Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-7JP8-WHJ2-J439

Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-22 15:34
VLAI
Details

Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-26T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-7jp8-whj2-j439",
  "modified": "2025-05-22T15:34:42Z",
  "published": "2022-09-27T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3046"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1346245"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/40060350"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JQ8-3VQQ-QC62

Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: fix use-after-free on controller registration failure

Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-03T16:16:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses.",
  "id": "GHSA-7jq8-3vqq-qc62",
  "modified": "2026-07-14T15:31:48Z",
  "published": "2026-04-03T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31389"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0e23f50086da7d0b183dfeac26021acfcdee086b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23b51bad2eb8787aa74324cfccefb258515ae5ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bbd385b30c7fb6c7ee0669e9ada91490938c051"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80f3e8cd2b4ad355b2ad2024cf423f6d183404f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8634e05b08ead636e926022f4a98416e13440df9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/afe27c1f43aa57530011f419be6ddf71306565d2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JQG-3J54-CPCR

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-02T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-7jqg-3j54-cpcr",
  "modified": "2022-05-24T19:06:49Z",
  "published": "2022-05-24T19:06:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30557"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1202102"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7JV2-7JQ5-C8VC

Vulnerability from github – Published: 2026-06-12 00:31 – Updated: 2026-06-12 03:31
VLAI
Details

Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T22:16:55Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-7jv2-7jq5-c8vc",
  "modified": "2026-06-12T03:31:28Z",
  "published": "2026-06-12T00:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12029"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/518002958"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JWJ-6G7W-4C9Q

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-10 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free bug of ns_writer on remount

If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.

In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:

Task1 Task2 -------------------------------- ------------------------------ nilfs_construct_segment nilfs_segctor_sync init_wait init_waitqueue_entry add_wait_queue schedule nilfs_remount (R/W remount case) nilfs_attach_log_writer nilfs_detach_log_writer nilfs_segctor_destroy kfree finish_wait _raw_spin_lock_irqsave __raw_spin_lock_irqsave do_raw_spin_lock debug_spin_lock_before <-- use-after-free

While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 waked up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on the Shigeru Yoshida's post [1].

This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of ns_writer on remount\n\nIf a nilfs2 filesystem is downgraded to read-only due to metadata\ncorruption on disk and is remounted read/write, or if emergency read-only\nremount is performed, detaching a log writer and synchronizing the\nfilesystem can be done at the same time.\n\nIn these cases, use-after-free of the log writer (hereinafter\nnilfs-\u003ens_writer) can happen as shown in the scenario below:\n\n Task1                               Task2\n --------------------------------    ------------------------------\n nilfs_construct_segment\n   nilfs_segctor_sync\n     init_wait\n     init_waitqueue_entry\n     add_wait_queue\n     schedule\n                                     nilfs_remount (R/W remount case)\n\t\t\t\t       nilfs_attach_log_writer\n                                         nilfs_detach_log_writer\n                                           nilfs_segctor_destroy\n                                             kfree\n     finish_wait\n       _raw_spin_lock_irqsave\n         __raw_spin_lock_irqsave\n           do_raw_spin_lock\n             debug_spin_lock_before  \u003c-- use-after-free\n\nWhile Task1 is sleeping, nilfs-\u003ens_writer is freed by Task2.  After Task1\nwaked up, Task1 accesses nilfs-\u003ens_writer which is already freed.  This\nscenario diagram is based on the Shigeru Yoshida\u0027s post [1].\n\nThis patch fixes the issue by not detaching nilfs-\u003ens_writer on remount so\nthat this UAF race doesn\u0027t happen.  Along with this change, this patch\nalso inserts a few necessary read-only checks with superblock instance\nwhere only the ns_writer pointer was used to check if the filesystem is\nread-only.",
  "id": "GHSA-7jwj-6g7w-4c9q",
  "modified": "2025-11-10T21:30:28Z",
  "published": "2025-05-01T15:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49834"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9cca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34da"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M36-CVPV-MMFP

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix invalid address access in lookup_rec() when index is 0

KASAN reported follow problem:

BUG: KASAN: use-after-free in lookup_rec Read of size 8 at addr ffff000199270ff0 by task modprobe CPU: 2 Comm: modprobe Call trace: kasan_report __asan_load8 lookup_rec ftrace_location arch_check_ftrace_location check_kprobe_address_safe register_kprobe

When checking pg->records[pg->index - 1].ip in lookup_rec(), it can get a pg which is newly added to ftrace_pages_start in ftrace_process_locs(). Before the first pg->index++, index is 0 and accessing pg->records[-1].ip will cause this problem.

Don't check the ip when pg->index is 0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix invalid address access in lookup_rec() when index is 0\n\nKASAN reported follow problem:\n\n BUG: KASAN: use-after-free in lookup_rec\n Read of size 8 at addr ffff000199270ff0 by task modprobe\n CPU: 2 Comm: modprobe\n Call trace:\n  kasan_report\n  __asan_load8\n  lookup_rec\n  ftrace_location\n  arch_check_ftrace_location\n  check_kprobe_address_safe\n  register_kprobe\n\nWhen checking pg-\u003erecords[pg-\u003eindex - 1].ip in lookup_rec(), it can get a\npg which is newly added to ftrace_pages_start in ftrace_process_locs().\nBefore the first pg-\u003eindex++, index is 0 and accessing pg-\u003erecords[-1].ip\nwill cause this problem.\n\nDon\u0027t check the ip when pg-\u003eindex is 0.",
  "id": "GHSA-7m36-cvpv-mmfp",
  "modified": "2025-11-12T21:31:00Z",
  "published": "2025-05-02T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53075"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a0d71fabfeb349216d33f001a6421b1768bd3a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2de28e5ce34b22b73b833a21e2c45ae3aade3964"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f84f31f63416b0f02fc146ffdc4ab32723eb7e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7569ee04b0e3b32df79f64db3a7138573edad9bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83c3b2f4e7c61367c7b24551f4c6eb94bbdda283"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac58b88ccbbb8e9fb83e137cee04a856b1ea6635"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee92fa443358f4fc0017c1d0d325c27b37802504"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1bd8b7fd890d87d0dc4dedc6287ea34dd07c0b4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M5M-PV6Q-79FJ

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: hsr: Fix potential use-after-free

The skb is delivered to netif_rx() which may free it, after calling this, dereferencing skb may trigger use-after-free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:12Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: Fix potential use-after-free\n\nThe skb is delivered to netif_rx() which may free it, after calling this,\ndereferencing skb may trigger use-after-free.",
  "id": "GHSA-7m5m-pv6q-79fj",
  "modified": "2024-10-24T21:31:02Z",
  "published": "2024-10-21T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49015"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b351609af4fdbc23f79ab2b12748f4403ea9af4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53a62c5efe91665f7a41fad0f888a96f94dc59eb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ca81a161e406834a1fdc405fc83a572bd14b8d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e177d32442b7ed08a9fa61b61724abc548cb248"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8393ce5040803666bfa26a3a7bf41e44fab0ace9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b35d899854d5d5d58eb7d7e7c0f61afc60d3a9e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dca370e575d9b6c983f5015e8dc035e23e219ee6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f3add2b8cf620966de3ebfa07679ca12d33ec26f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M6H-9635-GGWF

Vulnerability from github – Published: 2023-02-16 00:30 – Updated: 2023-02-24 18:30
VLAI
Details

Use After Free (UAF) vulnerability in ireader media-server before commit 3e0f63f1d3553f75c7d4eb32fa7c7a1976a9ff84 in librtmp, allows attackers to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-15T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use After Free (UAF) vulnerability in ireader media-server before commit 3e0f63f1d3553f75c7d4eb32fa7c7a1976a9ff84 in librtmp, allows attackers to cause a denial of service.",
  "id": "GHSA-7m6h-9635-ggwf",
  "modified": "2023-02-24T18:30:26Z",
  "published": "2023-02-16T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40016"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ireader/media-server/issues/235"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M6M-78J4-H5P6

Vulnerability from github – Published: 2022-05-14 01:20 – Updated: 2024-09-11 18:30
VLAI
Details

Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-09T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF.",
  "id": "GHSA-7m6m-78j4-h5p6",
  "modified": "2024-09-11T18:30:58Z",
  "published": "2022-05-14T01:20:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000051"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698825"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698873"
    },
    {
      "type": "WEB",
      "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=321ba1de287016b0036bf4a56ce774ad11763384"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201811-15"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4152"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7M7P-885F-H8P5

Vulnerability from github – Published: 2025-08-27 00:31 – Updated: 2025-08-27 15:33
VLAI
Details

In process_service_attr_rsp of sdp_discovery.cc, there is a possible use after free due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-26T23:15:34Z",
    "severity": "HIGH"
  },
  "details": "In process_service_attr_rsp of sdp_discovery.cc, there is a possible use after free due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-7m7p-885f-h8p5",
  "modified": "2025-08-27T15:33:15Z",
  "published": "2025-08-27T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22411"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/806774b1cf641e0c0e7df8024e327febf23d7d7c"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.