CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-7W6P-6WQM-42HR
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-8220"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-17T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-7w6p-6wqm-42hr",
"modified": "2022-05-24T16:59:25Z",
"published": "2022-05-24T16:59:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8220"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7W6X-PFMG-76XX
Vulnerability from github – Published: 2026-04-23 12:31 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
can: raw: fix ro->uniq use-after-free in raw_rcv()
raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage.
Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained.
[mkl: applied manually]
{
"affected": [],
"aliases": [
"CVE-2026-31532"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T12:17:01Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: raw: fix ro-\u003euniq use-after-free in raw_rcv()\n\nraw_release() unregisters raw CAN receive filters via can_rx_unregister(),\nbut receiver deletion is deferred with call_rcu(). This leaves a window\nwhere raw_rcv() may still be running in an RCU read-side critical section\nafter raw_release() frees ro-\u003euniq, leading to a use-after-free of the\npercpu uniq storage.\n\nMove free_percpu(ro-\u003euniq) out of raw_release() and into a raw-specific\nsocket destructor. can_rx_unregister() takes an extra reference to the\nsocket and only drops it from the RCU callback, so freeing uniq from\nsk_destruct ensures the percpu area is not released until the relevant\ncallbacks have drained.\n\n[mkl: applied manually]",
"id": "GHSA-7w6x-pfmg-76xx",
"modified": "2026-06-01T18:31:25Z",
"published": "2026-04-23T12:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31532"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a0f2de81f7fbdc538fc72d7d74609b79bc83cc0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1de30576a6dfeaaa27ef91fa272e6b9240b6fbd3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34c1741254ff972e8375faf176678a248826fe3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f43f12fde34737fba091b7e3ab391e14ddbb0be"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/572f0bf536ebc14f6e7da3d21a85cf076de8358e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e9cfffad898bbeaafd0ea608a6d267362f050fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64c8553decf5a5f2417bd54761ea0a832c56c4ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7201a531b9a5ed892bfda5ded9194ef622de8ffa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a535a9217ca3f2fccedaafb2fddb4c48f27d36dc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7W79-MX3M-6R57
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6424"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-23T16:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-7w79-mx3m-6r57",
"modified": "2022-05-24T17:12:14Z",
"published": "2022-05-24T17:12:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6424"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1031142"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2DDNOAGIX5D77TTHT6YPMVJ5WTXTCQEI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWANFIR3PYAL5RJQ4AO3ZS2DYMSF2ZGZ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-53"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4645"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00028.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7W96-3V7R-6G9J
Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2022-05-14 03:56php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.
{
"affected": [],
"aliases": [
"CVE-2016-5773"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-08-07T10:59:00Z",
"severity": "CRITICAL"
},
"details": "php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.",
"id": "GHSA-7w96-3v7r-6g9j",
"modified": "2022-05-14T03:56:18Z",
"published": "2022-05-14T03:56:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5773"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=72434"
},
{
"type": "WEB",
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207170"
},
{
"type": "WEB",
"url": "http://github.com/php/php-src/commit/f6aef68089221c5ea047d4a74224ee3deead99a6?w=1"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html"
},
{
"type": "WEB",
"url": "http://php.net/ChangeLog-5.php"
},
{
"type": "WEB",
"url": "http://php.net/ChangeLog-7.php"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2750.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3618"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/23/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WC3-342X-7QJV
Vulnerability from github – Published: 2022-02-19 00:00 – Updated: 2022-03-02 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15861.
{
"affected": [],
"aliases": [
"CVE-2022-24363"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T20:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15861.",
"id": "GHSA-7wc3-342x-7qjv",
"modified": "2022-03-02T00:00:39Z",
"published": "2022-02-19T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24363"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-274"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7WC4-MX57-5W73
Vulnerability from github – Published: 2025-06-03 21:30 – Updated: 2025-06-04 21:31An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380. A Use-After-Free in the mobile processor leads to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-23098"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T20:15:21Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Samsung Mobile Processor Exynos 980, 990, 1080, 2100, 1280, 2200, 1380. A Use-After-Free in the mobile processor leads to privilege escalation.",
"id": "GHSA-7wc4-mx57-5w73",
"modified": "2025-06-04T21:31:13Z",
"published": "2025-06-03T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23098"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23098"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WCQ-H796-G66P
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-02 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write
During the sysfs firmware write process, a use-after-free read warning is logged from the lpfc_wr_object() routine:
BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc] Use-after-free read at 0x0000000000cf164d (in kfence-#111): lpfc_wr_object+0x235/0x310 [lpfc] lpfc_write_firmware.cold+0x206/0x30d [lpfc] lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc] lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc] kernfs_fop_write_iter+0x121/0x1b0 new_sync_write+0x11c/0x1b0 vfs_write+0x1ef/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x59/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd
The driver accessed wr_object pointer data, which was initialized into mailbox payload memory, after the mailbox object was released back to the mailbox pool.
Fix by moving the mailbox free calls to the end of the routine ensuring that we don't reference internal mailbox memory after release.
{
"affected": [],
"aliases": [
"CVE-2023-53282"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T08:15:37Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write\n\nDuring the sysfs firmware write process, a use-after-free read warning is\nlogged from the lpfc_wr_object() routine:\n\n BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc]\n Use-after-free read at 0x0000000000cf164d (in kfence-#111):\n lpfc_wr_object+0x235/0x310 [lpfc]\n lpfc_write_firmware.cold+0x206/0x30d [lpfc]\n lpfc_sli4_request_firmware_update+0xa6/0x100 [lpfc]\n lpfc_request_firmware_upgrade_store+0x66/0xb0 [lpfc]\n kernfs_fop_write_iter+0x121/0x1b0\n new_sync_write+0x11c/0x1b0\n vfs_write+0x1ef/0x280\n ksys_write+0x5f/0xe0\n do_syscall_64+0x59/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe driver accessed wr_object pointer data, which was initialized into\nmailbox payload memory, after the mailbox object was released back to the\nmailbox pool.\n\nFix by moving the mailbox free calls to the end of the routine ensuring\nthat we don\u0027t reference internal mailbox memory after release.",
"id": "GHSA-7wcq-h796-g66p",
"modified": "2025-12-02T21:31:26Z",
"published": "2025-09-16T15:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53282"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21681b81b9ae548c5dae7ae00d931197a27f480c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51ab4eb1a25e73c7fc2ad9026520c4d8369c93cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8becb97918f04bb177bc9c4e00c2bdb302e00944"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8dfefa8f424ab208e552df1bfd008b732f3d0ad1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WFP-W5XF-G7MM
Vulnerability from github – Published: 2024-11-06 18:31 – Updated: 2024-11-06 18:31Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-10826"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-06T17:15:13Z",
"severity": "HIGH"
},
"details": "Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-7wfp-w5xf-g7mm",
"modified": "2024-11-06T18:31:11Z",
"published": "2024-11-06T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10826"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/370217726"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WFR-865W-3MVG
Vulnerability from github – Published: 2025-04-29 03:30 – Updated: 2025-11-07 18:30A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to corrupt process memory.
{
"affected": [],
"aliases": [
"CVE-2025-24252"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T03:15:34Z",
"severity": "CRITICAL"
},
"details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4. An attacker on the local network may be able to corrupt process memory.",
"id": "GHSA-7wfr-865w-3mvg",
"modified": "2025-11-07T18:30:25Z",
"published": "2025-04-29T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24252"
},
{
"type": "WEB",
"url": "https://github.com/cakescats/airborn-IOS-CVE-2025-24252/blob/main/airborn_arts_CVE-2025-24252_extractor.sh"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122372"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122377"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WV9-8C5X-6HMC
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-10 15:30In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Sync IRQ works before buffer destruction
If something was written to the buffer just before destruction, it may be possible (maybe not in a real system, but it did happen in ARCH=um with time-travel) to destroy the ringbuffer before the IRQ work ran, leading this KASAN report (or a crash without KASAN):
BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a
Read of size 8 at addr 000000006d640a48 by task swapper/0
CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7
Stack:
60c4f20f 0c203d48 41b58ab3 60f224fc
600477fa 60f35687 60c4f20f 601273dd
00000008 6101eb00 6101eab0 615be548
Call Trace:
[<60047a58>] show_stack+0x25e/0x282
[<60c609e0>] dump_stack_lvl+0x96/0xfd
[<60c50d4c>] print_report+0x1a7/0x5a8
[<603078d3>] kasan_report+0xc1/0xe9
[<60308950>] __asan_report_load8_noabort+0x1b/0x1d
[<60232844>] irq_work_run_list+0x11a/0x13a
[<602328b4>] irq_work_tick+0x24/0x34
[<6017f9dc>] update_process_times+0x162/0x196
[<6019f335>] tick_sched_handle+0x1a4/0x1c3
[<6019fd9e>] tick_sched_timer+0x79/0x10c
[<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695
[<60182913>] hrtimer_interrupt+0x16c/0x2c4
[<600486a3>] um_timer+0x164/0x183
[...]
Allocated by task 411:
save_stack_trace+0x99/0xb5
stack_trace_save+0x81/0x9b
kasan_save_stack+0x2d/0x54
kasan_set_track+0x34/0x3e
kasan_save_alloc_info+0x25/0x28
____kasan_kmalloc+0x8b/0x97
__kasan_kmalloc+0x10/0x12
__kmalloc+0xb2/0xe8
load_elf_phdrs+0xee/0x182
[...]
The buggy address belongs to the object at 000000006d640800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 584 bytes inside of
freed 1024-byte region [000000006d640800, 000000006d640c00)
Add the appropriate irq_work_sync() so the work finishes before the buffers are destroyed.
Prior to the commit in the Fixes tag below, there was only a single global IRQ work, so this issue didn't exist.
{
"affected": [],
"aliases": [
"CVE-2023-53587"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:55Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Sync IRQ works before buffer destruction\n\nIf something was written to the buffer just before destruction,\nit may be possible (maybe not in a real system, but it did\nhappen in ARCH=um with time-travel) to destroy the ringbuffer\nbefore the IRQ work ran, leading this KASAN report (or a crash\nwithout KASAN):\n\n BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a\n Read of size 8 at addr 000000006d640a48 by task swapper/0\n\n CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7\n Stack:\n 60c4f20f 0c203d48 41b58ab3 60f224fc\n 600477fa 60f35687 60c4f20f 601273dd\n 00000008 6101eb00 6101eab0 615be548\n Call Trace:\n [\u003c60047a58\u003e] show_stack+0x25e/0x282\n [\u003c60c609e0\u003e] dump_stack_lvl+0x96/0xfd\n [\u003c60c50d4c\u003e] print_report+0x1a7/0x5a8\n [\u003c603078d3\u003e] kasan_report+0xc1/0xe9\n [\u003c60308950\u003e] __asan_report_load8_noabort+0x1b/0x1d\n [\u003c60232844\u003e] irq_work_run_list+0x11a/0x13a\n [\u003c602328b4\u003e] irq_work_tick+0x24/0x34\n [\u003c6017f9dc\u003e] update_process_times+0x162/0x196\n [\u003c6019f335\u003e] tick_sched_handle+0x1a4/0x1c3\n [\u003c6019fd9e\u003e] tick_sched_timer+0x79/0x10c\n [\u003c601812b9\u003e] __hrtimer_run_queues.constprop.0+0x425/0x695\n [\u003c60182913\u003e] hrtimer_interrupt+0x16c/0x2c4\n [\u003c600486a3\u003e] um_timer+0x164/0x183\n [...]\n\n Allocated by task 411:\n save_stack_trace+0x99/0xb5\n stack_trace_save+0x81/0x9b\n kasan_save_stack+0x2d/0x54\n kasan_set_track+0x34/0x3e\n kasan_save_alloc_info+0x25/0x28\n ____kasan_kmalloc+0x8b/0x97\n __kasan_kmalloc+0x10/0x12\n __kmalloc+0xb2/0xe8\n load_elf_phdrs+0xee/0x182\n [...]\n\n The buggy address belongs to the object at 000000006d640800\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 584 bytes inside of\n freed 1024-byte region [000000006d640800, 000000006d640c00)\n\nAdd the appropriate irq_work_sync() so the work finishes before\nthe buffers are destroyed.\n\nPrior to the commit in the Fixes tag below, there was only a\nsingle global IRQ work, so this issue didn\u0027t exist.",
"id": "GHSA-7wv9-8c5x-6hmc",
"modified": "2026-02-10T15:30:21Z",
"published": "2025-10-04T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53587"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a65165bd24ee9231191597b7c232376fcd70cdb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c99f65d6af2a454bfd5207b4f6a97c8474a1191"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2399b1fda025e939b6fb1ac94505bcf718534e65"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2702b67f59d455072a08dc40312f9b090d4dec04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/372c5ee537b8366b64b691ba29e9335525e1655e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/675751bb20634f981498c7d66161584080cc061e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c63741e872fcfb10e153517750f7908f0c00f60d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9834abd8b24d1fe8092859e436fe1e0fd467c61"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc6858b7f8e1221f62ce8c6ff8a13a349c32cd76"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.