CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9820 vulnerabilities reference this CWE, most recent first.
GHSA-5JH3-V7Q7-QV3Q
Vulnerability from github – Published: 2024-12-28 06:30 – Updated: 2024-12-28 18:30Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.
{
"affected": [],
"aliases": [
"CVE-2024-46973"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-28T05:15:08Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.",
"id": "GHSA-5jh3-v7q7-qv3q",
"modified": "2024-12-28T18:30:48Z",
"published": "2024-12-28T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46973"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JH9-CX9R-V7WW
Vulnerability from github – Published: 2022-01-07 00:00 – Updated: 2022-01-13 00:01An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
{
"affected": [],
"aliases": [
"CVE-2021-46142"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-06T04:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.",
"id": "GHSA-5jh9-cx9r-v7ww",
"modified": "2022-01-13T00:01:29Z",
"published": "2022-01-07T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46142"
},
{
"type": "WEB",
"url": "https://github.com/uriparser/uriparser/issues/122"
},
{
"type": "WEB",
"url": "https://github.com/uriparser/uriparser/pull/124"
},
{
"type": "WEB",
"url": "https://blog.hartwork.org/posts/uriparser-096-with-security-fixes-released"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO6T7WA27H7K3WI2AXUAGPWBGK4HM65D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YGIJTDNEMU2V4H3JJBQVKBRHU5GBQKG2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5063"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5JHC-4HQ3-5WP3
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14033.
{
"affected": [],
"aliases": [
"CVE-2021-34844"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-04T16:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14033.",
"id": "GHSA-5jhc-4hq3-5wp3",
"modified": "2022-05-24T19:09:57Z",
"published": "2022-05-24T19:09:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34844"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-926"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5JHR-GG3J-GGCF
Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-07-03 18:38Use after free in Dawn in Google Chrome prior to 124.0.6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-4368"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T13:15:52Z",
"severity": "MODERATE"
},
"details": "Use after free in Dawn in Google Chrome prior to 124.0.6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-5jhr-gg3j-ggcf",
"modified": "2024-07-03T18:38:09Z",
"published": "2024-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4368"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/333508731"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPETICRXUOGRIM4U3BCRTIKE3IZWCSBT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7I4FMQSOVTCIIH4XT2MJGEQRUACLPB6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE3ASLH6QF2E5OVJI5VA3JSEPJFFFMNY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5JM2-2WJJ-8RGG
Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2022-05-14 03:56A use after free in PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
{
"affected": [],
"aliases": [
"CVE-2016-5211"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-19T05:59:00Z",
"severity": "HIGH"
},
"details": "A use after free in PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.",
"id": "GHSA-5jm2-2wjj-8rgg",
"modified": "2022-05-14T03:56:36Z",
"published": "2022-05-14T03:56:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5211"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/649229"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201612-11"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2919.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JPX-997X-JHRP
Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: Don't reference skb after sending to VIOS
Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb.
It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will result in use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic] Read of size 4 at addr c00000024eb48a70 by task hxecom/14495 <...> Call Trace: [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable) [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0 [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8 [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0 [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic] [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358 <...> Freed by task 0: kasan_save_stack+0x34/0x68 kasan_save_track+0x2c/0x50 kasan_save_free_info+0x64/0x108 __kasan_mempool_poison_object+0x148/0x2d4 napi_skb_cache_put+0x5c/0x194 net_tx_action+0x154/0x5b8 handle_softirqs+0x20c/0x60c do_softirq_own_stack+0x6c/0x88 <...> The buggy address belongs to the object at c00000024eb48a00 which belongs to the cache skbuff_head_cache of size 224 ==================================================================
{
"affected": [],
"aliases": [
"CVE-2025-21855"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T10:15:18Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Don\u0027t reference skb after sending to VIOS\n\nPreviously, after successfully flushing the xmit buffer to VIOS,\nthe tx_bytes stat was incremented by the length of the skb.\n\nIt is invalid to access the skb memory after sending the buffer to\nthe VIOS because, at any point after sending, the VIOS can trigger\nan interrupt to free this memory. A race between reading skb-\u003elen\nand freeing the skb is possible (especially during LPM) and will\nresult in use-after-free:\n ==================================================================\n BUG: KASAN: slab-use-after-free in ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n Read of size 4 at addr c00000024eb48a70 by task hxecom/14495\n \u003c...\u003e\n Call Trace:\n [c000000118f66cf0] [c0000000018cba6c] dump_stack_lvl+0x84/0xe8 (unreliable)\n [c000000118f66d20] [c0000000006f0080] print_report+0x1a8/0x7f0\n [c000000118f66df0] [c0000000006f08f0] kasan_report+0x128/0x1f8\n [c000000118f66f00] [c0000000006f2868] __asan_load4+0xac/0xe0\n [c000000118f66f20] [c0080000046eac84] ibmvnic_xmit+0x75c/0x1808 [ibmvnic]\n [c000000118f67340] [c0000000014be168] dev_hard_start_xmit+0x150/0x358\n \u003c...\u003e\n Freed by task 0:\n kasan_save_stack+0x34/0x68\n kasan_save_track+0x2c/0x50\n kasan_save_free_info+0x64/0x108\n __kasan_mempool_poison_object+0x148/0x2d4\n napi_skb_cache_put+0x5c/0x194\n net_tx_action+0x154/0x5b8\n handle_softirqs+0x20c/0x60c\n do_softirq_own_stack+0x6c/0x88\n \u003c...\u003e\n The buggy address belongs to the object at c00000024eb48a00 which\n belongs to the cache skbuff_head_cache of size 224\n==================================================================",
"id": "GHSA-5jpx-997x-jhrp",
"modified": "2025-11-03T21:33:10Z",
"published": "2025-03-12T12:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21855"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/093b0e5c90592773863f300b908b741622eef597"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25dddd01dcc8ef3acff964dbb32eeb0d89f098e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/501ac6a7e21b82e05207c6b4449812d82820f306"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/abaff2717470e4b5b7c0c3a90e128b211a23da09"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bdf5d13aa05ec314d4385b31ac974d6c7e0997c9"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JQR-8VWQ-W36C
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
drbd: add missing kref_get in handle_write_conflicts
With two-primaries enabled, DRBD tries to detect "concurrent" writes
and handle write conflicts, so that even if you write to the same sector
simultaneously on both nodes, they end up with the identical data once
the writes are completed.
In handling "superseeded" writes, we forgot a kref_get, resulting in a premature drbd_destroy_device and use after free, and further to kernel crashes with symptoms.
Relevance: No one should use DRBD as a random data generator, and apparently all users of "two-primaries" handle concurrent writes correctly on layer up. That is cluster file systems use some distributed lock manager, and live migration in virtualization environments stops writes on one node before starting writes on the other node.
Which means that other than for "test cases", this code path is never taken in real life.
FYI, in DRBD 9, things are handled differently nowadays. We still detect "write conflicts", but no longer try to be smart about them. We decided to disconnect hard instead: upper layers must not submit concurrent writes. If they do, that's their fault.
{
"affected": [],
"aliases": [
"CVE-2025-38708"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrbd: add missing kref_get in handle_write_conflicts\n\nWith `two-primaries` enabled, DRBD tries to detect \"concurrent\" writes\nand handle write conflicts, so that even if you write to the same sector\nsimultaneously on both nodes, they end up with the identical data once\nthe writes are completed.\n\nIn handling \"superseeded\" writes, we forgot a kref_get,\nresulting in a premature drbd_destroy_device and use after free,\nand further to kernel crashes with symptoms.\n\nRelevance: No one should use DRBD as a random data generator, and apparently\nall users of \"two-primaries\" handle concurrent writes correctly on layer up.\nThat is cluster file systems use some distributed lock manager,\nand live migration in virtualization environments stops writes on one node\nbefore starting writes on the other node.\n\nWhich means that other than for \"test cases\",\nthis code path is never taken in real life.\n\nFYI, in DRBD 9, things are handled differently nowadays. We still detect\n\"write conflicts\", but no longer try to be smart about them.\nWe decided to disconnect hard instead: upper layers must not submit concurrent\nwrites. If they do, that\u0027s their fault.",
"id": "GHSA-5jqr-8vwq-w36c",
"modified": "2026-05-12T15:31:01Z",
"published": "2025-09-05T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38708"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/00c9c9628b49e368d140cfa61d7df9b8922ec2a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0336bfe9c237476bd7c45605a36ca79c2bca62e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a896498f6f577e57bf26aaa93b48c22b6d20c20"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/46e3763dcae0ffcf8fcfaff4fc10a90a92ffdd89"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57418de35420cedab035aa1da8a26c0499b7f575"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d483ad300fc0a06f69b019dda8f74970714baf8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/810cd546a29bfac90ed1328ea01d693d4bd11cb1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84ef8dd3238330d1795745ece83b19f0295751bf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f53b2433ad248cd3342cc345f56f5c7904bd8c4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JRP-52F4-5FH9
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-49703"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:57Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.",
"id": "GHSA-5jrp-52f4-5fh9",
"modified": "2025-07-08T18:31:48Z",
"published": "2025-07-08T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49703"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49703"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JXW-J59V-XHXG
Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21399"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T01:15:08Z",
"severity": "HIGH"
},
"details": "Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability",
"id": "GHSA-5jxw-j59v-xhxg",
"modified": "2024-02-02T03:30:32Z",
"published": "2024-02-02T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21399"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21399"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5M23-P78P-XGRG
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-20870"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T18:16:16Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-5m23-p78p-xgrg",
"modified": "2026-01-13T18:31:09Z",
"published": "2026-01-13T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20870"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20870"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.