Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-7CJC-HVXF-GQH7

Vulnerability from github – Published: 2021-08-25 20:47 – Updated: 2021-08-19 21:18
VLAI
Summary
Use after free and double free in bitvec
Details

An issue was discovered in the bitvec crate before 0.17.4 for Rust. BitVec to BitBox conversion leads to a use-after-free or double free.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "bitvec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.17.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-35862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:18:16Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the bitvec crate before 0.17.4 for Rust. BitVec to BitBox conversion leads to a use-after-free or double free.",
  "id": "GHSA-7cjc-hvxf-gqh7",
  "modified": "2021-08-19T21:18:16Z",
  "published": "2021-08-25T20:47:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35862"
    },
    {
      "type": "WEB",
      "url": "https://github.com/myrrlyn/bitvec/issues/55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/myrrlyn/bitvec"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use after free and double free in bitvec"
}

GHSA-7CJR-CQ2M-2QQH

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

After Effects versions 25.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T18:16:30Z",
    "severity": "HIGH"
  },
  "details": "After Effects versions 25.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-7cjr-cq2m-2qqh",
  "modified": "2026-02-10T18:30:42Z",
  "published": "2026-02-10T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21329"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/after_effects/apsb26-15.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CM5-Q323-XW5F

Vulnerability from github – Published: 2022-05-17 03:46 – Updated: 2022-05-17 03:46
VLAI
Details

Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree, related to the FrameView::updateLayoutAndStyleForPainting function in core/frame/FrameView.cpp and the RenderLayerScrollableArea::setScrollOffset function in core/rendering/RenderLayerScrollableArea.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-3191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-10-08T10:55:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree, related to the FrameView::updateLayoutAndStyleForPainting function in core/frame/FrameView.cpp and the RenderLayerScrollableArea::setScrollOffset function in core/rendering/RenderLayerScrollableArea.cpp.",
  "id": "GHSA-7cm5-q323-xw5f",
  "modified": "2022-05-17T03:46:11Z",
  "published": "2022-05-17T03:46:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3191"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/402407"
    },
    {
      "type": "WEB",
      "url": "https://src.chromium.org/viewvc/blink?revision=180681\u0026view=revision"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2014/10/stable-channel-update.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1626.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70273"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7CM7-H4C7-279H

Vulnerability from github – Published: 2025-10-14 21:30 – Updated: 2025-10-14 21:30
VLAI
Details

Adobe Framemaker versions 2020.9, 2022.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T20:15:38Z",
    "severity": "HIGH"
  },
  "details": "Adobe Framemaker versions 2020.9, 2022.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-7cm7-h4c7-279h",
  "modified": "2025-10-14T21:30:47Z",
  "published": "2025-10-14T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54281"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/framemaker/apsb25-101.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CQ3-9CVJ-9M69

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2022-05-24 16:55
VLAI
Details

In the Android kernel in the FingerTipS touchscreen driver there is a possible use-after-free due to improper locking. This could lead to a local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-06T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Android kernel in the FingerTipS touchscreen driver there is a possible use-after-free due to improper locking. This could lead to a local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-7cq3-9cvj-9m69",
  "modified": "2022-05-24T16:55:37Z",
  "published": "2022-05-24T16:55:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9447"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2019-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7CRJ-GRWH-6247

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()

We got a syzkaller problem because of aarch64 alignment fault if KFENCE enabled. When the size from user bpf program is an odd number, like 399, 407, etc, it will cause the struct skb_shared_info's unaligned access. As seen below:

BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032

Use-after-free read at 0xffff6254fffac077 (in kfence-#213): __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline] arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline] arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline] atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline] __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032 skb_clone+0xf4/0x214 net/core/skbuff.c:1481 _bpfclone_redirect net/core/filter.c:2433 [inline] bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420 bpf_prog_d3839dd9068ceb51+0x80/0x330 bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline] bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53 bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381

kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512

allocated by task 15074 on cpu 0 at 1342.585390s: kmalloc include/linux/slab.h:568 [inline] kzalloc include/linux/slab.h:675 [inline] bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191 bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512 bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline] __do_sys_bpf kernel/bpf/syscall.c:4441 [inline] __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381 __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381

To fix the problem, we adjust @size so that (@size + @hearoom) is a multiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info is aligned to a cache line.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:07Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Fix alignment problem in bpf_prog_test_run_skb()\n\nWe got a syzkaller problem because of aarch64 alignment fault\nif KFENCE enabled. When the size from user bpf program is an odd\nnumber, like 399, 407, etc, it will cause the struct skb_shared_info\u0027s\nunaligned access. As seen below:\n\n  BUG: KFENCE: use-after-free read in __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032\n\n  Use-after-free read at 0xffff6254fffac077 (in kfence-#213):\n   __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:26 [inline]\n   arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]\n   arch_atomic_inc include/linux/atomic-arch-fallback.h:270 [inline]\n   atomic_inc include/asm-generic/atomic-instrumented.h:241 [inline]\n   __skb_clone+0x23c/0x2a0 net/core/skbuff.c:1032\n   skb_clone+0xf4/0x214 net/core/skbuff.c:1481\n   ____bpf_clone_redirect net/core/filter.c:2433 [inline]\n   bpf_clone_redirect+0x78/0x1c0 net/core/filter.c:2420\n   bpf_prog_d3839dd9068ceb51+0x80/0x330\n   bpf_dispatcher_nop_func include/linux/bpf.h:728 [inline]\n   bpf_test_run+0x3c0/0x6c0 net/bpf/test_run.c:53\n   bpf_prog_test_run_skb+0x638/0xa7c net/bpf/test_run.c:594\n   bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]\n   __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]\n   __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381\n\n  kfence-#213: 0xffff6254fffac000-0xffff6254fffac196, size=407, cache=kmalloc-512\n\n  allocated by task 15074 on cpu 0 at 1342.585390s:\n   kmalloc include/linux/slab.h:568 [inline]\n   kzalloc include/linux/slab.h:675 [inline]\n   bpf_test_init.isra.0+0xac/0x290 net/bpf/test_run.c:191\n   bpf_prog_test_run_skb+0x11c/0xa7c net/bpf/test_run.c:512\n   bpf_prog_test_run kernel/bpf/syscall.c:3148 [inline]\n   __do_sys_bpf kernel/bpf/syscall.c:4441 [inline]\n   __se_sys_bpf+0xad0/0x1634 kernel/bpf/syscall.c:4381\n   __arm64_sys_bpf+0x50/0x60 kernel/bpf/syscall.c:4381\n\nTo fix the problem, we adjust @size so that (@size + @hearoom) is a\nmultiple of SMP_CACHE_BYTES. So we make sure the struct skb_shared_info\nis aligned to a cache line.",
  "id": "GHSA-7crj-grwh-6247",
  "modified": "2025-05-07T15:31:24Z",
  "published": "2025-05-01T15:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49840"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/047824a730699c6c66df43306b80f700c9dfc2fd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b597f2d6a55e9f549989913860ad5170da04964"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/730fb1ef974a13915bc7651364d8b3318891cd70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a704dbfd3735304e261f2787c52fbc7c3884736"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3fd203f36d46aa29600a72d57a1b61af80e4a25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e60f37a1d379c821c17b08f366412dce9ef3d99f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eaa8edd86514afac9deb9bf9a5053e74f37edf40"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CW3-HMGQ-847V

Vulnerability from github – Published: 2025-11-03 15:30 – Updated: 2025-11-04 18:31
VLAI
Details

NetSurf 3.11 is vulnerable to Use After Free in dom_node_set_text_content function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-03T15:15:35Z",
    "severity": "MODERATE"
  },
  "details": "NetSurf 3.11 is vulnerable to Use After Free in dom_node_set_text_content function.",
  "id": "GHSA-7cw3-hmgq-847v",
  "modified": "2025-11-04T18:31:47Z",
  "published": "2025-11-03T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29699"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fysac/netsurf-disclosure/tree/main/CVE-2025-29699"
    },
    {
      "type": "WEB",
      "url": "https://www.netsurf-browser.org"
    },
    {
      "type": "WEB",
      "url": "http://netsurf.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CWQ-2XV8-7CQW

Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-06-30 03:35
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Enforce that teql can only be used as root qdisc

Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.

Although not important, I will describe the scenario that unearthed this issue for the curious.

GangMin Kim km.kim1503@gmail.com managed to concot a scenario as follows:

ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql

GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T17:16:18Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim \u003ckm.kim1503@gmail.com\u003e managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n  \u251c\u2500\u2500 class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n  \u2514\u2500\u2500 class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql\u0027s enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch-\u003eq.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql\u0027s\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2\u0027s lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc\u0027s\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem\u0027s delay), a dangling pointer is\naccessed causing GangMin\u0027s causing a UAF.",
  "id": "GHSA-7cwq-2xv8-7cqw",
  "modified": "2026-06-30T03:35:32Z",
  "published": "2026-02-04T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23074"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23074.json"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436791"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-23074"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3810"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3685"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3634"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3388"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3360"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3277"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3268"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3110"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F37-MH9R-45HR

Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2022-03-25 00:01
VLAI
Details

njs through 0.7.0, used in NGINX, was discovered to contain a heap use-after-free in njs_await_fulfilled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-14T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "njs through 0.7.0, used in NGINX, was discovered to contain a heap use-after-free in njs_await_fulfilled.",
  "id": "GHSA-7f37-mh9r-45hr",
  "modified": "2022-03-25T00:01:06Z",
  "published": "2022-02-15T00:02:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/njs/issues/451"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/njs/commit/6a07c2156a07ef307b6dcf3c2ca8571a5f1af7a6"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220303-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F66-V639-C98W

Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-03 00:00
VLAI
Details

Use after free in Tab Groups in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-27T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Tab Groups in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.",
  "id": "GHSA-7f66-v639-c98w",
  "modified": "2022-08-03T00:00:52Z",
  "published": "2022-07-28T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1863"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1292870"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.