CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-8467-F3PR-377C
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14023.
{
"affected": [],
"aliases": [
"CVE-2021-34833"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-04T16:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.0.0.49893. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14023.",
"id": "GHSA-8467-f3pr-377c",
"modified": "2022-05-24T19:09:58Z",
"published": "2022-05-24T19:09:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34833"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-915"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8492-V5JH-M4R5
Vulnerability from github – Published: 2024-09-02 06:30 – Updated: 2024-09-02 06:30in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through use after free.
{
"affected": [],
"aliases": [
"CVE-2024-41157"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-02T05:15:16Z",
"severity": "HIGH"
},
"details": "in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through use after free.",
"id": "GHSA-8492-v5jh-m4r5",
"modified": "2024-09-02T06:30:49Z",
"published": "2024-09-02T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41157"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-09.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-849G-HFFP-Q3MH
Vulnerability from github – Published: 2022-05-14 03:04 – Updated: 2022-05-14 03:04In the FastRPC driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a Use After Free condition can occur when mapping on the remote processor fails.
{
"affected": [],
"aliases": [
"CVE-2018-3564"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-06T17:29:00Z",
"severity": "HIGH"
},
"details": "In the FastRPC driver in Android releases from CAF using the linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-06-05, a Use After Free condition can occur when mapping on the remote processor fails.",
"id": "GHSA-849g-hffp-q3mh",
"modified": "2022-05-14T03:04:21Z",
"published": "2022-05-14T03:04:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3564"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-06-01#qualcomm-components"
},
{
"type": "WEB",
"url": "https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=782cd411398e3cf2aca1615ab2649df0c46920ee"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2018/07/02/july-2018-code-aurora-security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-849R-JPQC-FM29
Vulnerability from github – Published: 2024-08-16 21:32 – Updated: 2024-08-16 21:32Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43472"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-16T20:15:13Z",
"severity": "MODERATE"
},
"details": "Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability",
"id": "GHSA-849r-jpqc-fm29",
"modified": "2024-08-16T21:32:36Z",
"published": "2024-08-16T21:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43472"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43472"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-84C6-X9X8-7Q38
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2025-05-02 18:31A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. Processing web content may lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-39434"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:18:56Z",
"severity": "HIGH"
},
"details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. Processing web content may lead to arbitrary code execution.",
"id": "GHSA-84c6-x9x8-7q38",
"modified": "2025-05-02T18:31:25Z",
"published": "2023-09-27T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39434"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-33"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213937"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213938"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213940"
},
{
"type": "WEB",
"url": "https://webkitgtk.org/security/WSA-2023-0009.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/3"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Oct/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/28/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84FP-H279-GGMW
Vulnerability from github – Published: 2024-02-22 18:30 – Updated: 2024-06-27 12:30In the Linux kernel, the following vulnerability has been resolved:
media: pvrusb2: fix use after free on context disconnection
Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.
{
"affected": [],
"aliases": [
"CVE-2023-52445"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-22T17:15:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix use after free on context disconnection\n\nUpon module load, a kthread is created targeting the\npvr2_context_thread_func function, which may call pvr2_context_destroy\nand thus call kfree() on the context object. However, that might happen\nbefore the usb hub_event handler is able to notify the driver. This\npatch adds a sanity check before the invalid read reported by syzbot,\nwithin the context disconnection call stack.",
"id": "GHSA-84fp-h279-ggmw",
"modified": "2024-06-27T12:30:43Z",
"published": "2024-02-22T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52445"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cf0005d315549b8d2b940ff96a66c2a889aa795"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30773ea47d41773f9611ffb4ebc9bda9d19a9e7e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3233d8bf7893550045682192cb227af7fa3defeb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/437b5f57732bb4cc32cc9f8895d2010ee9ff521c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47aa8fcd5e8b5563af4042a00f25ba89bef8f33d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ded85b0c0edd8f45fec88783d7555a5b982449c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec3634ebe23fc3c44ebc67c6d25917300bc68c08"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec36c134dd020d28e312c2f1766f85525e747aab"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84GC-MWWX-2X6J
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to execute arbitrary code via a crafted WillSave document action, a different vulnerability than CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6687, CVE-2015-6688, CVE-2015-6690, CVE-2015-6691, CVE-2015-7615, CVE-2015-7617, and CVE-2015-7621.
{
"affected": [],
"aliases": [
"CVE-2015-6689"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-10-14T23:59:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to execute arbitrary code via a crafted WillSave document action, a different vulnerability than CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6687, CVE-2015-6688, CVE-2015-6690, CVE-2015-6691, CVE-2015-7615, CVE-2015-7617, and CVE-2015-7621.",
"id": "GHSA-84gc-mwwx-2x6j",
"modified": "2022-05-13T01:06:42Z",
"published": "2022-05-13T01:06:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6689"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb15-24.html"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1033796"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-15-470"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-84HG-9FJM-PCR7
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q().
A typical race condition is depicted below:
CPU 0 (cleanup) | CPU 1 (tasklet) | fst_start_xmit() fst_remove_one() | tasklet_schedule() unregister_hdlc_device()| | fst_process_tx_work_q() //handler kfree(card) //free | do_bottom_half_tx() | card-> //use
The following KASAN trace was captured:
================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 ... Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfxhrtimerrun_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...
Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ...
Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ...
The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800aad1000: fa fb ---truncated---
{
"affected": [],
"aliases": [
"CVE-2026-43232"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets\n\nWhen the FarSync T-series card is being detached, the fst_card_info is\ndeallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task\nmay still be running or pending, leading to use-after-free bugs when the\nalready freed fst_card_info is accessed in fst_process_tx_work_q() or\nfst_process_int_work_q().\n\nA typical race condition is depicted below:\n\nCPU 0 (cleanup) | CPU 1 (tasklet)\n | fst_start_xmit()\nfst_remove_one() | tasklet_schedule()\n unregister_hdlc_device()|\n | fst_process_tx_work_q() //handler\n kfree(card) //free | do_bottom_half_tx()\n | card-\u003e //use\n\nThe following KASAN trace was captured:\n\n==================================================================\n BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00\n Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32\n ...\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_report+0xcb/0x5d0\n ? do_bottom_half_tx+0xb88/0xd00\n kasan_report+0xb8/0xf0\n ? do_bottom_half_tx+0xb88/0xd00\n do_bottom_half_tx+0xb88/0xd00\n ? _raw_spin_lock_irqsave+0x85/0xe0\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? __pfx___hrtimer_run_queues+0x10/0x10\n fst_process_tx_work_q+0x67/0x90\n tasklet_action_common+0x1fa/0x720\n ? hrtimer_interrupt+0x31f/0x780\n handle_softirqs+0x176/0x530\n __irq_exit_rcu+0xab/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n ...\n\n Allocated by task 41 on cpu 3 at 72.330843s:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x17/0x60\n __kasan_kmalloc+0x7f/0x90\n fst_add_one+0x1a5/0x1cd0\n local_pci_probe+0xdd/0x190\n pci_device_probe+0x341/0x480\n really_probe+0x1c6/0x6a0\n __driver_probe_device+0x248/0x310\n driver_probe_device+0x48/0x210\n __device_attach_driver+0x160/0x320\n bus_for_each_drv+0x101/0x190\n __device_attach+0x198/0x3a0\n device_initial_probe+0x78/0xa0\n pci_bus_add_device+0x81/0xc0\n pci_bus_add_devices+0x7e/0x190\n enable_slot+0x9b9/0x1130\n acpiphp_check_bridge.part.0+0x2e1/0x460\n acpiphp_hotplug_notify+0x36c/0x3c0\n acpi_device_hotplug+0x203/0xb10\n acpi_hotplug_work_fn+0x59/0x80\n ...\n\n Freed by task 41 on cpu 1 at 75.138639s:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x17/0x60\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x43/0x70\n kfree+0x135/0x410\n fst_remove_one+0x2ca/0x540\n pci_device_remove+0xa6/0x1d0\n device_release_driver_internal+0x364/0x530\n pci_stop_bus_device+0x105/0x150\n pci_stop_and_remove_bus_device+0xd/0x20\n disable_slot+0x116/0x260\n acpiphp_disable_and_eject_slot+0x4b/0x190\n acpiphp_hotplug_notify+0x230/0x3c0\n acpi_device_hotplug+0x203/0xb10\n acpi_hotplug_work_fn+0x59/0x80\n ...\n\n The buggy address belongs to the object at ffff88800aad1000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 28 bytes inside of\n freed 1024-byte region\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x100000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\n head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000\n head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\n head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff\n head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n \u003effff88800aad1000: fa fb\n---truncated---",
"id": "GHSA-84hg-9fjm-pcr7",
"modified": "2026-05-08T15:31:18Z",
"published": "2026-05-06T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43232"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84HR-Q2HC-2M5C
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-05-02 09:30In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI
If lpfc_issue_els_flogi() fails and returns non-zero status, the node reference count is decremented to trigger the release of the nodelist structure. However, if there is a prior registration or dev-loss-evt work pending, the node may be released prematurely. When dev-loss-evt completes, the released node is referenced causing a use-after-free null pointer dereference.
Similarly, when processing non-zero ELS PLOGI completion status in lpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport registration before triggering node removal. If dev-loss-evt work is pending, the node may be released prematurely and a subsequent call to lpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.
Add test for pending dev-loss before decrementing the node reference count for FLOGI, PLOGI, PRLI, and ADISC handling.
{
"affected": [],
"aliases": [
"CVE-2022-49535"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI\n\nIf lpfc_issue_els_flogi() fails and returns non-zero status, the node\nreference count is decremented to trigger the release of the nodelist\nstructure. However, if there is a prior registration or dev-loss-evt work\npending, the node may be released prematurely. When dev-loss-evt\ncompletes, the released node is referenced causing a use-after-free null\npointer dereference.\n\nSimilarly, when processing non-zero ELS PLOGI completion status in\nlpfc_cmpl_els_plogi(), the ndlp flags are checked for a transport\nregistration before triggering node removal. If dev-loss-evt work is\npending, the node may be released prematurely and a subsequent call to\nlpfc_dev_loss_tmo_handler() results in a use after free ndlp dereference.\n\nAdd test for pending dev-loss before decrementing the node reference count\nfor FLOGI, PLOGI, PRLI, and ADISC handling.",
"id": "GHSA-84hr-q2hc-2m5c",
"modified": "2025-05-02T09:30:30Z",
"published": "2025-02-27T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49535"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/10663ebec0ad5c78493a0dd34c9ee4d73d7ca0df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/577a942df3de2666f6947bdd3a5c9e8d30073424"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7dc74ab7975c9b96284abfe4cca756d75fa4604"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84P5-CQQQ-H4GR
Vulnerability from github – Published: 2025-01-26 06:30 – Updated: 2025-11-03 21:32xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
{
"affected": [],
"aliases": [
"CVE-2022-49043"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-26T06:15:21Z",
"severity": "HIGH"
},
"details": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.",
"id": "GHSA-84p5-cqqq-h4gr",
"modified": "2025-11-03T21:32:23Z",
"published": "2025-01-26T06:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49043"
},
{
"type": "WEB",
"url": "https://github.com/php/php-src/issues/17467"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.