Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9813 vulnerabilities reference this CWE, most recent first.

GHSA-5QM2-PPW6-VQGQ

Vulnerability from github – Published: 2026-02-06 09:30 – Updated: 2026-02-06 09:30
VLAI
Details

UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-06T09:15:51Z",
    "severity": "HIGH"
  },
  "details": "UAF concurrency vulnerability in the graphics module.\nImpact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-5qm2-ppw6-vqgq",
  "modified": "2026-02-06T09:30:29Z",
  "published": "2026-02-06T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24930"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2026/2"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QMP-W6RV-24WF

Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ax25: rcu protect dev->ax25_ptr

syzbot found a lockdep issue [1].

We should remove ax25 RTNL dependency in ax25_setsockopt()

This should also fix a variety of possible UAF in ax25.

[1]

WARNING: possible circular locking dependency detected 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted


syz.5.1818/12806 is trying to acquire lock: ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680

but task is already holding lock: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline] ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sk_lock-AF_AX25){+.+.}-{0:0}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 lock_sock_nested+0x48/0x100 net/core/sock.c:3642 lock_sock include/net/sock.h:1618 [inline] ax25_kill_by_device net/ax25/af_ax25.c:101 [inline] ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146 notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 __dev_notify_flags+0x207/0x400 dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026 dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563 dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820 sock_do_ioctl+0x240/0x460 net/socket.c:1234 sock_ioctl+0x626/0x8e0 net/socket.c:1339 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (rtnl_mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735 ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680 do_sock_setsockopt+0x3af/0x720 net/socket.c:2324 __sys_setsockopt net/socket.c:2349 [inline] __do_sys_setsockopt net/socket.c:2355 [inline] __se_sys_setsockopt net/socket.c:2352 [inline] __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

   CPU0                    CPU1
   ----                    ----

lock(sk_lock-AF_AX25); lock(rtnl_mutex); lock(sk_lock-AF_AX25); lock(rtnl_mutex);

*** DEADLOCK ***

1 lock held by syz.5.1818/12806: #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline] #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574

stack backtrace: CPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/lockin ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T20:16:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: rcu protect dev-\u003eax25_ptr\n\nsyzbot found a lockdep issue [1].\n\nWe should remove ax25 RTNL dependency in ax25_setsockopt()\n\nThis should also fix a variety of possible UAF in ax25.\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0 Not tainted\n------------------------------------------------------\nsyz.5.1818/12806 is trying to acquire lock:\n ffffffff8fcb3988 (rtnl_mutex){+.+.}-{4:4}, at: ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680\n\nbut task is already holding lock:\n ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]\n ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #1 (sk_lock-AF_AX25){+.+.}-{0:0}:\n        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n        lock_sock_nested+0x48/0x100 net/core/sock.c:3642\n        lock_sock include/net/sock.h:1618 [inline]\n        ax25_kill_by_device net/ax25/af_ax25.c:101 [inline]\n        ax25_device_event+0x24d/0x580 net/ax25/af_ax25.c:146\n        notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85\n       __dev_notify_flags+0x207/0x400\n        dev_change_flags+0xf0/0x1a0 net/core/dev.c:9026\n        dev_ifsioc+0x7c8/0xe70 net/core/dev_ioctl.c:563\n        dev_ioctl+0x719/0x1340 net/core/dev_ioctl.c:820\n        sock_do_ioctl+0x240/0x460 net/socket.c:1234\n        sock_ioctl+0x626/0x8e0 net/socket.c:1339\n        vfs_ioctl fs/ioctl.c:51 [inline]\n        __do_sys_ioctl fs/ioctl.c:906 [inline]\n        __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n        do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-\u003e #0 (rtnl_mutex){+.+.}-{4:4}:\n        check_prev_add kernel/locking/lockdep.c:3161 [inline]\n        check_prevs_add kernel/locking/lockdep.c:3280 [inline]\n        validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904\n        __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226\n        lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n        __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n        __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735\n        ax25_setsockopt+0xa55/0xe90 net/ax25/af_ax25.c:680\n        do_sock_setsockopt+0x3af/0x720 net/socket.c:2324\n        __sys_setsockopt net/socket.c:2349 [inline]\n        __do_sys_setsockopt net/socket.c:2355 [inline]\n        __se_sys_setsockopt net/socket.c:2352 [inline]\n        __x64_sys_setsockopt+0x1ee/0x280 net/socket.c:2352\n        do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n       CPU0                    CPU1\n       ----                    ----\n  lock(sk_lock-AF_AX25);\n                               lock(rtnl_mutex);\n                               lock(sk_lock-AF_AX25);\n  lock(rtnl_mutex);\n\n *** DEADLOCK ***\n\n1 lock held by syz.5.1818/12806:\n  #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1618 [inline]\n  #0: ffff8880617ac258 (sk_lock-AF_AX25){+.+.}-{0:0}, at: ax25_setsockopt+0x209/0xe90 net/ax25/af_ax25.c:574\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 12806 Comm: syz.5.1818 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074\n  check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206\n  check_prev_add kernel/locking/lockdep.c:3161 [inline]\n  check_prevs_add kernel/lockin\n---truncated---",
  "id": "GHSA-5qmp-w6rv-24wf",
  "modified": "2025-11-03T21:33:02Z",
  "published": "2025-02-27T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21812"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2802ed4ced27ebd474828fc67ffd7d66f11e3605"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7705d8a7f2c26c80973c81093db07c6022b2b30e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8937f5e38a218531dce2a89fae60e3adcc2311e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95fc45d1dea8e1253f8ec58abc5befb71553d666"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2531db6de3c95551be58878f859c6a053b7eb2e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QPG-RH4J-QP35

Vulnerability from github – Published: 2025-06-16 16:09 – Updated: 2025-06-16 16:09
VLAI
Summary
pycares has a Use-After-Free Vulnerability
Details

Summary

pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.

Details

Root Cause

The vulnerability stems from improper handling of callback references when the Channel object is destroyed:

  1. When a DNS query is initiated, pycares stores a callback reference using ffi.new_handle()
  2. If the Channel object is garbage collected while queries are pending, the callback references become invalid
  3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error

This issue was much more likely to occur when using event_thread=True but could happen without it under the right circumstances.

Technical Details

The core issue is a race condition between Python's garbage collector and c-ares's callback execution:

  1. When __del__ is called from within a c-ares callback context, we cannot immediately call ares_destroy() because c-ares is still executing code after the callback returns
  2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)
  3. If we destroy the channel too quickly, c-ares accesses freed memory

Impact

Applications using pycares can be crashed remotely by triggering DNS queries that result in Channel objects being garbage collected before query completion. This is particularly problematic in scenarios where:

  • Channel objects are created per-request
  • Multiple failed DNS queries are processed rapidly
  • The application doesn't properly manage Channel lifecycle

The error manifests as:

Fatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage

Fix

The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism

Mitigation

For Application Developers

  1. Upgrade to pycares >= 4.9.0 - This version includes the fix and requires no code changes
  2. Best practices (optional but recommended): ```python # Explicit cleanup channel.close()

# Or use context manager with pycares.Channel() as channel: # ... use channel ... # Automatically closed ``` 3. Avoid creating Channel objects per-request - Prefer long-lived instances for better performance and safety

The fix is completely transparent - no API changes or code modifications are required.

Credit

This vulnerability was reported by @vEpiphyte through the aio-libs security program.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.8.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pycares"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T16:09:47Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\npycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash.\n\n## Details\n\n### Root Cause\n\nThe vulnerability stems from improper handling of callback references when the Channel object is destroyed:\n\n1. When a DNS query is initiated, pycares stores a callback reference using `ffi.new_handle()`\n2. If the Channel object is garbage collected while queries are pending, the callback references become invalid\n3. When c-ares attempts to invoke the callback, it accesses freed memory, causing a fatal error\n\nThis issue was much more likely to occur when using `event_thread=True` but could happen without it under the right circumstances.\n\n### Technical Details\n\nThe core issue is a race condition between Python\u0027s garbage collector and c-ares\u0027s callback execution:\n\n1. When `__del__` is called from within a c-ares callback context, we cannot immediately call `ares_destroy()` because c-ares is still executing code after the callback returns\n2. c-ares needs to execute cleanup code after our Python callback returns (specifically at lines 1422-1429 in ares_process.c)\n3. If we destroy the channel too quickly, c-ares accesses freed memory\n\n### Impact\n\nApplications using `pycares` can be crashed remotely by triggering DNS queries that result in `Channel` objects being garbage collected before query completion. This is particularly problematic in scenarios where:\n\n- Channel objects are created per-request\n- Multiple failed DNS queries are processed rapidly\n- The application doesn\u0027t properly manage Channel lifecycle\n\nThe error manifests as:\n```\nFatal Python error: b_from_handle: ffi.from_handle() detected that the address passed points to garbage\n```\n\n## Fix\n\nThe vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism\n\n## Mitigation\n\n### For Application Developers\n\n1. **Upgrade to pycares \u003e= 4.9.0** - This version includes the fix and requires no code changes\n2. **Best practices** (optional but recommended):\n   ```python\n   # Explicit cleanup\n   channel.close()\n   \n   # Or use context manager\n   with pycares.Channel() as channel:\n       # ... use channel ...\n   # Automatically closed\n   ```\n3. **Avoid creating Channel objects per-request** - Prefer long-lived instances for better performance and safety\n\nThe fix is completely transparent - no API changes or code modifications are required.\n\n## Credit\n\nThis vulnerability was reported by @vEpiphyte through the aio-libs security program.",
  "id": "GHSA-5qpg-rh4j-qp35",
  "modified": "2025-06-16T16:09:47Z",
  "published": "2025-06-16T16:09:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saghul/pycares/security/advisories/GHSA-5qpg-rh4j-qp35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saghul/pycares/commit/ebfd7d71eb8e74bc1057a361ea79a5906db510d4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saghul/pycares"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "pycares has a Use-After-Free Vulnerability"
}

GHSA-5QR3-RCX6-W4H5

Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-12 00:01
VLAI
Details

Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-5qr3-rcx6-w4h5",
  "modified": "2022-08-12T00:01:23Z",
  "published": "2022-08-12T00:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35665"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-39.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QRG-P9JR-4M22

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-03 09:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute SET_NETDEV_DEV(dev, &priv->lowerdev->dev) for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the dev.parent field pointing to the freed memory, but ethnl_ops_begin() calls pm_runtime_get_sync(dev->dev.parent).

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

================================================================== BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0 Read of size 2 at addr ffff88810cfc46f8 by task pm/606

Call Trace: dump_stack_lvl+0x4d/0x70 print_report+0x170/0x4f3 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 kasan_report+0xda/0x110 ? __pm_runtime_resume+0xe2/0xf0 ? __pm_runtime_resume+0xe2/0xf0 __pm_runtime_resume+0xe2/0xf0 ethnl_ops_begin+0x49/0x270 ethnl_set_features+0x23c/0xab0 ? __pfx_ethnl_set_features+0x10/0x10 ? kvm_sched_clock_read+0x11/0x20 ? local_clock_noinstr+0xf/0xf0 ? local_clock+0x10/0x30 ? kasan_save_track+0x25/0x60 ? __kasan_kmalloc+0x7f/0x90 ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0 genl_family_rcv_msg_doit+0x1e7/0x2c0 ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 ? __pfx_cred_has_capability.isra.0+0x10/0x10 ? stack_trace_save+0x8e/0xc0 genl_rcv_msg+0x411/0x660 ? __pfx_genl_rcv_msg+0x10/0x10 ? __pfx_ethnl_set_features+0x10/0x10 netlink_rcv_skb+0x121/0x380 ? __pfx_genl_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_down_read+0x10/0x10 genl_rcv+0x23/0x30 netlink_unicast+0x60f/0x830 ? __pfx_netlink_unicast+0x10/0x10 ? __pfxallocskb+0x10/0x10 netlink_sendmsg+0x6ea/0xbc0 ? pfx_netlink_sendmsg+0x10/0x10 ? __futex_queue+0x10b/0x1f0 _syssendmsg+0x7a2/0x950 ? copy_msghdr_from_user+0x26b/0x430 ? pfx_sys_sendmsg+0x10/0x10 ? pfx_copy_msghdr_from_user+0x10/0x10 syssendmsg+0xf8/0x180 ? pfx_syssendmsg+0x10/0x10 ? pfx_futex_wait+0x10/0x10 ? fdget+0x2e4/0x4a0 __sys_sendmsg+0x11f/0x1c0 ? __pfx___sys_sendmsg+0x10/0x10 do_syscall_64+0xe2/0x570 ? exc_page_fault+0x66/0xb0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T14:16:19Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free\n\nCurrently we execute `SET_NETDEV_DEV(dev, \u0026priv-\u003elowerdev-\u003edev)` for\nthe virt_wifi net devices. However, unregistering a virt_wifi device in\nnetdev_run_todo() can happen together with the device referenced by\nSET_NETDEV_DEV().\n\nIt can result in use-after-free during the ethtool operations performed\non a virt_wifi device that is currently being unregistered. Such a net\ndevice can have the `dev.parent` field pointing to the freed memory,\nbut ethnl_ops_begin() calls `pm_runtime_get_sync(dev-\u003edev.parent)`.\n\nLet\u0027s remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0\n Read of size 2 at addr ffff88810cfc46f8 by task pm/606\n\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x4d/0x70\n  print_report+0x170/0x4f3\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  kasan_report+0xda/0x110\n  ? __pm_runtime_resume+0xe2/0xf0\n  ? __pm_runtime_resume+0xe2/0xf0\n  __pm_runtime_resume+0xe2/0xf0\n  ethnl_ops_begin+0x49/0x270\n  ethnl_set_features+0x23c/0xab0\n  ? __pfx_ethnl_set_features+0x10/0x10\n  ? kvm_sched_clock_read+0x11/0x20\n  ? local_clock_noinstr+0xf/0xf0\n  ? local_clock+0x10/0x30\n  ? kasan_save_track+0x25/0x60\n  ? __kasan_kmalloc+0x7f/0x90\n  ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0\n  genl_family_rcv_msg_doit+0x1e7/0x2c0\n  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10\n  ? __pfx_cred_has_capability.isra.0+0x10/0x10\n  ? stack_trace_save+0x8e/0xc0\n  genl_rcv_msg+0x411/0x660\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_ethnl_set_features+0x10/0x10\n  netlink_rcv_skb+0x121/0x380\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_netlink_rcv_skb+0x10/0x10\n  ? __pfx_down_read+0x10/0x10\n  genl_rcv+0x23/0x30\n  netlink_unicast+0x60f/0x830\n  ? __pfx_netlink_unicast+0x10/0x10\n  ? __pfx___alloc_skb+0x10/0x10\n  netlink_sendmsg+0x6ea/0xbc0\n  ? __pfx_netlink_sendmsg+0x10/0x10\n  ? __futex_queue+0x10b/0x1f0\n  ____sys_sendmsg+0x7a2/0x950\n  ? copy_msghdr_from_user+0x26b/0x430\n  ? __pfx_____sys_sendmsg+0x10/0x10\n  ? __pfx_copy_msghdr_from_user+0x10/0x10\n  ___sys_sendmsg+0xf8/0x180\n  ? __pfx____sys_sendmsg+0x10/0x10\n  ? __pfx_futex_wait+0x10/0x10\n  ? fdget+0x2e4/0x4a0\n  __sys_sendmsg+0x11f/0x1c0\n  ? __pfx___sys_sendmsg+0x10/0x10\n  do_syscall_64+0xe2/0x570\n  ? exc_page_fault+0x66/0xb0\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  \u003c/TASK\u003e\n\nThis fix may be combined with another one in the ethtool subsystem:\nhttps://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u",
  "id": "GHSA-5qrg-p9jr-4m22",
  "modified": "2026-05-03T09:33:09Z",
  "published": "2026-05-01T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31695"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5adc01506da94dfaab76f3d1b8410a8ca7bfc59d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5bbadf60b121065ffb267ec92018607b9c1c7524"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/789b06f9f39cdc7e895bdab2c034e39c41c8f8d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5fa98842783ed227365d1303785de6a67020c8d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d1e3aa80e6e04410ba89eaaba4441a0d749d181d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dcb5915696bd7b32b6404a897c24ee47cb23e772"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e90f3e74e1ebc26c461a74be490d322716bcdcb4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QVW-R534-XCM4

Vulnerability from github – Published: 2022-05-14 03:14 – Updated: 2025-04-12 13:04
VLAI
Details

statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-26T19:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.",
  "id": "GHSA-5qvw-r534-xcm4",
  "modified": "2025-04-12T13:04:47Z",
  "published": "2022-05-14T03:14:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6309"
    },
    {
      "type": "WEB",
      "url": "https://bto.bluecoat.com/security-advisory/sa132"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=acacbfa7565c78d2273c0b2a2e5e803f44afefeb"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/?p=openssl.git;a=commit;h=acacbfa7565c78d2273c0b2a2e5e803f44afefeb"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03856en_us"
    },
    {
      "type": "WEB",
      "url": "https://www.openssl.org/news/secadv/20160926.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2016-16"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2016-20"
    },
    {
      "type": "WEB",
      "url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21995039"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93177"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036885"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QXJ-7C6X-X6PF

Vulnerability from github – Published: 2026-07-02 00:31 – Updated: 2026-07-02 03:31
VLAI
Details

Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T23:16:51Z",
    "severity": "HIGH"
  },
  "details": "Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-5qxj-7c6x-x6pf",
  "modified": "2026-07-02T03:31:26Z",
  "published": "2026-07-02T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14426"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/517981277"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R4C-4WM4-C532

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:54Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-5r4c-4wm4-c532",
  "modified": "2025-10-14T18:30:32Z",
  "published": "2025-10-14T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58728"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58728"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R4M-496R-7WQM

Vulnerability from github – Published: 2023-01-17 18:30 – Updated: 2025-04-07 18:30
VLAI
Details

A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-17T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.",
  "id": "GHSA-5r4m-496r-7wqm",
  "modified": "2025-04-07T18:30:34Z",
  "published": "2023-01-17T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/ec4eb8a86ade4d22633e1da2a7d85a846b7d1798"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230223-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R4M-4Q9J-5JHH

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2023-09-06 03:30
VLAI
Details

aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-02T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free.",
  "id": "GHSA-5r4m-4q9j-5jhh",
  "modified": "2023-09-06T03:30:18Z",
  "published": "2022-05-24T19:03:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30474"
    },
    {
      "type": "WEB",
      "url": "https://aomedia.googlesource.com/aom/+/6e31957b6dc62dbc7d1bb70cd84902dd14c4bf2e"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/aomedia/issues/detail?id=3000"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-32"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.