Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-7W6P-6WQM-42HR

Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59
VLAI
Details

Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-17T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
  "id": "GHSA-7w6p-6wqm-42hr",
  "modified": "2022-05-24T16:59:25Z",
  "published": "2022-05-24T16:59:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8220"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7W6X-PFMG-76XX

Vulnerability from github – Published: 2026-04-23 12:31 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

can: raw: fix ro->uniq use-after-free in raw_rcv()

raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage.

Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained.

[mkl: applied manually]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-23T12:17:01Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro-\u003euniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro-\u003euniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro-\u003euniq) out of raw_release() and into a raw-specific\nsocket destructor. can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]",
  "id": "GHSA-7w6x-pfmg-76xx",
  "modified": "2026-06-01T18:31:25Z",
  "published": "2026-04-23T12:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31532"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f43f12fde34737fba091b7e3ab391e14ddbb0be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64c8553decf5a5f2417bd54761ea0a832c56c4ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W79-MX3M-6R57

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12
VLAI
Details

Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-23T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-7w79-mx3m-6r57",
  "modified": "2022-05-24T17:12:14Z",
  "published": "2022-05-24T17:12:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6424"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1031142"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DDNOAGIX5D77TTHT6YPMVJ5WTXTCQEI"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWANFIR3PYAL5RJQ4AO3ZS2DYMSF2ZGZ"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-53"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4645"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W96-3V7R-6G9J

Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2022-05-14 03:56
VLAI
Details

php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-07T10:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.",
  "id": "GHSA-7w96-3v7r-6g9j",
  "modified": "2022-05-14T03:56:18Z",
  "published": "2022-05-14T03:56:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5773"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=72434"
    },
    {
      "type": "WEB",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207170"
    },
    {
      "type": "WEB",
      "url": "http://github.com/php/php-src/commit/f6aef68089221c5ea047d4a74224ee3deead99a6?w=1"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-5.php"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-7.php"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2750.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3618"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/23/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91397"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WC3-342X-7QJV

Vulnerability from github – Published: 2022-02-19 00:00 – Updated: 2022-03-02 00:00
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15861.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15861.",
  "id": "GHSA-7wc3-342x-7qjv",
  "modified": "2022-03-02T00:00:39Z",
  "published": "2022-02-19T00:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24363"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-274"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7WC4-MX57-5W73

Vulnerability from github – Published: 2025-06-03 21:30 – Updated: 2025-06-04 21:31
VLAI
Details

An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380. A Use-After-Free in the mobile processor leads to privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T20:15:21Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380. A Use-After-Free in the mobile processor leads to privilege escalation.",
  "id": "GHSA-7wc4-mx57-5w73",
  "modified": "2025-06-04T21:31:13Z",
  "published": "2025-06-03T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23098"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23098"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WCQ-H796-G66P

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-02 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write

During the sysfs firmware write process, a use-after-free read warning is logged from the lpfc_wr_object() routine:

BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc] Use-after-free read at 0x0000000000cf164d (in kfence-#111): lpfc_wr_object+0x235/0x310 [lpfc] lpfc_write_firmware.cold+0x206/0x30d [lpfc] lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc] lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc] kernfs_fop_write_iter+0x121/0x1b0 new_sync_write+0x11c/0x1b0 vfs_write+0x1ef/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x59/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The driver accessed wr_object pointer data, which was initialized into mailbox payload memory, after the mailbox object was released back to the mailbox pool.

Fix by moving the mailbox free calls to the end of the routine ensuring that we don't reference internal mailbox memory after release.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T08:15:37Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write\n\nDuring the sysfs firmware write process, a use-after-free read warning is\nlogged from the lpfc_wr_object() routine:\n\n  BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc]\n  Use-after-free read at 0x0000000000cf164d (in kfence-#111):\n  lpfc_wr_object+0x235/0x310 [lpfc]\n  lpfc_write_firmware.cold+0x206/0x30d [lpfc]\n  lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc]\n  lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc]\n  kernfs_fop_write_iter+0x121/0x1b0\n  new_sync_write+0x11c/0x1b0\n  vfs_write+0x1ef/0x280\n  ksys_write+0x5f/0xe0\n  do_syscall_64+0x59/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe driver accessed wr_object pointer data, which was initialized into\nmailbox payload memory, after the mailbox object was released back to the\nmailbox pool.\n\nFix by moving the mailbox free calls to the end of the routine ensuring\nthat we don\u0027t reference internal mailbox memory after release.",
  "id": "GHSA-7wcq-h796-g66p",
  "modified": "2025-12-02T21:31:26Z",
  "published": "2025-09-16T15:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53282"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21681b81b9ae548c5dae7ae00d931197a27f480c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51ab4eb1a25e73c7fc2ad9026520c4d8369c93cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8becb97918f04bb177bc9c4e00c2bdb302e00944"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8dfefa8f424ab208e552df1bfd008b732f3d0ad1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WFP-W5XF-G7MM

Vulnerability from github – Published: 2024-11-06 18:31 – Updated: 2024-11-06 18:31
VLAI
Details

Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-06T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-7wfp-w5xf-g7mm",
  "modified": "2024-11-06T18:31:11Z",
  "published": "2024-11-06T18:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10826"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/370217726"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WFR-865W-3MVG

Vulnerability from github – Published: 2025-04-29 03:30 – Updated: 2025-11-07 18:30
VLAI
Details

A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to corrupt process memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T03:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to corrupt process memory.",
  "id": "GHSA-7wfr-865w-3mvg",
  "modified": "2025-11-07T18:30:25Z",
  "published": "2025-04-29T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cakescats/airborn-IOS-CVE-2025-24252/blob/main/airborn_arts_CVE-2025-24252_extractor.sh"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122371"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122372"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122374"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122375"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122377"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WV9-8C5X-6HMC

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-10 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Sync IRQ works before buffer destruction

If something was written to the buffer just before destruction, it may be possible (maybe not in a real system, but it did happen in ARCH=um with time-travel) to destroy the ringbuffer before the IRQ work ran, leading this KASAN report (or a crash without KASAN):

BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a
Read of size 8 at addr 000000006d640a48 by task swapper/0

CPU: 0 PID: 0 Comm: swapper Tainted: G        W  O       6.3.0-rc1 #7
Stack:
 60c4f20f 0c203d48 41b58ab3 60f224fc
 600477fa 60f35687 60c4f20f 601273dd
 00000008 6101eb00 6101eab0 615be548
Call Trace:
 [<60047a58>] show_stack+0x25e/0x282
 [<60c609e0>] dump_stack_lvl+0x96/0xfd
 [<60c50d4c>] print_report+0x1a7/0x5a8
 [<603078d3>] kasan_report+0xc1/0xe9
 [<60308950>] __asan_report_load8_noabort+0x1b/0x1d
 [<60232844>] irq_work_run_list+0x11a/0x13a
 [<602328b4>] irq_work_tick+0x24/0x34
 [<6017f9dc>] update_process_times+0x162/0x196
 [<6019f335>] tick_sched_handle+0x1a4/0x1c3
 [<6019fd9e>] tick_sched_timer+0x79/0x10c
 [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695
 [<60182913>] hrtimer_interrupt+0x16c/0x2c4
 [<600486a3>] um_timer+0x164/0x183
 [...]

Allocated by task 411:
 save_stack_trace+0x99/0xb5
 stack_trace_save+0x81/0x9b
 kasan_save_stack+0x2d/0x54
 kasan_set_track+0x34/0x3e
 kasan_save_alloc_info+0x25/0x28
 ____kasan_kmalloc+0x8b/0x97
 __kasan_kmalloc+0x10/0x12
 __kmalloc+0xb2/0xe8
 load_elf_phdrs+0xee/0x182
 [...]

The buggy address belongs to the object at 000000006d640800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 584 bytes inside of
 freed 1024-byte region [000000006d640800, 000000006d640c00)

Add the appropriate irq_work_sync() so the work finishes before the buffers are destroyed.

Prior to the commit in the Fixes tag below, there was only a single global IRQ work, so this issue didn't exist.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:55Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Sync IRQ works before buffer destruction\n\nIf something was written to the buffer just before destruction,\nit may be possible (maybe not in a real system, but it did\nhappen in ARCH=um with time-travel) to destroy the ringbuffer\nbefore the IRQ work ran, leading this KASAN report (or a crash\nwithout KASAN):\n\n    BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a\n    Read of size 8 at addr 000000006d640a48 by task swapper/0\n\n    CPU: 0 PID: 0 Comm: swapper Tainted: G        W  O       6.3.0-rc1 #7\n    Stack:\n     60c4f20f 0c203d48 41b58ab3 60f224fc\n     600477fa 60f35687 60c4f20f 601273dd\n     00000008 6101eb00 6101eab0 615be548\n    Call Trace:\n     [\u003c60047a58\u003e] show_stack+0x25e/0x282\n     [\u003c60c609e0\u003e] dump_stack_lvl+0x96/0xfd\n     [\u003c60c50d4c\u003e] print_report+0x1a7/0x5a8\n     [\u003c603078d3\u003e] kasan_report+0xc1/0xe9\n     [\u003c60308950\u003e] __asan_report_load8_noabort+0x1b/0x1d\n     [\u003c60232844\u003e] irq_work_run_list+0x11a/0x13a\n     [\u003c602328b4\u003e] irq_work_tick+0x24/0x34\n     [\u003c6017f9dc\u003e] update_process_times+0x162/0x196\n     [\u003c6019f335\u003e] tick_sched_handle+0x1a4/0x1c3\n     [\u003c6019fd9e\u003e] tick_sched_timer+0x79/0x10c\n     [\u003c601812b9\u003e] __hrtimer_run_queues.constprop.0+0x425/0x695\n     [\u003c60182913\u003e] hrtimer_interrupt+0x16c/0x2c4\n     [\u003c600486a3\u003e] um_timer+0x164/0x183\n     [...]\n\n    Allocated by task 411:\n     save_stack_trace+0x99/0xb5\n     stack_trace_save+0x81/0x9b\n     kasan_save_stack+0x2d/0x54\n     kasan_set_track+0x34/0x3e\n     kasan_save_alloc_info+0x25/0x28\n     ____kasan_kmalloc+0x8b/0x97\n     __kasan_kmalloc+0x10/0x12\n     __kmalloc+0xb2/0xe8\n     load_elf_phdrs+0xee/0x182\n     [...]\n\n    The buggy address belongs to the object at 000000006d640800\n     which belongs to the cache kmalloc-1k of size 1024\n    The buggy address is located 584 bytes inside of\n     freed 1024-byte region [000000006d640800, 000000006d640c00)\n\nAdd the appropriate irq_work_sync() so the work finishes before\nthe buffers are destroyed.\n\nPrior to the commit in the Fixes tag below, there was only a\nsingle global IRQ work, so this issue didn\u0027t exist.",
  "id": "GHSA-7wv9-8c5x-6hmc",
  "modified": "2026-02-10T15:30:21Z",
  "published": "2025-10-04T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53587"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a65165bd24ee9231191597b7c232376fcd70cdb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c99f65d6af2a454bfd5207b4f6a97c8474a1191"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2399b1fda025e939b6fb1ac94505bcf718534e65"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2702b67f59d455072a08dc40312f9b090d4dec04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/372c5ee537b8366b64b691ba29e9335525e1655e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/675751bb20634f981498c7d66161584080cc061e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c63741e872fcfb10e153517750f7908f0c00f60d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9834abd8b24d1fe8092859e436fe1e0fd467c61"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.