CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-624F-82HJ-X6PC
Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30Memory corruption when kernel driver attempts to trigger hardware fences.
{
"affected": [],
"aliases": [
"CVE-2024-23383"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T15:15:47Z",
"severity": "HIGH"
},
"details": "Memory corruption when kernel driver attempts to trigger hardware fences.",
"id": "GHSA-624f-82hj-x6pc",
"modified": "2024-08-05T15:30:53Z",
"published": "2024-08-05T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23383"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-626C-C4R3-VMJG
Vulnerability from github – Published: 2024-08-21 18:31 – Updated: 2024-08-21 18:31Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23928.
{
"affected": [],
"aliases": [
"CVE-2024-7725"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T16:15:11Z",
"severity": "HIGH"
},
"details": "Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23928.",
"id": "GHSA-626c-c4r3-vmjg",
"modified": "2024-08-21T18:31:28Z",
"published": "2024-08-21T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7725"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-628X-VQ4W-VW68
Vulnerability from github – Published: 2025-03-04 06:30 – Updated: 2025-03-04 06:30in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
{
"affected": [],
"aliases": [
"CVE-2025-20091"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T04:15:13Z",
"severity": "LOW"
},
"details": "in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.",
"id": "GHSA-628x-vq4w-vw68",
"modified": "2025-03-04T06:30:33Z",
"published": "2025-03-04T06:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20091"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62C2-HMJM-MPM6
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-49173"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:16:52Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-62c2-hmjm-mpm6",
"modified": "2026-07-14T18:32:00Z",
"published": "2026-07-14T18:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49173"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62CC-G9F4-2R2G
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2026-05-28 21:31Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2019-13721"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-25T15:15:00Z",
"severity": "MODERATE"
},
"details": "Use after free in PDFium in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-62cc-g9f4-2r2g",
"modified": "2026-05-28T21:31:57Z",
"published": "2022-05-24T17:01:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13721"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1013868"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62F2-58PP-Q2WG
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2026-04-02 21:32A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.
{
"affected": [],
"aliases": [
"CVE-2025-30427"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T23:15:25Z",
"severity": "CRITICAL"
},
"details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.4, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, Safari 18.4. Processing maliciously crafted web content may lead to an unexpected Safari crash.",
"id": "GHSA-62f2-58pp-q2wg",
"modified": "2026-04-02T21:32:17Z",
"published": "2025-04-01T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30427"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00016.html"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122372"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122376"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122377"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122379"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/13"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/2"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/4"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/5"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62J3-36WR-4GW5
Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
Struct pcie_link_state->downstream is a pointer to the pci_dev of function 0. Previously we retained that pointer when removing function 0, and subsequent ASPM policy changes dereferenced it, resulting in a use-after-free warning from KASAN, e.g.:
# echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove # echo powersave > /sys/module/pcie_aspm/parameters/policy
BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500 Call Trace: kasan_report+0xae/0xe0 pcie_config_aspm_link+0x42d/0x500 pcie_aspm_set_policy+0x8e/0x1a0 param_attr_store+0x162/0x2c0 module_attr_store+0x3e/0x80
PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM Control value in all functions of multi-function devices.
Disable ASPM and free the pcie_link_state when any child function is removed so we can discard the dangling pcie_link_state->downstream pointer and maintain the same ASPM Control configuration for all functions.
[bhelgaas: commit log and comment]
{
"affected": [],
"aliases": [
"CVE-2023-53446"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:48Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free\n\nStruct pcie_link_state-\u003edownstream is a pointer to the pci_dev of function\n0. Previously we retained that pointer when removing function 0, and\nsubsequent ASPM policy changes dereferenced it, resulting in a\nuse-after-free warning from KASAN, e.g.:\n\n # echo 1 \u003e /sys/bus/pci/devices/0000:03:00.0/remove\n # echo powersave \u003e /sys/module/pcie_aspm/parameters/policy\n\n BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500\n Call Trace:\n kasan_report+0xae/0xe0\n pcie_config_aspm_link+0x42d/0x500\n pcie_aspm_set_policy+0x8e/0x1a0\n param_attr_store+0x162/0x2c0\n module_attr_store+0x3e/0x80\n\nPCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM\nControl value in all functions of multi-function devices.\n\nDisable ASPM and free the pcie_link_state when any child function is\nremoved so we can discard the dangling pcie_link_state-\u003edownstream pointer\nand maintain the same ASPM Control configuration for all functions.\n\n[bhelgaas: commit log and comment]",
"id": "GHSA-62j3-36wr-4gw5",
"modified": "2025-12-12T21:31:32Z",
"published": "2025-09-18T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53446"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4203722d51afe3d239e03f15cc73efdf023a7103"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/456d8aa37d0f56fc9e985e812496e861dcd6f2f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/666e7f9d60cee23077ea3e6331f6f8a19f7ea03f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7aecdd47910c51707696e8b0e045b9f88bd4230f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7badf4d6f49a358a01ab072bbff88d3ee886c33b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9856c0de49052174ab474113f4ba40c02aaee086"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d51d2eeae4ce54d542909c4d9d07bf371a78592c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62JH-GHQ5-2F65
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11068"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:11Z",
"severity": "HIGH"
},
"details": "Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-62jh-ghq5-2f65",
"modified": "2026-06-05T03:31:33Z",
"published": "2026-06-05T00:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11068"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/499194333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62JP-JVC3-7HH9
Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
As Paolo said earlier [1]:
"Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet."
act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact).
[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
{
"affected": [],
"aliases": [
"CVE-2026-23270"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-18T18:16:26Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it\u0027s still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/",
"id": "GHSA-62jp-jvc3-7hh9",
"modified": "2026-07-14T15:31:40Z",
"published": "2026-03-18T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23270"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11cb63b0d1a0685e0831ae3c77223e002ef18189"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/380ad8b7c65ea7aa10ef2258297079ed5ac1f5b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/524ce8b4ea8f64900b6c52b6a28df74f6bc0801e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a110ddcc99bda77a28598b3555fe009eaab3828"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9deda0fcda5c1f388c5e279541850b71a2ccfcf4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bc4e5bb529823a09f02dbe96169de679a9db26e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb3c380a54e33d1fd272cc342faa906d787d7ef1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-62M5-M548-5V5F
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on conn->async_requests via setup_async_work(), with cancel_fn = smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.
When the request is cancelled, the worker frees the file_lock with locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never reaches release_async_work() -- the only site that unlinks the work from conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays matchable on async_requests with a live cancel_fn pointing at the freed file_lock, until connection teardown finally runs release_async_work().
smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:
BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) ... cache file_lock_cache of size 192
Reproduced on mainline with KASAN by an authenticated SMB client.
Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback cannot be fired a second time.
{
"affected": [],
"aliases": [
"CVE-2026-53198"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:37Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL\n\nA deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on\nconn-\u003easync_requests via setup_async_work(), with cancel_fn =\nsmb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.\n\nWhen the request is cancelled, the worker frees the file_lock with\nlocks_free_lock() and takes the cancelled early-exit, which \"goto out\"s and never\nreaches release_async_work() -- the only site that unlinks the work from\nconn-\u003easync_requests and clears cancel_fn/cancel_argv. The work therefore stays\nmatchable on async_requests with a live cancel_fn pointing at the freed file_lock,\nuntil connection teardown finally runs release_async_work().\n\nsmb2_cancel() fires cancel_fn unconditionally with no state guard, so a second\nSMB2_CANCEL for the same AsyncId, arriving in that window, re-runs\nsmb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free:\n\n BUG: KASAN: slab-use-after-free in __locks_delete_block\n __locks_delete_block\n locks_delete_block\n ksmbd_vfs_posix_lock_unblock\n smb2_remove_blocked_lock\n smb2_cancel \u003c- 2nd SMB2_CANCEL fires cancel_fn\n handle_ksmbd_work\n Allocated by ...: locks_alloc_lock \u003c- smb2_lock\n Freed by ...: locks_free_lock \u003c- smb2_lock (cancelled branch)\n ... cache file_lock_cache of size 192\n\nReproduced on mainline with KASAN by an authenticated SMB client.\n\nSkip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback\ncannot be fired a second time.",
"id": "GHSA-62m5-m548-5v5f",
"modified": "2026-06-28T09:31:43Z",
"published": "2026-06-25T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53198"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0da2e073f9cbf4985a0fd9acb71bc5ff599f8afd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14d2eee0193ac3cd1bf3d014373449f0b8d35d6d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b2eda2821cff1d1b5a423b6ee7d8fc6fbc8e694"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89ae9df09d2c1fb4a4eb495c113a7ce1dca34147"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7063c7426ea5a4d15e01b60538718765392f49d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f580d27e8928828693df44ba2db0fffdbe11dfea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.