CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9805 vulnerabilities reference this CWE, most recent first.
GHSA-69M3-G558-7XX3
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2023-01-09 18:30A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.6 and iPadOS 14.6. Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination.
{
"affected": [],
"aliases": [
"CVE-2021-30741"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T14:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.6 and iPadOS 14.6. Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination.",
"id": "GHSA-69m3-g558-7xx3",
"modified": "2023-01-09T18:30:28Z",
"published": "2022-05-24T19:13:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30741"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212528"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69MG-VW3H-XM3V
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
Input: edt-ft5x06 - fix use-after-free in debugfs teardown
The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer.
To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free.
{
"affected": [],
"aliases": [
"CVE-2026-46097"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:31Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: edt-ft5x06 - fix use-after-free in debugfs teardown\n\nThe commit 68743c500c6e (\"Input: edt-ft5x06 - use per-client debugfs\ndirectory\") removed the manual debugfs teardown, relying on the I2C core\nto handle it. However, this creates a window where debugfs files are\nstill accessible after edt_ft5x06_ts_teardown_debugfs() frees\ntsdata-\u003eraw_buffer.\n\nTo prevent a use-after-free, protect the freeing of raw_buffer with the\ndevice mutex and set raw_buffer to NULL. The debugfs read function\nalready checks if raw_buffer is NULL under the same mutex, so this\nsafely avoids the use-after-free.",
"id": "GHSA-69mg-vw3h-xm3v",
"modified": "2026-06-25T21:31:21Z",
"published": "2026-05-27T15:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46097"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f6c5e7b747d40e1c65cbfcb975857d25154c075"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a516d43886623e3cca5fa3446bed8fc7c7982be2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f5f9e07060519e2287e99019a6de1eb3ebb65c37"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69PX-R2HQ-HMW3
Vulnerability from github – Published: 2022-05-14 01:04 – Updated: 2022-05-14 01:04Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.
{
"affected": [],
"aliases": [
"CVE-2014-0131"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-03-24T16:40:00Z",
"severity": "LOW"
},
"details": "Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.",
"id": "GHSA-69px-r2hq-hmw3",
"modified": "2022-05-14T01:04:04Z",
"published": "2022-05-14T01:04:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0131"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/1fd819ecb90cc9b822cd84d3056ddba315d3340f"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1074589"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1fd819ecb90cc9b822cd84d3056ddba315d3340f"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1fd819ecb90cc9b822cd84d3056ddba315d3340f"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/03/10/4"
},
{
"type": "WEB",
"url": "http://www.spinics.net/lists/netdev/msg274250.html"
},
{
"type": "WEB",
"url": "http://www.spinics.net/lists/netdev/msg274316.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-69Q2-QMCC-6RH3
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-49677"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:52Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-69q2-qmcc-6rh3",
"modified": "2025-07-08T18:31:46Z",
"published": "2025-07-08T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49677"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69Q9-9JGH-W2QC
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01A possible use-after-free occurrence in audio driver can happen when pointers are not properly handled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
{
"affected": [],
"aliases": [
"CVE-2021-1891"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-07T09:15:00Z",
"severity": "HIGH"
},
"details": "A possible use-after-free occurrence in audio driver can happen when pointers are not properly handled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
"id": "GHSA-69q9-9jgh-w2qc",
"modified": "2022-05-24T19:01:48Z",
"published": "2022-05-24T19:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1891"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-69VJ-962M-HMHV
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2019-8846"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T21:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.",
"id": "GHSA-69vj-962m-hmhv",
"modified": "2022-05-24T17:32:27Z",
"published": "2022-05-24T17:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8846"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210785"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210790"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210792"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210793"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210794"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210795"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-69VV-8R9H-G8X5
Vulnerability from github – Published: 2022-10-21 12:00 – Updated: 2022-10-24 19:00A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-3625"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-21T06:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability.",
"id": "GHSA-69vv-8r9h-g8x5",
"modified": "2022-10-24T19:00:17Z",
"published": "2022-10-21T12:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3625"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git/commit/?id=6b4db2e528f650c7fb712961aac36455468d5902"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.211929"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69W2-8RXH-W4M7
Vulnerability from github – Published: 2024-08-21 00:30 – Updated: 2025-09-29 18:33In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix CT entry update leaks of modify header context
The cited commit allocates a new modify header to replace the old one when updating CT entry. But if failed to allocate a new one, eg. exceed the max number firmware can support, modify header will be an error pointer that will trigger a panic when deallocating it. And the old modify header point is copied to old attr. When the old attr is freed, the old modify header is lost.
Fix it by restoring the old attr to attr when failed to allocate a new modify header context. So when the CT entry is freed, the right modify header context will be freed. And the panic of accessing error pointer is also fixed.
{
"affected": [],
"aliases": [
"CVE-2024-43864"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T00:15:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix CT entry update leaks of modify header context\n\nThe cited commit allocates a new modify header to replace the old\none when updating CT entry. But if failed to allocate a new one, eg.\nexceed the max number firmware can support, modify header will be\nan error pointer that will trigger a panic when deallocating it. And\nthe old modify header point is copied to old attr. When the old\nattr is freed, the old modify header is lost.\n\nFix it by restoring the old attr to attr when failed to allocate a\nnew modify header context. So when the CT entry is freed, the right\nmodify header context will be freed. And the panic of accessing\nerror pointer is also fixed.",
"id": "GHSA-69w2-8rxh-w4m7",
"modified": "2025-09-29T18:33:08Z",
"published": "2024-08-21T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43864"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/025f2b85a5e5a46df14ecf162c3c80a957a36d0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89064d09c56b44c668509bf793c410484f63f5ad"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/daab2cc17b6b6ab158566bba037e9551fd432b59"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69W4-9W32-V3QH
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2026-02-25 18:31A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2020-14381"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-03T17:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the Linux kernel\u2019s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
"id": "GHSA-69w4-9w32-v3qh",
"modified": "2026-02-25T18:31:18Z",
"published": "2022-05-24T22:28:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14381"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874311"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8019ad13ef7f64be44d4f892af9c840179009254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-69W7-5X2M-P8CP
Vulnerability from github – Published: 2024-03-01 00:30 – Updated: 2024-12-10 18:31In the Linux kernel, the following vulnerability has been resolved:
regmap: set debugfs_name to NULL after it is freed
There is a upstream commit cffa4b2122f5("regmap:debugfs: Fix a memory leak when calling regmap_attach_dev") that adds a if condition when create name for debugfs_name. With below function invoking logical, debugfs_name is freed in regmap_debugfs_exit(), but it is not created again because of the if condition introduced by above commit. regmap_reinit_cache() regmap_debugfs_exit() ... regmap_debugfs_init() So, set debugfs_name to NULL after it is freed.
{
"affected": [],
"aliases": [
"CVE-2021-47058"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T23:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: set debugfs_name to NULL after it is freed\n\nThere is a upstream commit cffa4b2122f5(\"regmap:debugfs:\nFix a memory leak when calling regmap_attach_dev\") that\nadds a if condition when create name for debugfs_name.\nWith below function invoking logical, debugfs_name is\nfreed in regmap_debugfs_exit(), but it is not created again\nbecause of the if condition introduced by above commit.\nregmap_reinit_cache()\n\tregmap_debugfs_exit()\n\t...\n\tregmap_debugfs_init()\nSo, set debugfs_name to NULL after it is freed.",
"id": "GHSA-69w7-5x2m-p8cp",
"modified": "2024-12-10T18:31:06Z",
"published": "2024-03-01T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47058"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2dc1554d5f0fdaf47cc5bea442b84b9226fea867"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9e569ae1da3a113b3acee8703c94777fd20938a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c764e375ae647832de1ee73d43a4bb3ef8a8f43d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8897f7b2283a500666c85ef06e820df38ed7b52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e41a962f82e7afb5b1ee644f48ad0b3aee656268"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb949f891226c012138ffd9df90d1e509f428ae6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.