CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-84QC-CGRR-M4WP
Vulnerability from github – Published: 2022-05-01 18:18 – Updated: 2025-04-09 03:44Use-after-free vulnerability in the BitTorrent support in Opera before 9.22 allows user-assisted remote attackers to execute arbitrary code via a crafted header in a torrent file, which leaves a dangling pointer to an invalid object.
{
"affected": [],
"aliases": [
"CVE-2007-3929"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-07-21T00:30:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the BitTorrent support in Opera before 9.22 allows user-assisted remote attackers to execute arbitrary code via a crafted header in a torrent file, which leaves a dangling pointer to an invalid object.",
"id": "GHSA-84qc-cgrr-m4wp",
"modified": "2025-04-09T03:44:16Z",
"published": "2022-05-01T18:18:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3929"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35509"
},
{
"type": "WEB",
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=564"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26138"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26545"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200708-17.xml"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"
},
{
"type": "WEB",
"url": "http://www.opera.com/support/search/view/862"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/24970"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1018431"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/2584"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-84R7-X76R-M562
Vulnerability from github – Published: 2022-05-14 00:52 – Updated: 2022-05-14 00:52Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2018-15920"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-12T18:29:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-84r7-x76r-m562",
"modified": "2022-05-14T00:52:43Z",
"published": "2022-05-14T00:52:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15920"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb18-30.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105441"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84RJ-W682-G977
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.
{
"affected": [],
"aliases": [
"CVE-2020-13531"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-03T17:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.",
"id": "GHSA-84rj-w682-g977",
"modified": "2022-05-24T17:35:06Z",
"published": "2022-05-24T17:35:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13531"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1145"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84V6-6VMQ-3V62
Vulnerability from github – Published: 2025-09-11 18:35 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
mm/debug_vm_pgtable: clear page table entries at destroy_args()
The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also its manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those entries with the *_clear functions.
The problem is that leaves stale entries. If another process allocates an mm_struct with a pgd at the same address, it may end up running into the stale entry. This is happening in practice on a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra debugging I added (it prints a warning trace if pgtables_bytes goes negative, in addition to the warning at check_mm() function):
[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000 [ 2.539366] kmem_cache info [ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508 [ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e (...) [ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0 [ 2.552816] Modules linked in: [ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY [ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries [ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90 [ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug) [ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a [ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0 [ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001 [ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff [ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000 [ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb [ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0 [ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000 [ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001 [ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760 [ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0 [ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0 [ 2.553199] Call Trace: [ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable) [ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0 [ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570 [ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650 [ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290 [ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0 [ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870 [ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150 [ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50 [ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0 [ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec (...) [ 2.558892] ---[ end trace 0000000000000000 ]--- [ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1 [ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144
Here the modprobe process ended up with an allocated mm_struct from the mm_struct slab that was used before by the debug_vm_pgtable test. That is not a problem, since the mm_stru ---truncated---
{
"affected": [],
"aliases": [
"CVE-2025-39776"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-11T17:15:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/debug_vm_pgtable: clear page table entries at destroy_args()\n\nThe mm/debug_vm_pagetable test allocates manually page table entries for\nthe tests it runs, using also its manually allocated mm_struct. That in\nitself is ok, but when it exits, at destroy_args() it fails to clear those\nentries with the *_clear functions.\n\nThe problem is that leaves stale entries. If another process allocates an\nmm_struct with a pgd at the same address, it may end up running into the\nstale entry. This is happening in practice on a debug kernel with\nCONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra\ndebugging I added (it prints a warning trace if pgtables_bytes goes\nnegative, in addition to the warning at check_mm() function):\n\n[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000\n[ 2.539366] kmem_cache info\n[ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508\n[ 2.539447] debug_vm_pgtable: [init_args ]: args-\u003emm is 0x000000002267cc9e\n(...)\n[ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0\n[ 2.552816] Modules linked in:\n[ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY\n[ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries\n[ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90\n[ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)\n[ 2.552899] MSR: 800000000282b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e CR: 24002822 XER: 0000000a\n[ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0\n[ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001\n[ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff\n[ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000\n[ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb\n[ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0\n[ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000\n[ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001\n[ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760\n[ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0\n[ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0\n[ 2.553199] Call Trace:\n[ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)\n[ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0\n[ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570\n[ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650\n[ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290\n[ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0\n[ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870\n[ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150\n[ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50\n[ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0\n[ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n(...)\n[ 2.558892] ---[ end trace 0000000000000000 ]---\n[ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1\n[ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144\n\nHere the modprobe process ended up with an allocated mm_struct from the\nmm_struct slab that was used before by the debug_vm_pgtable test. That is\nnot a problem, since the mm_stru\n---truncated---",
"id": "GHSA-84v6-6vmq-3v62",
"modified": "2026-05-12T15:31:07Z",
"published": "2025-09-11T18:35:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39776"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47d2a149611b8a94d24add9868c442a4af278658"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/561171db3b3eb759ba3f284dba7a76f4476ade03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/61a9f2e5c49f05e3ea2c16674540a075a1b4be6f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/63962ff932ef359925b94be2a88df6b4fd4fed0a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bf57a0709cd7c9088cea8de023d6f4fbf2518b0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dde30854bddfb5d69f30022b53c5955a41088b33"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84XM-R438-86PX
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 22:54Note: This vulnerability was originally reported to the Google OSS VRP (Issue ID: 477542544). The Google Security Team requested that I coordinate directly with the Envoy maintainers for triage and remediation. I am submitting this report here to facilitate that process.
Technical Details
I have identified a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up.
Mechanism:
The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method.
When an HTTP/2 stream encounters a reset condition (e.g., StreamIdleTimeout, OverloadManager limits, or a local reset triggered by a filter), Envoy calls onResetStream. This method:
1. Sets the internal state state_.saw_downstream_reset_ = true.
2. Invokes onDestroy() on all filters in the chain (allowing them to release resources/pointers).
3. Schedules the ActiveStream object for deferred deletion (cleanup happens later in the event loop).
The Flaw:
The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData.
FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy().
Root Cause Code Location:
File: source/common/http/filter_manager.cc
Function: FilterManager::decodeData
void FilterManager::decodeData(...) {
if (stopDecoderFilterChain()) { return; }
// Vulnerability: Missing check for state_.saw_downstream_reset_
// Execution proceeds into the loop even if the stream is logically dead.
auto trailers_added_entry = decoder_filters_.end();
for (; entry != decoder_filters_.end(); entry++) {
// ... calls (*entry)->handle_->decodeData(data) on destroyed filters ...
}
}
Suggested Fix:
Add an explicit state check at the beginning of FilterManager::decodeData.
// Prevent execution on streams that have been reset but not yet destroyed.
if (state_.saw_downstream_reset_) {
return;
}
Impact Analysis
Who can exploit this: Any remote attacker capable of establishing an HTTP/2 or HTTP/3 connection. No privileges/authentication required.
Impact & Gain:
1. Memory Corruption & Potential Remote Code Execution:
While the immediate symptom is a crash (DoS), the underlying primitive is a Use-After-Free (CWE-416).
* Mechanism: When onDestroy() is called on filters (e.g., Lua, Wasm, or complex native filters), they release internal structures and invalidate pointers.
* Exploitation: By forcing decodeData() to execute on these now-freed objects, an attacker triggers undefined behavior. In a heap-groomed environment, an attacker could potentially replace the freed filter object with a malicious payload before the "Zombie" decodeData call occurs. This would allow for vtable hijacking or arbitrary write-what-where primitives, leading to Remote Code Execution (RCE).
* Risk Amplification: This is particularly dangerous for Envoy deployments using memory-unsafe extensions or third-party filters (C++ extensions), where onDestroy logic is relied upon for safety.
2. Security Control Bypass:
The vulnerability defeats Envoy's "Fail-Closed" security architecture.
* Scenario: If a stream is reset due to a security violation (e.g., StreamIdleTimeout, OverloadManager rejection, or WAF triggering), this vulnerability allows the attacker to bypass the termination.
* Result: The attacker can force the processing of "Data" frames on a connection that the security policy explicitly attempted to close, allowing malicious payloads to reach deeper into the filter chain or backend services despite the rejection.
Proof of Concept (Unit Test)
Description:
The attached C++ unit test (zombie_stream_poc_test.cc) deterministically reproduces the vulnerability. It creates a stream, manually triggers a reset (simulating an Overload), and then immediately injects a DATA frame. The test asserts that the filter's decodeData callback is invoked on the reset stream.
#include "test/common/http/conn_manager_impl_test_base.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
using testing::_;
using testing::Invoke;
using testing::NiceMock;
using testing::Return;
namespace Envoy {
namespace Http {
/**
* Proof of Concept for "Zombie Stream Filter Execution" (HTTP/2 Reset Re-entrancy)
* * Logic flow:
* 1. Open a stream with HEADERS.
* 2. Force a stream reset (simulating an Overload or Timeout).
* 3. Immediately inject DATA into the stream.
* 4. ASSERT that the filter's decodeData is called despite the stream being reset.
*/
class ZombieStreamPocTest : public HttpConnectionManagerImplTest {
};
TEST_F(ZombieStreamPocTest, ReproducedZombieFilterExecution) {
setup(SetupOpts().setTracing(false));
// 1. Setup a mock filter
std::shared_ptr<MockStreamDecoderFilter> filter(new NiceMock<MockStreamDecoderFilter>());
// Vuln confirmation:
// We expect decodeData to be called on this filter even though the stream is reset.
// In a secure/patched implementation, this EXPECT_CALL should fail (Times(0)).
EXPECT_CALL(*filter, decodeData(_, _))
.Times(1)
.WillOnce(Invoke([&](Buffer::Instance&, bool) -> FilterDataStatus {
ENVOY_LOG_MISC(error, "!!! VULNERABILITY REPRODUCED: decodeData called on a reset stream !!!");
return FilterDataStatus::Continue;
}));
EXPECT_CALL(*filter, decodeHeaders(_, false))
.WillOnce(Return(FilterHeadersStatus::StopIteration));
// Register the filter
EXPECT_CALL(filter_factory_, createFilterChain(_))
.WillOnce(Invoke([&](FilterChainFactoryCallbacks& callbacks) -> bool {
auto factory = createDecoderFilterFactoryCb(filter);
callbacks.setFilterConfigName("vulnerable_filter");
factory(callbacks);
return true;
}));
// 2. Start the stream
EXPECT_CALL(*codec_, dispatch(_))
.WillOnce(Invoke([&](Buffer::Instance&) -> Http::Status {
decoder_ = &conn_manager_->newStream(response_encoder_);
RequestHeaderMapPtr headers{new TestRequestHeaderMapImpl{
{":authority", "host"}, {":path", "/"}, {":method", "POST"}}};
decoder_->decodeHeaders(std::move(headers), false);
return Http::okStatus();
}));
// Dispatch headers
Buffer::OwnedImpl header_buffer("headers");
conn_manager_->onData(header_buffer, false);
// 3. Trigger a Reset on the ActiveStream
// This simulates Envoy terminating the stream due to an external event (Overload, Timeout).
auto* active_stream = dynamic_cast<ConnectionManagerImpl::ActiveStream*>(decoder_);
// This sets state_.saw_downstream_reset_ = true and triggers filter->onDestroy()
active_stream->onResetStream(StreamResetReason::LocalReset, "simulated_overload");
// 4. Attack: Send DATA to the "Zombie" stream
// The ActiveStream object is still alive in the deferred delete list.
Buffer::OwnedImpl malicious_payload("attacker_data");
// This call reaches the filter because FilterManager::decodeData misses the check!
active_stream->decodeData(malicious_payload, false);
}
} // namespace Http
} // namespace Envoy
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"versions": [
"1.37.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.36.0"
},
{
"last_affected": "1.36.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.0"
},
{
"last_affected": "1.35.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.34.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26311"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T18:31:23Z",
"nvd_published_at": "2026-03-10T20:16:36Z",
"severity": "MODERATE"
},
"details": "**Note:**\nThis vulnerability was originally reported to the Google OSS VRP (Issue ID: [477542544](https://issuetracker.google.com/issues/477542544)). The Google Security Team requested that I coordinate directly with the Envoy maintainers for triage and remediation. I am submitting this report here to facilitate that process.\n\n**Technical Details**\nI have identified a logic vulnerability in Envoy\u0027s HTTP connection manager (`FilterManager`) that allows for **Zombie Stream Filter Execution**. This issue creates a \"Use-After-Free\" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up.\n\n**Mechanism:**\nThe vulnerability resides in `source/common/http/filter_manager.cc` within the `FilterManager::decodeData` method.\n\nWhen an HTTP/2 stream encounters a reset condition (e.g., `StreamIdleTimeout`, `OverloadManager` limits, or a local reset triggered by a filter), Envoy calls `onResetStream`. This method:\n1. Sets the internal state `state_.saw_downstream_reset_ = true`.\n2. Invokes `onDestroy()` on all filters in the chain (allowing them to release resources/pointers).\n3. Schedules the `ActiveStream` object for **deferred deletion** (cleanup happens later in the event loop).\n\n**The Flaw:**\nThe `ActiveStream` object remains valid in memory during the deferred deletion window. If a `DATA` frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes `ActiveStream::decodeData`, which cascades to `FilterManager::decodeData`.\n\n`FilterManager::decodeData` **fails to check the `saw_downstream_reset_` flag**. It iterates over the `decoder_filters_` list and invokes `decodeData()` on filters that have already received `onDestroy()`.\n\n**Root Cause Code Location:**\nFile: `source/common/http/filter_manager.cc`\nFunction: `FilterManager::decodeData`\n\n```cpp\nvoid FilterManager::decodeData(...) {\n if (stopDecoderFilterChain()) { return; }\n\n // Vulnerability: Missing check for state_.saw_downstream_reset_\n // Execution proceeds into the loop even if the stream is logically dead.\n\n auto trailers_added_entry = decoder_filters_.end();\n for (; entry != decoder_filters_.end(); entry++) {\n // ... calls (*entry)-\u003ehandle_-\u003edecodeData(data) on destroyed filters ...\n }\n}\n```\n\n**Suggested Fix:**\nAdd an explicit state check at the beginning of `FilterManager::decodeData`.\n\n```cpp\n// Prevent execution on streams that have been reset but not yet destroyed.\nif (state_.saw_downstream_reset_) {\n return;\n}\n```\n\n---\n\n## Impact Analysis\n\n**Who can exploit this:**\nAny remote attacker capable of establishing an HTTP/2 or HTTP/3 connection. No privileges/authentication required.\n\n**Impact \u0026 Gain:**\n**1. Memory Corruption \u0026 Potential Remote Code Execution:**\nWhile the immediate symptom is a crash (DoS), the underlying primitive is a **Use-After-Free (CWE-416)**.\n* **Mechanism:** When `onDestroy()` is called on filters (e.g., Lua, Wasm, or complex native filters), they release internal structures and invalidate pointers.\n* **Exploitation:** By forcing `decodeData()` to execute on these now-freed objects, an attacker triggers undefined behavior. In a heap-groomed environment, an attacker could potentially replace the freed filter object with a malicious payload before the \"Zombie\" `decodeData` call occurs. This would allow for vtable hijacking or arbitrary write-what-where primitives, leading to **Remote Code Execution (RCE)**.\n* **Risk Amplification:** This is particularly dangerous for Envoy deployments using memory-unsafe extensions or third-party filters (C++ extensions), where `onDestroy` logic is relied upon for safety.\n\n**2. Security Control Bypass:**\nThe vulnerability defeats Envoy\u0027s \"Fail-Closed\" security architecture.\n* **Scenario:** If a stream is reset due to a security violation (e.g., `StreamIdleTimeout`, `OverloadManager` rejection, or WAF triggering), this vulnerability allows the attacker to **bypass the termination**.\n* **Result:** The attacker can force the processing of \"Data\" frames on a connection that the security policy explicitly attempted to close, allowing malicious payloads to reach deeper into the filter chain or backend services despite the rejection.\n\n---\n\n## Proof of Concept (Unit Test)\n\n**Description:**\nThe attached C++ unit test (`zombie_stream_poc_test.cc`) deterministically reproduces the vulnerability. It creates a stream, manually triggers a reset (simulating an Overload), and then immediately injects a DATA frame. The test asserts that the filter\u0027s `decodeData` callback is invoked on the reset stream.\n\n```cpp\n#include \"test/common/http/conn_manager_impl_test_base.h\"\n#include \"gmock/gmock.h\"\n#include \"gtest/gtest.h\"\n\nusing testing::_;\nusing testing::Invoke;\nusing testing::NiceMock;\nusing testing::Return;\n\nnamespace Envoy {\nnamespace Http {\n\n/**\n * Proof of Concept for \"Zombie Stream Filter Execution\" (HTTP/2 Reset Re-entrancy)\n * * Logic flow:\n * 1. Open a stream with HEADERS.\n * 2. Force a stream reset (simulating an Overload or Timeout).\n * 3. Immediately inject DATA into the stream.\n * 4. ASSERT that the filter\u0027s decodeData is called despite the stream being reset.\n */\nclass ZombieStreamPocTest : public HttpConnectionManagerImplTest {\n};\n\nTEST_F(ZombieStreamPocTest, ReproducedZombieFilterExecution) {\n setup(SetupOpts().setTracing(false));\n\n // 1. Setup a mock filter\n std::shared_ptr\u003cMockStreamDecoderFilter\u003e filter(new NiceMock\u003cMockStreamDecoderFilter\u003e());\n \n // Vuln confirmation:\n // We expect decodeData to be called on this filter even though the stream is reset.\n // In a secure/patched implementation, this EXPECT_CALL should fail (Times(0)).\n EXPECT_CALL(*filter, decodeData(_, _))\n .Times(1)\n .WillOnce(Invoke([\u0026](Buffer::Instance\u0026, bool) -\u003e FilterDataStatus {\n ENVOY_LOG_MISC(error, \"!!! VULNERABILITY REPRODUCED: decodeData called on a reset stream !!!\");\n return FilterDataStatus::Continue;\n }));\n\n EXPECT_CALL(*filter, decodeHeaders(_, false))\n .WillOnce(Return(FilterHeadersStatus::StopIteration));\n\n // Register the filter\n EXPECT_CALL(filter_factory_, createFilterChain(_))\n .WillOnce(Invoke([\u0026](FilterChainFactoryCallbacks\u0026 callbacks) -\u003e bool {\n auto factory = createDecoderFilterFactoryCb(filter);\n callbacks.setFilterConfigName(\"vulnerable_filter\");\n factory(callbacks);\n return true;\n }));\n\n // 2. Start the stream\n EXPECT_CALL(*codec_, dispatch(_))\n .WillOnce(Invoke([\u0026](Buffer::Instance\u0026) -\u003e Http::Status {\n decoder_ = \u0026conn_manager_-\u003enewStream(response_encoder_);\n RequestHeaderMapPtr headers{new TestRequestHeaderMapImpl{\n {\":authority\", \"host\"}, {\":path\", \"/\"}, {\":method\", \"POST\"}}};\n decoder_-\u003edecodeHeaders(std::move(headers), false);\n return Http::okStatus();\n }));\n\n // Dispatch headers\n Buffer::OwnedImpl header_buffer(\"headers\");\n conn_manager_-\u003eonData(header_buffer, false);\n\n // 3. Trigger a Reset on the ActiveStream\n // This simulates Envoy terminating the stream due to an external event (Overload, Timeout).\n auto* active_stream = dynamic_cast\u003cConnectionManagerImpl::ActiveStream*\u003e(decoder_);\n \n // This sets state_.saw_downstream_reset_ = true and triggers filter-\u003eonDestroy()\n active_stream-\u003eonResetStream(StreamResetReason::LocalReset, \"simulated_overload\");\n\n // 4. Attack: Send DATA to the \"Zombie\" stream\n // The ActiveStream object is still alive in the deferred delete list.\n Buffer::OwnedImpl malicious_payload(\"attacker_data\");\n \n // This call reaches the filter because FilterManager::decodeData misses the check!\n active_stream-\u003edecodeData(malicious_payload, false);\n}\n\n} // namespace Http\n} // namespace Envoy\n```",
"id": "GHSA-84xm-r438-86px",
"modified": "2026-03-10T22:54:46Z",
"published": "2026-03-10T18:31:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-84xm-r438-86px"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26311"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/envoy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Envoy: HTTP - filter chain execution on reset streams causing UAF crash"
}
GHSA-84XW-J5XX-RXXP
Vulnerability from github – Published: 2024-05-08 00:31 – Updated: 2024-05-08 00:31Foxit PDF Editor FileAttachment Annotation Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14367.
{
"affected": [],
"aliases": [
"CVE-2021-34966"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T23:15:11Z",
"severity": "HIGH"
},
"details": "Foxit PDF Editor FileAttachment Annotation Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-14367.",
"id": "GHSA-84xw-j5xx-rxxp",
"modified": "2024-05-08T00:31:14Z",
"published": "2024-05-08T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34966"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-853V-GFGF-8MF3
Vulnerability from github – Published: 2022-02-19 00:00 – Updated: 2022-03-02 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15851.
{
"affected": [],
"aliases": [
"CVE-2022-24364"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T20:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15851.",
"id": "GHSA-853v-gfgf-8mf3",
"modified": "2022-03-02T00:00:39Z",
"published": "2022-02-19T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24364"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-275"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-855F-H3M2-HFC5
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-29 18:30In UnwindingWorker of unwinding.cc, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-233338564
{
"affected": [],
"aliases": [
"CVE-2023-21018"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "In UnwindingWorker of unwinding.cc, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-233338564",
"id": "GHSA-855f-h3m2-hfc5",
"modified": "2023-03-29T18:30:28Z",
"published": "2023-03-24T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21018"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-855F-PRPX-GQV7
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG use elements.
{
"affected": [],
"aliases": [
"CVE-2011-3035"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-03-05T19:55:00Z",
"severity": "MODERATE"
},
"details": "Use-after-free vulnerability in Google Chrome before 17.0.963.65 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG use elements.",
"id": "GHSA-855f-prpx-gqv7",
"modified": "2022-05-13T01:27:16Z",
"published": "2022-05-13T01:27:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3035"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73646"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15097"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=112212"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2012/03/chrome-stable-update.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Jul/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Sep/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00012.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48265"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48419"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48527"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201203-19.xml"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5400"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5485"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5503"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/52271"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026759"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-855J-754P-55FW
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-9988"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:57Z",
"severity": "HIGH"
},
"details": "Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-855j-754p-55fw",
"modified": "2026-05-29T18:31:29Z",
"published": "2026-05-29T00:38:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9988"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513049286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.