Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9807 vulnerabilities reference this CWE, most recent first.

GHSA-65QG-FHGM-59FJ

Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-04-06 00:02
VLAI
Details

lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted Irz file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-28T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted Irz file.",
  "id": "GHSA-65qg-fhgm-59fj",
  "modified": "2022-04-06T00:02:04Z",
  "published": "2022-03-30T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckolivas/lrzip/issues/206"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5145"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65V5-RHMH-VVJR

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30
VLAI
Details

Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T18:16:59Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-65v5-rhmh-vvjr",
  "modified": "2026-04-14T18:30:38Z",
  "published": "2026-04-14T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27916"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27916"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65WW-5PR7-752V

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs: writeback: fix use-after-free in __mark_inode_dirty()

An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching.

CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198

Root cause is:

systemd-random-seed kworker

___mark_inode_dirty inode_switch_wbs_work_fn

spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue

Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-19T16:15:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed                         kworker\n----------------------------------------------------------------------\n___mark_inode_dirty                     inode_switch_wbs_work_fn\n\n  spin_lock(\u0026inode-\u003ei_lock);\n  inode_attach_wb\n  locked_inode_to_wb_and_lock_list\n     get inode-\u003ei_wb\n     spin_unlock(\u0026inode-\u003ei_lock);\n     spin_lock(\u0026wb-\u003elist_lock)\n  spin_lock(\u0026inode-\u003ei_lock)\n  inode_io_list_move_locked\n  spin_unlock(\u0026wb-\u003elist_lock)\n  spin_unlock(\u0026inode-\u003ei_lock)\n                                    spin_lock(\u0026old_wb-\u003elist_lock)\n                                      inode_do_switch_wbs\n                                        spin_lock(\u0026inode-\u003ei_lock)\n                                        inode-\u003ei_wb = new_wb\n                                        spin_unlock(\u0026inode-\u003ei_lock)\n                                    spin_unlock(\u0026old_wb-\u003elist_lock)\n                                    wb_put_many(old_wb, nr_switched)\n                                      cgwb_release\n                                      old wb released\n  wb_wakeup_delayed() accesses wb,\n  then trigger the use-after-free\n  issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished.",
  "id": "GHSA-65ww-5pr7-752v",
  "modified": "2026-07-14T15:31:27Z",
  "published": "2025-09-22T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39866"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1edc2feb9c759a9883dfe81cb5ed231412d8b2e4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b187c976111960e6e54a6b1fff724f6e3d39406c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf89b1f87c72df79cf76203f71fbf8349cd5c9de"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c8c14adf80bd1a6e4a1d7ee9c2a816881c26d17a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d02d2c98d25793902f65803ab853b592c7a96b29"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e2a14bbae5d8bacaa301362744a110e2be40a3a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e63052921f1b25a836feb1500b841bff7a4a0456"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65X4-MV56-GF8M

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim

The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero.

Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger:

static void bpf_shim_tramp_link_release(struct bpf_link link) { / ... */ if (!shim_link->trampoline) return;

  • msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); }

Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when \u0027bpf_link_put\u0027 reduces the\nrefcount of \u0027shim_link-\u003elink.link\u0027 to zero, the resource is considered\nreleased but may still be referenced via \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027cgroup_shim_find\u0027. The actual cleanup of \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027bpf_shim_tramp_link_release\u0027 is deferred. During this window, another\nprocess can cause a use-after-free via \u0027bpf_trampoline_link_cgroup_shim\u0027.\n\nBased on Martin KaFai Lau\u0027s suggestions, I have created a simple patch.\n\nTo fix this:\n   Add an atomic non-zero check in \u0027bpf_trampoline_link_cgroup_shim\u0027.\n   Only increment the refcount if it is not already zero.\n\nTesting:\n   I verified the fix by adding a delay in\n   \u0027bpf_shim_tramp_link_release\u0027 to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link-\u003etrampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026shim_link-\u003elink,\n\t\tshim_link-\u003etrampoline, NULL));\n\tbpf_trampoline_put(shim_link-\u003etrampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM\u0027s report.\nAfter the patch, the bug no longer occurs even after millions of\niterations.",
  "id": "GHSA-65x4-mv56-gf8m",
  "modified": "2026-07-14T15:31:41Z",
  "published": "2026-03-25T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23319"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3eeddb80191f7626ec1ef742bfff51ec3b0fa5c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e8a0005d633a4adc98e3b65d5080f93b90d356b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/529e685e522b9d7fb379dbe6929dcdf520e34c8c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/56145d237385ca0e7ca9ff7b226aaf2eb8ef368b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b02c5c4147f8af8ed783c8deb5df927a55c3951"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cfcfa0ca0212162aa472551266038e8fd6768cff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65X6-QQ63-M88G

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/siw: Fix a use after free in siw_alloc_mr

Our code analyzer reported a UAF.

In siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of siw_mr_add_mem(), mem is assigned to mr->mem and then mem is freed via kfree(mem) if xa_alloc_cyclic() failed. Here, mr->mem still point to a freed object. After, the execution continue up to the err_out branch of siw_alloc_mr, and the freed mr->mem is used in siw_mr_drop_mem(mr).

My patch moves "mr->mem = mem" behind the if (xa_alloc_cyclic(..)<0) {} section, to avoid the uaf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:38Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix a use after free in siw_alloc_mr\n\nOur code analyzer reported a UAF.\n\nIn siw_alloc_mr(), it calls siw_mr_add_mem(mr,..). In the implementation of\nsiw_mr_add_mem(), mem is assigned to mr-\u003emem and then mem is freed via\nkfree(mem) if xa_alloc_cyclic() failed. Here, mr-\u003emem still point to a\nfreed object. After, the execution continue up to the err_out branch of\nsiw_alloc_mr, and the freed mr-\u003emem is used in siw_mr_drop_mem(mr).\n\nMy patch moves \"mr-\u003emem = mem\" behind the if (xa_alloc_cyclic(..)\u003c0) {}\nsection, to avoid the uaf.",
  "id": "GHSA-65x6-qq63-m88g",
  "modified": "2024-12-09T18:31:18Z",
  "published": "2024-02-28T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47012"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3093ee182f01689b89e9f8797b321603e5de4f63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30b9e92d0b5e5d5dc1101ab856c17009537cbca4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e22b88e02c194f6c80867abfef5cc09383461f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/608a4b90ece039940e9425ee2b39c8beff27e00c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad9ce7188432650469a6c7625bf479f5ed0b6155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65X7-C272-7G7R

Vulnerability from github – Published: 2024-03-05 16:26 – Updated: 2024-03-06 21:57
VLAI
Summary
Use After Free in SixLabors.ImageSharp
Details

Impact

A heap-use-after-free flaw was found in ImageSharp's InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure.

Patches

The problem has been patched. All users are advised to upgrade to v3.1.3 or v2.1.7.

Workarounds

None

References

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "SixLabors.ImageSharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "SixLabors.ImageSharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-05T16:26:15Z",
    "nvd_published_at": "2024-03-05T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA heap-use-after-free flaw was found in ImageSharp\u0027s InitializeImage() function of PngDecoderCore.cs file. This vulnerability is triggered when an attacker passes a specially crafted PNG image file to ImageSharp for conversion, potentially leading to information disclosure.\n\n### Patches\nThe problem has been patched. All users are advised to upgrade to v3.1.3 or v2.1.7.\n\n### Workarounds\nNone\n\n### References\nNone\n",
  "id": "GHSA-65x7-c272-7g7r",
  "modified": "2024-03-06T21:57:21Z",
  "published": "2024-03-05T16:26:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-65x7-c272-7g7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SixLabors/ImageSharp/pull/2688"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SixLabors/ImageSharp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use After Free in SixLabors.ImageSharp"
}

GHSA-65X9-X5M2-CP2G

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2025-04-20 03:37
VLAI
Details

In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-10T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.",
  "id": "GHSA-65x9-x5m2-cp2g",
  "modified": "2025-04-20T03:37:26Z",
  "published": "2022-05-13T01:07:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8895"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42282"
    },
    {
      "type": "WEB",
      "url": "https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98386"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038561"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-662R-59MF-5FXR

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29
VLAI
Details

Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-763"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-01T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3.",
  "id": "GHSA-662r-59mf-5fxr",
  "modified": "2022-05-24T17:29:55Z",
  "published": "2022-05-24T17:29:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15673"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1648493%2C1660800"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202010-02"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4770"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-42"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-43"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-44"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-663R-JP8J-QR4Q

Vulnerability from github – Published: 2022-11-30 00:30 – Updated: 2022-12-02 00:30
VLAI
Details

Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-30T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-663r-jp8j-qr4q",
  "modified": "2022-12-02T00:30:25Z",
  "published": "2022-11-30T00:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4194"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1370562"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-10"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-664H-5FQ8-8969

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Use after free in lzma_decompress_buf function in stream.c in Irzip 0.631 allows attackers to cause Denial of Service (DoS) via a crafted compressed file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-10T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use after free in lzma_decompress_buf function in stream.c in Irzip 0.631 allows attackers to cause Denial of Service (DoS) via a crafted compressed file.",
  "id": "GHSA-664h-5fq8-8969",
  "modified": "2022-05-24T19:04:51Z",
  "published": "2022-05-24T19:04:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27347"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ckolivas/lrzip/issues/165"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.