Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9812 vulnerabilities reference this CWE, most recent first.

GHSA-5W5G-2R2H-2CJ2

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2023-05-24 15:30
VLAI
Details

libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter a use after free when using malicious package names. This is related to uci_parse_package in file.c and uci_strdup in util.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-19T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter a use after free when using malicious package names. This is related to uci_parse_package in file.c and uci_strdup in util.c.",
  "id": "GHSA-5w5g-2r2h-2cj2",
  "modified": "2023-05-24T15:30:26Z",
  "published": "2022-05-24T17:34:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28951"
    },
    {
      "type": "WEB",
      "url": "https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=5625f5bc36954d644cb80adf8de47854c65d91c3"
    },
    {
      "type": "WEB",
      "url": "https://git.openwrt.org/?p=openwrt/openwrt.git;a=log;h=refs/tags/v18.06.9"
    },
    {
      "type": "WEB",
      "url": "https://git.openwrt.org/?p=project/uci.git;a=commit;h=a3e650911f5e6f67dcff09974df3775dfd615da6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W7P-6C8W-PJ5Q

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-1486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-02-06T05:44:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data.",
  "id": "GHSA-5w7p-6c8w-pj5q",
  "modified": "2022-05-13T01:24:14Z",
  "published": "2022-05-13T01:24:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1486"
    },
    {
      "type": "WEB",
      "url": "https://8pecxstudios.com/?page_id=44080"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=942164"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90890"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201504-01"
    },
    {
      "type": "WEB",
      "url": "http://download.novell.com/Download?buildid=VYQsgaFpQ2k"
    },
    {
      "type": "WEB",
      "url": "http://download.novell.com/Download?buildid=Y2fux-JW1Qc"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/102872"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0132.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0133.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56706"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56761"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56763"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56767"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56787"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56858"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56888"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56922"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2858"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-08.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/65334"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029717"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029720"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029721"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2102-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2102-2"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2119-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W85-M7VR-R7MX

Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30
VLAI
Details

Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T20:17:11Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)",
  "id": "GHSA-5w85-m7vr-r7mx",
  "modified": "2026-05-14T21:30:44Z",
  "published": "2026-05-14T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8511"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/495108488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W86-J94C-54Q5

Vulnerability from github – Published: 2023-08-17 15:30 – Updated: 2024-04-04 07:01
VLAI
Details

A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-17T13:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw allows a local attacker with special privileges to cause a system crash or leak internal kernel information",
  "id": "GHSA-5w86-j94c-54q5",
  "modified": "2024-04-04T07:01:41Z",
  "published": "2023-08-17T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4394"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4394"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219263"
    },
    {
      "type": "WEB",
      "url": "https://patchwork.kernel.org/project/linux-btrfs/patch/20220815151606.3479183-1-r33s3n6@gmail.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W8M-6WWQ-MM8M

Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

The kref_put() function will call nport->release if the refcount drops to zero. The nport->release release function is _efc_nport_free() which frees "nport". But then we dereference "nport" on the next line which is a use after free. Re-order these lines to avoid the use after free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T13:15:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()\n\nThe kref_put() function will call nport-\u003erelease if the refcount drops to\nzero.  The nport-\u003erelease release function is _efc_nport_free() which frees\n\"nport\".  But then we dereference \"nport\" on the next line which is a use\nafter free.  Re-order these lines to avoid the use after free.",
  "id": "GHSA-5w8m-6wwq-mm8m",
  "modified": "2025-11-04T00:31:39Z",
  "published": "2024-10-21T15:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49852"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16a570f07d870a285b0c0b0d1ca4dff79e8aa5ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e4b02fad094976763af08fec2c620f4f8edd9ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c2908985e4ae0ea1b526b3916de9e5351650908"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98752fcd076a8cbc978016eae7125b4971be1eec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/abc71e89170ed32ecf0a5a29f31aa711e143e941"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/baeb8628ab7f4577740f00e439d3fdf7c876b0ff"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WCQ-2M8R-Q254

Vulnerability from github – Published: 2022-09-03 00:00 – Updated: 2022-09-08 00:00
VLAI
Details

Use after free in the synx driver issue while performing other functions during multiple invocation of synx release calls in Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-02T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use after free in the synx driver issue while performing other functions during multiple invocation of synx release calls in Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile",
  "id": "GHSA-5wcq-2m8r-q254",
  "modified": "2022-09-08T00:00:28Z",
  "published": "2022-09-03T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35133"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/july-2022-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WHJ-QQ2V-9WMC

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31
VLAI
Details

Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:46Z",
    "severity": "HIGH"
  },
  "details": "Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)",
  "id": "GHSA-5whj-qq2v-9wmc",
  "modified": "2026-05-29T18:31:23Z",
  "published": "2026-05-29T00:38:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9890"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/513135985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WHM-5CF2-VVC2

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-11T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-5whm-5cf2-vvc2",
  "modified": "2022-05-24T17:41:56Z",
  "published": "2022-05-24T17:41:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21021"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb21-09.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5WM3-RHR5-RWMM

Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-09-01 00:00
VLAI
Details

A vulnerability was found in rizin. The bug involves an ELF64 binary for the HPPA architecture. When a specially crafted binarygets analysed by rizin, it causes rizin to crash by freeing an uninitialized (and potentially user controlled, depending on the build) memory address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-25T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in rizin. The bug involves an ELF64 binary for the HPPA architecture. When a specially crafted binarygets analysed by rizin, it causes rizin to crash by freeing an uninitialized (and potentially user controlled, depending on the build) memory address.",
  "id": "GHSA-5wm3-rhr5-rwmm",
  "modified": "2022-09-01T00:00:22Z",
  "published": "2022-08-26T00:03:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rizinorg/rizin/issues/2015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WPF-JXV5-J2RG

Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-02-27 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use after free in hci_send_acl

This fixes the following trace caused by receiving HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without first checking if conn->type is in fact AMP_LINK and in case it is do properly cleanup upper layers with hci_disconn_cfm:

================================================================== BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50 Read of size 8 at addr ffff88800e404818 by task bluetoothd/142

CPU: 0 PID: 142 Comm: bluetoothd Not tainted
5.17.0-rc5-00006-gda4022eeac1a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x59
 print_address_description.constprop.0+0x1f/0x150
 kasan_report.cold+0x7f/0x11b
 hci_send_acl+0xaba/0xc50
 l2cap_do_send+0x23f/0x3d0
 l2cap_chan_send+0xc06/0x2cc0
 l2cap_sock_sendmsg+0x201/0x2b0
 sock_sendmsg+0xdc/0x110
 sock_write_iter+0x20f/0x370
 do_iter_readv_writev+0x343/0x690
 do_iter_write+0x132/0x640
 vfs_writev+0x198/0x570
 do_writev+0x202/0x280
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05
<48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
</TASK>
R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0

Allocated by task 45:
    kasan_save_stack+0x1e/0x40
    __kasan_kmalloc+0x81/0xa0
    hci_chan_create+0x9a/0x2f0
    l2cap_conn_add.part.0+0x1a/0xdc0
    l2cap_connect_cfm+0x236/0x1000
    le_conn_complete_evt+0x15a7/0x1db0
    hci_le_conn_complete_evt+0x226/0x2c0
    hci_le_meta_evt+0x247/0x450
    hci_event_packet+0x61b/0xe90
    hci_rx_work+0x4d5/0xc50
    process_one_work+0x8fb/0x15a0
    worker_thread+0x576/0x1240
    kthread+0x29d/0x340
    ret_from_fork+0x1f/0x30

Freed by task 45:
    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    kasan_set_free_info+0x20/0x30
    __kasan_slab_free+0xfb/0x130
    kfree+0xac/0x350
    hci_conn_cleanup+0x101/0x6a0
    hci_conn_del+0x27e/0x6c0
    hci_disconn_phylink_complete_evt+0xe0/0x120
    hci_event_packet+0x812/0xe90
    hci_rx_work+0x4d5/0xc50
    process_one_work+0x8fb/0x15a0
    worker_thread+0x576/0x1240
    kthread+0x29d/0x340
    ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff88800c0f0500
The buggy address is located 24 bytes inside of
which belongs to the cache kmalloc-128 of size 128
The buggy address belongs to the page:
128-byte region [ffff88800c0f0500, ffff88800c0f0580)
flags: 0x100000000000200(slab|node=0|zone=1)
page:00000000fe45cd86 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0xc0f0
raw: 0000000000000000 0000000080100010 00000001ffffffff
0000000000000000
raw: 0100000000000200 ffffea00003a2c80 dead000000000004
ffff8880078418c0
page dumped because: kasan: bad access detected
ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
Memory state around the buggy address:
>ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:48Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use after free in hci_send_acl\n\nThis fixes the following trace caused by receiving\nHCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without\nfirst checking if conn-\u003etype is in fact AMP_LINK and in case it is\ndo properly cleanup upper layers with hci_disconn_cfm:\n\n ==================================================================\n    BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50\n    Read of size 8 at addr ffff88800e404818 by task bluetoothd/142\n\n    CPU: 0 PID: 142 Comm: bluetoothd Not tainted\n    5.17.0-rc5-00006-gda4022eeac1a #7\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n    rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n    Call Trace:\n     \u003cTASK\u003e\n     dump_stack_lvl+0x45/0x59\n     print_address_description.constprop.0+0x1f/0x150\n     kasan_report.cold+0x7f/0x11b\n     hci_send_acl+0xaba/0xc50\n     l2cap_do_send+0x23f/0x3d0\n     l2cap_chan_send+0xc06/0x2cc0\n     l2cap_sock_sendmsg+0x201/0x2b0\n     sock_sendmsg+0xdc/0x110\n     sock_write_iter+0x20f/0x370\n     do_iter_readv_writev+0x343/0x690\n     do_iter_write+0x132/0x640\n     vfs_writev+0x198/0x570\n     do_writev+0x202/0x280\n     do_syscall_64+0x38/0x90\n     entry_SYSCALL_64_after_hwframe+0x44/0xae\n    RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014\n    Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3\n    0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05\n    \u003c48\u003e 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10\n    RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015\n    RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77\n    R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580\n    RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001\n    \u003c/TASK\u003e\n    R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0\n\n    Allocated by task 45:\n        kasan_save_stack+0x1e/0x40\n        __kasan_kmalloc+0x81/0xa0\n        hci_chan_create+0x9a/0x2f0\n        l2cap_conn_add.part.0+0x1a/0xdc0\n        l2cap_connect_cfm+0x236/0x1000\n        le_conn_complete_evt+0x15a7/0x1db0\n        hci_le_conn_complete_evt+0x226/0x2c0\n        hci_le_meta_evt+0x247/0x450\n        hci_event_packet+0x61b/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    Freed by task 45:\n        kasan_save_stack+0x1e/0x40\n        kasan_set_track+0x21/0x30\n        kasan_set_free_info+0x20/0x30\n        __kasan_slab_free+0xfb/0x130\n        kfree+0xac/0x350\n        hci_conn_cleanup+0x101/0x6a0\n        hci_conn_del+0x27e/0x6c0\n        hci_disconn_phylink_complete_evt+0xe0/0x120\n        hci_event_packet+0x812/0xe90\n        hci_rx_work+0x4d5/0xc50\n        process_one_work+0x8fb/0x15a0\n        worker_thread+0x576/0x1240\n        kthread+0x29d/0x340\n        ret_from_fork+0x1f/0x30\n\n    The buggy address belongs to the object at ffff88800c0f0500\n    The buggy address is located 24 bytes inside of\n    which belongs to the cache kmalloc-128 of size 128\n    The buggy address belongs to the page:\n    128-byte region [ffff88800c0f0500, ffff88800c0f0580)\n    flags: 0x100000000000200(slab|node=0|zone=1)\n    page:00000000fe45cd86 refcount:1 mapcount:0\n    mapping:0000000000000000 index:0x0 pfn:0xc0f0\n    raw: 0000000000000000 0000000080100010 00000001ffffffff\n    0000000000000000\n    raw: 0100000000000200 ffffea00003a2c80 dead000000000004\n    ffff8880078418c0\n    page dumped because: kasan: bad access detected\n    ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc\n    Memory state around the buggy address:\n    \u003effff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n    ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n    ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                   \n---truncated---",
  "id": "GHSA-5wpf-jxv5-j2rg",
  "modified": "2025-02-27T21:32:12Z",
  "published": "2025-02-27T21:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49111"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2cc803804ec9a296b3156855d6c8c4ca1c6b84be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3803d896ddd97c7c16689a5381c0960040727647"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4da302b90b96c309987eb9b37c8547f939f042d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/643a6c26bd32e339d00ad97b8822b6db009e803c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/684e505406abaeabe0058e9776f9210bf2747953"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3c2ea1fd444b3bb7b82bfd2c3a45418f85c2502"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c41de54b0a963e59e4dd04c029a4a6d73f45ef9c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d404765dffdbd8dcd14758695d0c96c52fb2e624"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f63d24baff787e13b723d86fe036f84bdbc35045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.