Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9811 vulnerabilities reference this CWE, most recent first.

GHSA-6VRV-79WJ-RMVJ

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

PDF-XChange Editor mailForm Use-After-Free Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the mailForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20663.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:37Z",
    "severity": "HIGH"
  },
  "details": "PDF-XChange Editor mailForm Use-After-Free Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the mailForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20663.",
  "id": "GHSA-6vrv-79wj-rmvj",
  "modified": "2024-05-03T03:31:00Z",
  "published": "2024-05-03T03:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42040"
    },
    {
      "type": "WEB",
      "url": "https://www.tracker-software.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1391"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VW3-QJC8-X8J8

Vulnerability from github – Published: 2023-03-10 12:30 – Updated: 2023-03-14 18:30
VLAI
Details

The kernel subsystem function check_permission_for_set_tokenid within OpenHarmony-v3.1.5 and prior versions has an UAF vulnerability which local attackers can exploit this vulnerability to escalate the privilege to root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-10T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The kernel subsystem function check_permission_for_set_tokenid within OpenHarmony-v3.1.5 and prior versions has an UAF vulnerability which local attackers can exploit this vulnerability to escalate the privilege to root.",
  "id": "GHSA-6vw3-qjc8-x8j8",
  "modified": "2023-03-14T18:30:21Z",
  "published": "2023-03-10T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22436"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-02.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VW4-WCWF-H6G7

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2024-04-04 00:54
VLAI
Details

An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-10T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An invalid read of 8 bytes due to a use-after-free vulnerability during a \"NULL test\" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.",
  "id": "GHSA-6vw4-wcwf-h6g7",
  "modified": "2024-04-04T00:54:46Z",
  "published": "2022-05-24T16:47:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/insi2304/mongoose-6.13-fuzz/blob/master/Simplest_Web_Server_Use_After_Free-read-mg_http_get_proto_data5932.png"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VWF-M72Q-CW8H

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2025-04-17 15:32
VLAI
Details

A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-31T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an \u0027easy\u0027 handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.",
  "id": "GHSA-6vwf-m72q-cw8h",
  "modified": "2025-04-17T15:32:25Z",
  "published": "2022-05-13T01:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16840"
    },
    {
      "type": "WEB",
      "url": "https://curl.haxx.se/docs/CVE-2018-16840.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201903-03"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3805-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1042013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6VWM-9RMV-MWWV

Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2024-09-03 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()

irq_find_at_or_after() dereferences the interrupt descriptor which is returned by mt_find() while neither holding sparse_irq_lock nor RCU read lock, which means the descriptor can be freed between mt_find() and the dereference:

CPU0                            CPU1
desc = mt_find()
                                delayed_free_desc(desc)
irq_desc_get_irq(desc)

The use-after-free is reported by KASAN:

Call trace:
 irq_get_next_irq+0x58/0x84
 show_stat+0x638/0x824
 seq_read_iter+0x158/0x4ec
 proc_reg_read_iter+0x94/0x12c
 vfs_read+0x1e0/0x2c8

Freed by task 4471:
 slab_free_freelist_hook+0x174/0x1e0
 __kmem_cache_free+0xa4/0x1dc
 kfree+0x64/0x128
 irq_kobj_release+0x28/0x3c
 kobject_put+0xcc/0x1e0
 delayed_free_desc+0x14/0x2c
 rcu_do_batch+0x214/0x720

Guard the access with a RCU read lock section.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()\n\nirq_find_at_or_after() dereferences the interrupt descriptor which is\nreturned by mt_find() while neither holding sparse_irq_lock nor RCU read\nlock, which means the descriptor can be freed between mt_find() and the\ndereference:\n\n    CPU0                            CPU1\n    desc = mt_find()\n                                    delayed_free_desc(desc)\n    irq_desc_get_irq(desc)\n\nThe use-after-free is reported by KASAN:\n\n    Call trace:\n     irq_get_next_irq+0x58/0x84\n     show_stat+0x638/0x824\n     seq_read_iter+0x158/0x4ec\n     proc_reg_read_iter+0x94/0x12c\n     vfs_read+0x1e0/0x2c8\n\n    Freed by task 4471:\n     slab_free_freelist_hook+0x174/0x1e0\n     __kmem_cache_free+0xa4/0x1dc\n     kfree+0x64/0x128\n     irq_kobj_release+0x28/0x3c\n     kobject_put+0xcc/0x1e0\n     delayed_free_desc+0x14/0x2c\n     rcu_do_batch+0x214/0x720\n\nGuard the access with a RCU read lock section.",
  "id": "GHSA-6vwm-9rmv-mwwv",
  "modified": "2024-09-03T18:31:31Z",
  "published": "2024-06-25T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38385"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c7891812d85500ae2ca4051fa5683fcf29930d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b84a8aba806261d2f759ccedf4a2a6a80a5e55ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d084aa022f84319f8079e30882cbcbc026af9f21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W26-HV7H-WWFQ

Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2022-05-24 17:06
VLAI
Details

An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-16T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software\u0027s Foxit PDF Reader version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
  "id": "GHSA-6w26-hv7h-wwfq",
  "modified": "2022-05-24T17:06:50Z",
  "published": "2022-05-24T17:06:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5130"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0935"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W2C-2WM7-V55G

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

Use after free in Performance APIs in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Performance APIs in Google Chrome prior to 101.0.4951.64 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-6w2c-2wm7-v55g",
  "modified": "2022-07-29T00:00:33Z",
  "published": "2022-07-27T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1636"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_10.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1297283"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W35-C59M-GF96

Vulnerability from github – Published: 2024-11-18 18:30 – Updated: 2024-12-10 15:32
VLAI
Details

A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0018), Tecnomatix Plant Simulation V2404 (All versions < V2404.0007). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-24244)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions \u003c V2302.0018), Tecnomatix Plant Simulation V2404 (All versions \u003c V2404.0007). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files.\nAn attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-24244)",
  "id": "GHSA-6w35-c59m-gf96",
  "modified": "2024-12-10T15:32:31Z",
  "published": "2024-11-18T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52568"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-645131.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-824503.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6W3P-5V24-HP57

Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

Use after free in window manager in Google Chrome on ChromeOS prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-23T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in window manager in Google Chrome on ChromeOS prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-6w3p-5v24-hp57",
  "modified": "2022-08-16T00:00:40Z",
  "published": "2021-12-24T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4067"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1274641"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W48-V89V-CP2G

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31
VLAI
Details

Use after free in Compositing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:18Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Compositing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-6w48-v89v-cp2g",
  "modified": "2026-06-05T03:31:33Z",
  "published": "2026-06-05T00:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11125"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/501517520"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.