Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-66P7-VQR8-2M3V

Vulnerability from github – Published: 2026-06-09 00:33 – Updated: 2026-06-09 03:31
VLAI
Details

Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T00:16:50Z",
    "severity": "HIGH"
  },
  "details": "Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)",
  "id": "GHSA-66p7-vqr8-2m3v",
  "modified": "2026-06-09T03:31:39Z",
  "published": "2026-06-09T00:33:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11670"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/515469283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66Q3-24GV-6744

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path

Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed.

Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix potential UAF and memory leak in remove path\n\nUnregister the hwrng to prevent new -\u003eread() calls and flush the Atmel\nI2C workqueue before teardown to prevent a potential UAF if a queued\ncallback runs while the device is being removed.\n\nDrop the early return to ensure sysfs entries are removed and\n-\u003ehwrng.priv is freed, preventing a memory leak.",
  "id": "GHSA-66q3-24gv-6744",
  "modified": "2026-06-24T18:32:30Z",
  "published": "2026-05-27T15:33:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46075"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6dbeb0f788582e1ab5dfc3f41994eac0ec88c2b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66QH-R598-W33Q

Vulnerability from github – Published: 2024-01-08 12:30 – Updated: 2024-01-12 15:30
VLAI
Details

Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5091"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-08T10:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a\u00a0local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.\n\n",
  "id": "GHSA-66qh-r598-w33q",
  "modified": "2024-01-12T15:30:25Z",
  "published": "2024-01-08T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5091"
    },
    {
      "type": "WEB",
      "url": "https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66R4-MRH6-VW83

Vulnerability from github – Published: 2022-05-17 03:04 – Updated: 2022-05-17 03:04
VLAI
Details

The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-11-16T05:59:00Z",
    "severity": "HIGH"
  },
  "details": "The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel before 4.3.3 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field.",
  "id": "GHSA-66r4-mrh6-vw83",
  "modified": "2022-05-17T03:04:55Z",
  "published": "2022-05-17T03:04:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8961"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/6934da9238da947628be83635e365df41064b09b"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2016-11-01.html"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6934da9238da947628be83635e365df41064b09b"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94135"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66WW-HH28-59JG

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ath10k: Fix a use after free in ath10k_htc_send_bundle

In ath10k_htc_send_bundle, the bundle_skb could be freed by dev_kfree_skb_any(bundle_skb). But the bundle_skb is used later by bundle_skb->len.

As skb_len = bundle_skb->len, my patch replaces bundle_skb->len to skb_len after the bundle_skb was freed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:38Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: Fix a use after free in ath10k_htc_send_bundle\n\nIn ath10k_htc_send_bundle, the bundle_skb could be freed by\ndev_kfree_skb_any(bundle_skb). But the bundle_skb is used later\nby bundle_skb-\u003elen.\n\nAs skb_len = bundle_skb-\u003elen, my patch replaces bundle_skb-\u003elen to\nskb_len after the bundle_skb was freed.",
  "id": "GHSA-66ww-hh28-59jg",
  "modified": "2024-12-09T18:31:18Z",
  "published": "2024-02-28T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47017"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b1ac40c6012140828caa79e592a438a18ebf71b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e413c0831ff4700d1739db3fa3ae9f859744676"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8392df5d7e0b6a7d21440da1fc259f9938f4dec3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8bb054fb336f4250002fff4e0b075221c05c3c65"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-672F-VPW8-X67X

Vulnerability from github – Published: 2024-02-21 06:30 – Updated: 2024-08-01 15:31
VLAI
Details

Use after free in Accessibility in Google Chrome prior to 122.0.6261.57 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-21T04:15:08Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Accessibility in Google Chrome prior to 122.0.6261.57 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via specific UI gestures. (Chromium security severity: Medium)",
  "id": "GHSA-672f-vpw8-x67x",
  "modified": "2024-08-01T15:31:26Z",
  "published": "2024-02-21T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1673"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/41490491"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWWBMVQTSERVBXSXCZVUKIMEDNQUQ7O3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QDCMYQ3J45NHQ4EJREM3BJNNKB5BK4Y7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6765-2PWX-HV54

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Media allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:35Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Media allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-6765-2pwx-hv54",
  "modified": "2026-07-14T18:32:17Z",
  "published": "2026-07-14T18:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50358"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-676F-4267-C5C3

Vulnerability from github – Published: 2022-05-17 03:44 – Updated: 2022-05-17 03:44
VLAI
Details

Use-after-free vulnerability in DBD::mysql before 4.029 allows attackers to cause a denial of service (program crash) or possibly execute arbitrary code via vectors related to a lost server connection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-9906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-19T21:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free vulnerability in DBD::mysql before 4.029 allows attackers to cause a denial of service (program crash) or possibly execute arbitrary code via vectors related to a lost server connection.",
  "id": "GHSA-676f-4267-c5c3",
  "modified": "2022-05-17T03:44:59Z",
  "published": "2022-05-17T03:44:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9906"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl5-dbi/DBD-mysql/commit/a56ae87a4c1c1fead7d09c3653905841ccccf1cc"
    },
    {
      "type": "WEB",
      "url": "https://rt.cpan.org/Public/Bug/Display.html?id=97625"
    },
    {
      "type": "WEB",
      "url": "http://cpansearch.perl.org/src/CAPTTOFU/DBD-mysql-4.029/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3635"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/07/27/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/07/27/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-677P-H2HJ-9J82

Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2025-04-17 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

can: vxcan: vxcan_xmit: fix use after free bug

After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the canfd_frame cfd which aliases skb memory is accessed after the netif_rx_ni().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T18:15:43Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: vxcan: vxcan_xmit: fix use after free bug\n\nAfter calling netif_rx_ni(skb), dereferencing skb is unsafe.\nEspecially, the canfd_frame cfd which aliases skb memory is accessed\nafter the netif_rx_ni().",
  "id": "GHSA-677p-h2hj-9j82",
  "modified": "2025-04-17T21:31:04Z",
  "published": "2025-04-17T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47669"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d6dcf2399cdd26f7f5426ca8dd8366b7f2ca105"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75854cad5d80976f6ea0f0431f8cedd3bcc475cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b820875a32a3443d67bfd368e93038354e98052"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a24476b37167816e6352ca1a2cf3769847774f70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e771a874076115df8bff27d325edfd2340e4ec69"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6789-C3XJ-P7CQ

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-05 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dax: Fix dax_mapping_release() use after free

A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region provider (like modprobe -r dax_hmem) yields:

kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000) [..] DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260 [..] RIP: 0010:__lock_acquire+0x9fc/0x2260 [..] Call Trace: [..] lock_acquire+0xd4/0x2c0 ? ida_free+0x62/0x130 _raw_spin_lock_irqsave+0x47/0x70 ? ida_free+0x62/0x130 ida_free+0x62/0x130 dax_mapping_release+0x1f/0x30 device_release+0x36/0x90 kobject_delayed_cleanup+0x46/0x150

Due to attempting ida_free() on an ida object that has already been freed. Devices typically only hold a reference on their parent while registered. If a child needs a parent object to complete its release it needs to hold a reference that it drops from its release callback. Arrange for a dax_mapping to pin its parent dev_dax instance until dax_mapping_release().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:58Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndax: Fix dax_mapping_release() use after free\n\nA CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region\nprovider (like modprobe -r dax_hmem) yields:\n\n kobject: \u0027mapping0\u0027 (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000)\n [..]\n DEBUG_LOCKS_WARN_ON(1)\n WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260\n [..]\n RIP: 0010:__lock_acquire+0x9fc/0x2260\n [..]\n Call Trace:\n  \u003cTASK\u003e\n [..]\n  lock_acquire+0xd4/0x2c0\n  ? ida_free+0x62/0x130\n  _raw_spin_lock_irqsave+0x47/0x70\n  ? ida_free+0x62/0x130\n  ida_free+0x62/0x130\n  dax_mapping_release+0x1f/0x30\n  device_release+0x36/0x90\n  kobject_delayed_cleanup+0x46/0x150\n\nDue to attempting ida_free() on an ida object that has already been\nfreed. Devices typically only hold a reference on their parent while\nregistered. If a child needs a parent object to complete its release it\nneeds to hold a reference that it drops from its release callback.\nArrange for a dax_mapping to pin its parent dev_dax instance until\ndax_mapping_release().",
  "id": "GHSA-6789-c3xj-p7cq",
  "modified": "2026-02-05T18:30:29Z",
  "published": "2025-10-04T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53613"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03859868ab82d57bfdd0cea1bf31f9319a5dded0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d24b170a9db0456f577b1ab01226a2254c016a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7310b84821f043dcf77d5e6aa0ad55dc1e10a11d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94a85474f5e3e518bdbf8c9f51cb343d734a04f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c2f993b6ca903c030d58451b5bf9ea27d0d17fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f76db6781d76d8464ec2faa9752cc3fb2e4f6923"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.