CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-85QF-CWMH-QCFP
Vulnerability from github – Published: 2023-04-13 00:30 – Updated: 2023-04-13 00:30Adobe Substance 3D Stager version 2.0.1 (and earlier) is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26384"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T22:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Substance 3D Stager version 2.0.1 (and earlier) is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-85qf-cwmh-qcfp",
"modified": "2023-04-13T00:30:49Z",
"published": "2023-04-13T00:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26384"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb23-26.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-85V3-G6VP-HQ6P
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:20A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7, Firefox < 67, and Firefox ESR < 60.7.
{
"affected": [],
"aliases": [
"CVE-2019-11691"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-23T14:15:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR) in an event loop, causing the XHR main thread to be called after it has been freed. This results in a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 60.7, Firefox \u003c 67, and Firefox ESR \u003c 60.7.",
"id": "GHSA-85v3-g6vp-hq6p",
"modified": "2024-04-04T01:20:41Z",
"published": "2022-05-24T16:50:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11691"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1542465"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-13"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2019-15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-85WH-QMGF-78V3
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the getAttribute method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6474.
{
"affected": [],
"aliases": [
"CVE-2018-17638"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-24T04:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the getAttribute method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6474.",
"id": "GHSA-85wh-qmgf-78v3",
"modified": "2022-05-13T01:33:58Z",
"published": "2022-05-13T01:33:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17638"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-85WJ-8HQ2-4FHH
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-62558"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T18:16:01Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.",
"id": "GHSA-85wj-8hq2-4fhh",
"modified": "2025-12-09T18:30:46Z",
"published": "2025-12-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62558"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-85WX-5HRG-2F3F
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-12 00:01Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-35670"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-85wx-5hrg-2f3f",
"modified": "2022-08-12T00:01:23Z",
"published": "2022-08-12T00:01:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35670"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-39.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-862P-2JPG-8GG4
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.
{
"affected": [],
"aliases": [
"CVE-2018-6307"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-19T16:29:00Z",
"severity": "HIGH"
},
"details": "LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.",
"id": "GHSA-862p-2jpg-8gg4",
"modified": "2022-05-13T01:30:45Z",
"published": "2022-05-13T01:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6307"
},
{
"type": "WEB",
"url": "https://github.com/LibVNC/libvncserver/issues/241"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3877-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8634-CQM9-9GFH
Vulnerability from github – Published: 2026-03-02 18:31 – Updated: 2026-03-02 18:31Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.
{
"affected": [],
"aliases": [
"CVE-2025-47377"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T17:16:25Z",
"severity": "HIGH"
},
"details": "Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.",
"id": "GHSA-8634-cqm9-9gfh",
"modified": "2026-03-02T18:31:45Z",
"published": "2026-03-02T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47377"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-864F-QFFM-34WC
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
atm: fore200e: fix use-after-free in tasklets during device removal
When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().
One of the race conditions can occur as follows:
CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet() | fore200e-> // UAF
Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure.
This bug was identified through static analysis.
{
"affected": [],
"aliases": [
"CVE-2026-43203"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: fore200e: fix use-after-free in tasklets during device removal\n\nWhen the PCA-200E or SBA-200E adapter is being detached, the fore200e\nis deallocated. However, the tx_tasklet or rx_tasklet may still be running\nor pending, leading to use-after-free bug when the already freed fore200e\nis accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().\n\nOne of the race conditions can occur as follows:\n\nCPU 0 (cleanup) | CPU 1 (tasklet)\nfore200e_pca_remove_one() | fore200e_interrupt()\n fore200e_shutdown() | tasklet_schedule()\n kfree(fore200e) | fore200e_tx_tasklet()\n | fore200e-\u003e // UAF\n\nFix this by ensuring tx_tasklet or rx_tasklet is properly canceled before\nthe fore200e is released. Add tasklet_kill() in fore200e_shutdown() to\nsynchronize with any pending or running tasklets. Moreover, since\nfore200e_reset() could prevent further interrupts or data transfers,\nthe tasklet_kill() should be placed after fore200e_reset() to prevent\nthe tasklet from being rescheduled in fore200e_interrupt(). Finally,\nit only needs to do tasklet_kill() when the fore200e state is greater\nthan or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized\nin earlier states. In a word, the tasklet_kill() should be placed in\nthe FORE200E_STATE_IRQ branch within the switch...case structure.\n\nThis bug was identified through static analysis.",
"id": "GHSA-864f-qffm-34wc",
"modified": "2026-05-08T15:31:17Z",
"published": "2026-05-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43203"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-864G-2436-49MM
Vulnerability from github – Published: 2022-05-24 17:06 – Updated: 2022-05-24 17:06An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-5131"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software\u0027s Foxit PDF Reader, version 9.7.0.29435. A specially crafted PDF document can trigger a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
"id": "GHSA-864g-2436-49mm",
"modified": "2022-05-24T17:06:50Z",
"published": "2022-05-24T17:06:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5131"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0920"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-864J-6GWG-G82X
Vulnerability from github – Published: 2024-01-02 06:30 – Updated: 2024-01-02 06:30Memory corruption while running VK synchronization with KASAN enabled.
{
"affected": [],
"aliases": [
"CVE-2023-33094"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T06:15:11Z",
"severity": "HIGH"
},
"details": "Memory corruption while running VK synchronization with KASAN enabled.",
"id": "GHSA-864j-6gwg-g82x",
"modified": "2024-01-02T06:30:31Z",
"published": "2024-01-02T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33094"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.