx-xwmm-pw26",
"modified": "2022-08-29T20:06:57Z",
"published": "2022-08-25T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20122"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-08-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GP6-334Q-267G
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31In the Linux kernel, the following vulnerability has been resolved:
net: sched: Fix use after free in red_enqueue()
We can't use "skb" again after passing it to qdisc_enqueue(). This is basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb len before calling child enqueue").
{
"affected": [],
"aliases": [
"CVE-2022-49921"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:17Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: Fix use after free in red_enqueue()\n\nWe can\u0027t use \"skb\" again after passing it to qdisc_enqueue(). This is\nbasically identical to commit 2f09707d0c97 (\"sch_sfb: Also store skb\nlen before calling child enqueue\").",
"id": "GHSA-5gp6-334q-267g",
"modified": "2025-05-07T15:31:27Z",
"published": "2025-05-01T15:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49921"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/170e5317042c302777ed6d59fdb84af9b0219d4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52e0429471976785c155bfbf51d80990c6cd46e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5960b9081baca85cc7dcb14aec1de85999ea9d36"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/795afe0b9bb6c915f0299a8e309936519be01619"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a238cdcf2bdc72207c74375fc8be13ee549ca9db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e877f8fa49fbccc63cb2df2e9179bddc695b825a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc4b50adb400ee5ec527a04073174e8e73a139fa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GVC-4QPH-J93R
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.
{
"affected": [],
"aliases": [
"CVE-2021-28691"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-29T12:15:00Z",
"severity": "HIGH"
},
"details": "Guest triggered use-after-free in Linux xen-netback A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.",
"id": "GHSA-5gvc-4qph-j93r",
"modified": "2022-05-24T19:06:33Z",
"published": "2022-05-24T19:06:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28691"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-30"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210805-0002"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-374.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.