CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-5P3J-XXV6-8526
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Acrobat Reader DC versions versions 2021.001.20155 (and earlier), 2020.001.30025 (and earlier) and 2017.011.30196 (and earlier) are affected by an Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-28632"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-24T18:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions versions 2021.001.20155 (and earlier), 2020.001.30025 (and earlier) and 2017.011.30196 (and earlier) are affected by an Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-5p3j-xxv6-8526",
"modified": "2022-05-24T19:12:01Z",
"published": "2022-05-24T19:12:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28632"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-37.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5P6F-33WG-988Q
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-8214"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-17T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-5p6f-33wg-988q",
"modified": "2022-05-24T16:59:25Z",
"published": "2022-05-24T16:59:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8214"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5P7P-JGVJ-4V95
Vulnerability from github – Published: 2026-06-05 12:31 – Updated: 2026-07-13 12:34A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.
{
"affected": [],
"aliases": [
"CVE-2026-50257"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T12:16:38Z",
"severity": "HIGH"
},
"details": "A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.",
"id": "GHSA-5p7p-jgvj-4v95",
"modified": "2026-07-13T12:34:55Z",
"published": "2026-06-05T12:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50257"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50257.json"
},
{
"type": "WEB",
"url": "https://redhat.atlassian.net/browse/PSIRTSUPT-16950"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2026-June/003702.html"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/f5abfb61994471023d8c6470428c8e30c411cc0b"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485382"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-50257"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38502"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36798"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36792"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36791"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36768"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36634"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36633"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36632"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29844"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28923"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26709"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26610"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26590"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26566"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5P8J-PQXG-FFP7
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-08-16 00:00Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
{
"affected": [],
"aliases": [
"CVE-2021-4052"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T01:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.",
"id": "GHSA-5p8j-pqxg-ffp7",
"modified": "2022-08-16T00:00:41Z",
"published": "2021-12-24T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4052"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1267661"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5046"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5P8M-JG9J-6Q8G
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2026-32200"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:26Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.",
"id": "GHSA-5p8m-jg9j-6q8g",
"modified": "2026-04-14T18:30:42Z",
"published": "2026-04-14T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32200"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32200"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5P99-HCG9-J3M3
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-11-06 21:30In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix htt pktlog locking
The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section.
Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues.
Compile tested only.
{
"affected": [],
"aliases": [
"CVE-2023-52800"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix htt pktlog locking\n\nThe ath11k active pdevs are protected by RCU but the htt pktlog handling\ncode calling ath11k_mac_get_ar_by_pdev_id() was not marked as a\nread-side critical section.\n\nMark the code in question as an RCU read-side critical section to avoid\nany potential use-after-free issues.\n\nCompile tested only.",
"id": "GHSA-5p99-hcg9-j3m3",
"modified": "2024-11-06T21:30:54Z",
"published": "2024-05-21T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52800"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PC4-M6CR-G3JJ
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185193931
{
"affected": [],
"aliases": [
"CVE-2021-0527"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-21T17:15:00Z",
"severity": "HIGH"
},
"details": "In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185193931",
"id": "GHSA-5pc4-m6cr-g3jj",
"modified": "2022-05-24T19:05:42Z",
"published": "2022-05-24T19:05:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0527"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-06-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5PFQ-57JV-XGM6
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30SQL Server Native Client Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43459"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:23Z",
"severity": "HIGH"
},
"details": "SQL Server Native Client Remote Code Execution Vulnerability",
"id": "GHSA-5pfq-57jv-xgm6",
"modified": "2024-11-12T18:30:58Z",
"published": "2024-11-12T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43459"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43459"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PG7-FR46-JX8J
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-06-19 15:33In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference.
The concurrent scenario that triggers the panic is as follows:
F2FS_WB_CP_DATA write callback umount - f2fs_write_checkpoint - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA) - blk_mq_end_request - bio_endio - f2fs_write_end_io : dec_page_count(sbi, F2FS_WB_CP_DATA) : wake_up(&sbi->cp_wait) - kill_f2fs_super - kill_block_super - f2fs_put_super : iput(sbi->node_inode) : sbi->node_inode = NULL : f2fs_in_warm_node_list - is_node_folio // sbi->node_inode is NULL and panic
The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic.
This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.
{
"affected": [],
"aliases": [
"CVE-2026-31715"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T14:16:21Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF caused by decrementing sbi-\u003enr_pages[] in f2fs_write_end_io()\n\nThe xfstests case \"generic/107\" and syzbot have both reported a NULL\npointer dereference.\n\nThe concurrent scenario that triggers the panic is as follows:\n\nF2FS_WB_CP_DATA write callback umount\n - f2fs_write_checkpoint\n - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)\n- blk_mq_end_request\n - bio_endio\n - f2fs_write_end_io\n : dec_page_count(sbi, F2FS_WB_CP_DATA)\n : wake_up(\u0026sbi-\u003ecp_wait)\n - kill_f2fs_super\n - kill_block_super\n - f2fs_put_super\n : iput(sbi-\u003enode_inode)\n : sbi-\u003enode_inode = NULL\n : f2fs_in_warm_node_list\n - is_node_folio // sbi-\u003enode_inode is NULL and panic\n\nThe root cause is that f2fs_put_super() calls iput(sbi-\u003enode_inode) and\nsets sbi-\u003enode_inode to NULL after sbi-\u003enr_pages[F2FS_WB_CP_DATA] is\ndecremented to zero. As a result, f2fs_in_warm_node_list() may\ndereference a NULL node_inode when checking whether a folio belongs to\nthe node inode, leading to a panic.\n\nThis patch fixes the issue by calling f2fs_in_warm_node_list() before\ndecrementing sbi-\u003enr_pages[F2FS_WB_CP_DATA], thus preventing the\nuse-after-free condition.",
"id": "GHSA-5pg7-fr46-jx8j",
"modified": "2026-06-19T15:33:09Z",
"published": "2026-05-01T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31715"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d40b26377f891e6dcb6efaf8ef9374c99be1b1d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1171f329cf1c175321251ac40fd126150d7ad1e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7be222de96c0f9eee6e65eeb017ef855ee185cfa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7dbdab4430e4654db9aacef12b9b3b8b29ca25cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffb94770dbdfb5411be5d9f44a960b010ec890ad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PGR-2GF9-WH94
Vulnerability from github – Published: 2023-09-04 15:30 – Updated: 2025-11-03 21:30Use After Free in GitHub repository vim/vim prior to 9.0.1858.
{
"affected": [],
"aliases": [
"CVE-2023-4752"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T14:15:08Z",
"severity": "HIGH"
},
"details": "Use After Free in GitHub repository vim/vim prior to 9.0.1858.",
"id": "GHSA-5pgr-2gf9-wh94",
"modified": "2025-11-03T21:30:54Z",
"published": "2023-09-04T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4752"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213984"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.