Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9820 vulnerabilities reference this CWE, most recent first.

GHSA-5J57-53HQ-VMC7

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-26 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()

This driver's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:16Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()\n\nThis driver\u0027s remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver\u0027s remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself.",
  "id": "GHSA-5j57-53hq-vmc7",
  "modified": "2024-12-26T21:30:35Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47278"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b67808ade8893a1b3608ddd74fac7854786c919"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c597d5c59c7a6417dba06590f59b922e01188e8d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J5F-9WH9-HFJ9

Vulnerability from github – Published: 2025-02-12 15:31 – Updated: 2026-05-12 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

hrtimers: Handle CPU state correctly on hotplug

Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE:

Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online state, for instance CFS incorrectly assumes that the hrtick is already active, and the chance of the clockevent device to transition to oneshot mode is also lost forever for the CPU, unless it goes back to a lower state than CPUHP_HRTIMERS_PREPARE once.

This round-trip reveals another issue; cpu_base.online is not set to 1 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().

Aside of that, the bulk of the per CPU state is not reset either, which means there are dangling pointers in the worst case.

Address this by adding a corresponding startup() callback, which resets the stale per CPU state and sets the online flag.

[ tglx: Make the new callback unconditionally available, remove the online modification in the prepare() callback and clear the remaining state in the starting callback instead of the prepare callback ]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:31Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Handle CPU state correctly on hotplug\n\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\nCPUHP_ONLINE:\n\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\nto 1 throughout. However, during a CPU unplug operation, the tick and the\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\nstate, for instance CFS incorrectly assumes that the hrtick is already\nactive, and the chance of the clockevent device to transition to oneshot\nmode is also lost forever for the CPU, unless it goes back to a lower state\nthan CPUHP_HRTIMERS_PREPARE once.\n\nThis round-trip reveals another issue; cpu_base.online is not set to 1\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\n\nAside of that, the bulk of the per CPU state is not reset either, which\nmeans there are dangling pointers in the worst case.\n\nAddress this by adding a corresponding startup() callback, which resets the\nstale per CPU state and sets the online flag.\n\n[ tglx: Make the new callback unconditionally available, remove the online\n  \tmodification in the prepare() callback and clear the remaining\n  \tstate in the starting callback instead of the prepare callback ]",
  "id": "GHSA-5j5f-9wh9-hfj9",
  "modified": "2026-05-12T15:30:46Z",
  "published": "2025-02-12T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57951"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J92-W6XV-QP2M

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmet: avoid potential UAF in nvmet_req_complete()

An nvme target ->queue_response() operation implementation may free the request passed as argument. Such implementation potentially could result in a use after free of the request pointer when percpu_ref_put() is called in nvmet_req_complete().

Avoid such problem by using a local variable to save the sq pointer before calling __nvmet_req_complete(), thus avoiding dereferencing the req pointer after that function call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:30Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: avoid potential UAF in nvmet_req_complete()\n\nAn nvme target -\u003equeue_response() operation implementation may free the\nrequest passed as argument. Such implementation potentially could result\nin a use after free of the request pointer when percpu_ref_put() is\ncalled in nvmet_req_complete().\n\nAvoid such problem by using a local variable to save the sq pointer\nbefore calling __nvmet_req_complete(), thus avoiding dereferencing the\nreq pointer after that function call.",
  "id": "GHSA-5j92-w6xv-qp2m",
  "modified": "2025-11-10T18:30:29Z",
  "published": "2025-05-02T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53116"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04c394208831d5e0d5cfee46722eb0f033cd4083"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6173a77b7e9d3e202bdb9897b23f2a8afe7bf286"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ed9813871038b25a934b21ab76b5b7dbf44fc3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6317235da8aa7cb97529ebc8121cc2a4c4c437a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcd535f07c58342302a2cd2bdd8894fe0872c8a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e5d99b29012bbf0e86929403209723b2806500c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1d5888a5efe345b63c430b256e95acb0a475642"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fafcb4b26393870c45462f9af6a48e581dbbcf7e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J9P-C334-FVCP

Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-14 06:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

of: unittest: fix use-after-free in of_unittest_changeset()

The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46288"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T17:16:46Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: fix use-after-free in of_unittest_changeset()\n\nThe variable \u0027parent\u0027 is assigned the value of \u0027nchangeset\u0027 earlier in the\nfunction, meaning both point to the same struct device_node. The call to\nof_node_put(nchangeset) can decrement the reference count to zero and\nfree the node if there are no other holders. After that, the code still\nuses \u0027parent\u0027 to check for the presence of a property and to read a\nstring property, leading to a use-after-free.\n\nFix this by moving the of_node_put() call after the last access to\n\u0027parent\u0027, avoiding the UAF.",
  "id": "GHSA-5j9p-c334-fvcp",
  "modified": "2026-06-14T06:30:23Z",
  "published": "2026-06-08T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46288"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37318d1a27c9cc5a70d3cd7e49e30ec86f2b8ca1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6fdad20b7975bdc32e85b45f8f7c640f6687b81f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f0f0926f3010b10cff5e93446258f971e42f2fd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faecdd423c27f0d6090156a435ba9dbbac0eaddb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J9X-G954-9JRP

Vulnerability from github – Published: 2022-05-14 01:13 – Updated: 2022-05-14 01:13
VLAI
Details

In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-30T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc.",
  "id": "GHSA-5j9x-g954-9jrp",
  "modified": "2022-05-14T01:13:34Z",
  "published": "2022-05-14T01:13:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/michaelrsweet/mxml/issues/237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_1.txt.err"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_2.txt.err"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N53IJHDYR5HVQLKH4J6B27OEQLGKSGY5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNWF6BAU7S42O4LE4B74KIMHFE2HDNMI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JCP-H69W-6FG7

Vulnerability from github – Published: 2026-06-25 00:33 – Updated: 2026-06-27 06:30
VLAI
Details

A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T00:17:46Z",
    "severity": "MODERATE"
  },
  "details": "A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.",
  "id": "GHSA-5jcp-h69w-6fg7",
  "modified": "2026-06-27T06:30:25Z",
  "published": "2026-06-25T00:33:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/3284"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/README.md"
    },
    {
      "type": "WEB",
      "url": "https://infosec.exchange/@sigdevel/116780402249845037"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/27/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JGH-5FP7-98P9

Vulnerability from github – Published: 2024-09-11 15:31 – Updated: 2024-09-12 15:33
VLAI
Details

Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T14:15:13Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-5jgh-5fp7-98p9",
  "modified": "2024-09-12T15:33:00Z",
  "published": "2024-09-11T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8637"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_10.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/361784548"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JGM-Q5CF-6H4H

Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31
VLAI
Details

Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T17:15:56Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-5jgm-q5cf-6h4h",
  "modified": "2025-09-09T18:31:21Z",
  "published": "2025-09-09T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54112"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JGQ-H327-WHQC

Vulnerability from github – Published: 2024-11-04 12:32 – Updated: 2024-11-04 12:32
VLAI
Details

Memory corruption while handling session errors from firmware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T10:15:08Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption while handling session errors from firmware.",
  "id": "GHSA-5jgq-h327-whqc",
  "modified": "2024-11-04T12:32:56Z",
  "published": "2024-11-04T12:32:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38415"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JGQ-PV8M-5CX7

Vulnerability from github – Published: 2026-02-18 18:30 – Updated: 2026-03-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add chann_lock to protect ksmbd_chann_list xarray

ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del).

Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T16:22:32Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add chann_lock to protect ksmbd_chann_list xarray\n\nksmbd_chann_list xarray lacks synchronization, allowing use-after-free in\nmulti-channel sessions (between lookup_chann_list() and ksmbd_chann_del).\n\nAdds rw_semaphore chann_lock to struct ksmbd_session and protects\nall xa_load/xa_store/xa_erase accesses.",
  "id": "GHSA-5jgq-pv8m-5cx7",
  "modified": "2026-03-13T21:31:40Z",
  "published": "2026-02-18T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23226"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c2ca31608521895dd742a43beca4b4d29762345"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.