CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-5GWP-J3J8-5V64
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-04 15:30In the Linux kernel, the following vulnerability has been resolved:
ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
If the initialization fails in calling addrconf_init_net(), devconf_all is the pointer that has been released. Then ip6mr_sk_done() is called to release the net, accessing devconf->mc_forwarding directly causes invalid pointer access.
The process is as follows: setup_net() ops_init() addrconf_init_net() all = kmemdup(...) ---> alloc "all" ... net->ipv6.devconf_all = all; __addrconf_sysctl_register() ---> failed ... kfree(all); ---> ipv6.devconf_all invalid ... ops_exit_list() ... ip6mr_sk_done() devconf = net->ipv6.devconf_all; //devconf is invalid pointer if (!devconf || !atomic_read(&devconf->mc_forwarding))
The following is the Call Trace information: BUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0 Read of size 4 at addr ffff888075508e88 by task ip/14554 Call Trace: dump_stack_lvl+0x8e/0xd1 print_report+0x155/0x454 kasan_report+0xba/0x1f0 kasan_check_range+0x35/0x1b0 ip6mr_sk_done+0x112/0x3a0 rawv6_close+0x48/0x70 inet_release+0x109/0x230 inet6_release+0x4c/0x70 sock_release+0x87/0x1b0 igmp6_net_exit+0x6b/0x170 ops_exit_list+0xb0/0x170 setup_net+0x7ac/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f7963322547
Allocated by task 14554: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0xa1/0xb0 __kmalloc_node_track_caller+0x4a/0xb0 kmemdup+0x28/0x60 addrconf_init_net+0x1be/0x840 ops_init+0xa5/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 14554: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 _kasanslab_free+0x155/0x1b0 slab_free_freelist_hook+0x11b/0x220 kmem_cache_free+0xa4/0x360 addrconf_init_net+0x623/0x840 ops_init+0xa5/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0
{
"affected": [],
"aliases": [
"CVE-2022-50310"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:42Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed\n\nIf the initialization fails in calling addrconf_init_net(), devconf_all is\nthe pointer that has been released. Then ip6mr_sk_done() is called to\nrelease the net, accessing devconf-\u003emc_forwarding directly causes invalid\npointer access.\n\nThe process is as follows:\nsetup_net()\n\tops_init()\n\t\taddrconf_init_net()\n\t\tall = kmemdup(...) ---\u003e alloc \"all\"\n\t\t...\n\t\tnet-\u003eipv6.devconf_all = all;\n\t\t__addrconf_sysctl_register() ---\u003e failed\n\t\t...\n\t\tkfree(all); ---\u003e ipv6.devconf_all invalid\n\t\t...\n\tops_exit_list()\n\t\t...\n\t\tip6mr_sk_done()\n\t\t\tdevconf = net-\u003eipv6.devconf_all;\n\t\t\t//devconf is invalid pointer\n\t\t\tif (!devconf || !atomic_read(\u0026devconf-\u003emc_forwarding))\n\nThe following is the Call Trace information:\nBUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0\nRead of size 4 at addr ffff888075508e88 by task ip/14554\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x8e/0xd1\nprint_report+0x155/0x454\nkasan_report+0xba/0x1f0\nkasan_check_range+0x35/0x1b0\nip6mr_sk_done+0x112/0x3a0\nrawv6_close+0x48/0x70\ninet_release+0x109/0x230\ninet6_release+0x4c/0x70\nsock_release+0x87/0x1b0\nigmp6_net_exit+0x6b/0x170\nops_exit_list+0xb0/0x170\nsetup_net+0x7ac/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f7963322547\n\n\u003c/TASK\u003e\nAllocated by task 14554:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\n__kasan_kmalloc+0xa1/0xb0\n__kmalloc_node_track_caller+0x4a/0xb0\nkmemdup+0x28/0x60\naddrconf_init_net+0x1be/0x840\nops_init+0xa5/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFreed by task 14554:\nkasan_save_stack+0x1e/0x40\nkasan_set_track+0x21/0x30\nkasan_save_free_info+0x2a/0x40\n____kasan_slab_free+0x155/0x1b0\nslab_free_freelist_hook+0x11b/0x220\n__kmem_cache_free+0xa4/0x360\naddrconf_init_net+0x623/0x840\nops_init+0xa5/0x410\nsetup_net+0x5aa/0xbd0\ncopy_net_ns+0x2e6/0x6b0\ncreate_new_namespaces+0x382/0xa50\nunshare_nsproxy_namespaces+0xa6/0x1c0\nksys_unshare+0x3a4/0x7e0\n__x64_sys_unshare+0x2d/0x40\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0",
"id": "GHSA-5gwp-j3j8-5v64",
"modified": "2025-12-04T15:30:30Z",
"published": "2025-09-15T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50310"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ca695207ed2271ecbf8ee6c641970f621c157cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22a68c3b9362eaac7b035eba09e95e6b3f7a912c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GWV-Q5PW-GGRW
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-13 00:01Windows GDI Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-34498"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-14T18:15:00Z",
"severity": "HIGH"
},
"details": "Windows GDI Elevation of Privilege Vulnerability",
"id": "GHSA-5gwv-q5pw-ggrw",
"modified": "2022-07-13T00:01:26Z",
"published": "2022-05-24T19:07:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34498"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34498"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-825"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GXC-5WFV-R5F9
Vulnerability from github – Published: 2024-03-24 03:30 – Updated: 2025-03-14 03:31In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may access QNetworkReply header data via a dangling pointer.
{
"affected": [],
"aliases": [
"CVE-2024-30161"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-24T01:15:45Z",
"severity": "MODERATE"
},
"details": "In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may access QNetworkReply header data via a dangling pointer.",
"id": "GHSA-5gxc-5wfv-r5f9",
"modified": "2025-03-14T03:31:21Z",
"published": "2024-03-24T03:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30161"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/c/qt/qtbase/+/544314"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5H2W-VXV5-92F3
Vulnerability from github – Published: 2022-05-14 03:22 – Updated: 2022-05-14 03:22remctld in remctl before 3.14, when an attacker is authorized to execute a command that uses the sudo option, has a use-after-free that leads to a daemon crash, memory corruption, or arbitrary command execution.
{
"affected": [],
"aliases": [
"CVE-2018-0493"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-03T07:29:00Z",
"severity": "HIGH"
},
"details": "remctld in remctl before 3.14, when an attacker is authorized to execute a command that uses the sudo option, has a use-after-free that leads to a daemon crash, memory corruption, or arbitrary command execution.",
"id": "GHSA-5h2w-vxv5-92f3",
"modified": "2022-05-14T03:22:28Z",
"published": "2022-05-14T03:22:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0493"
},
{
"type": "WEB",
"url": "https://git.eyrie.org/?p=kerberos/remctl.git;a=commit;h=86c7e44090c988112a37589d2c7a94029eb5e641"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4159"
},
{
"type": "WEB",
"url": "https://www.eyrie.org/~eagle/software/remctl/security/2018-04-01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H57-625J-3FXR
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2021-1764"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T18:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause a denial of service.",
"id": "GHSA-5h57-625j-3fxr",
"modified": "2022-05-24T17:46:18Z",
"published": "2022-05-24T17:46:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1764"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212146"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212147"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212148"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212149"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5H5M-F4W8-FR6M
Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.
{
"affected": [],
"aliases": [
"CVE-2018-0001"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-10T22:29:00Z",
"severity": "CRITICAL"
},
"details": "A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.",
"id": "GHSA-5h5m-f4w8-fr6m",
"modified": "2022-05-14T03:43:34Z",
"published": "2022-05-14T03:43:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0001"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10828"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103092"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H67-QRJ6-3R9Q
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13Use after free in Permissions in Google Chrome prior to 93.0.4577.63 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30607"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-03T20:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Permissions in Google Chrome prior to 93.0.4577.63 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-5h67-qrj6-3r9q",
"modified": "2022-05-24T19:13:00Z",
"published": "2022-05-24T19:13:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30607"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop_31.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1235949"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30607"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5HCH-HC3R-5HP2
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-53735"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T18:15:43Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
"id": "GHSA-5hch-hc3r-5hp2",
"modified": "2025-08-12T18:31:32Z",
"published": "2025-08-12T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53735"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53735"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5HF4-4QJP-Q973
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-05-24 16:54Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2019-8013"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T20:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-5hf4-4qjp-q973",
"modified": "2022-05-24T16:54:11Z",
"published": "2022-05-24T16:54:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8013"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-41.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5HGX-86QP-F7H3
Vulnerability from github – Published: 2023-02-18 00:31 – Updated: 2023-02-18 00:31FrameMaker 2020 Update 4 (and earlier), 2022 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-21584"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-17T22:15:00Z",
"severity": "MODERATE"
},
"details": "FrameMaker 2020 Update 4 (and earlier), 2022 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-5hgx-86qp-f7h3",
"modified": "2023-02-18T00:31:59Z",
"published": "2023-02-18T00:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21584"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/framemaker/apsb23-06.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.