CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-VMR3-MC6R-J34F
Vulnerability from github – Published: 2025-07-04 12:30 – Updated: 2025-11-19 21:31In the Linux kernel, the following vulnerability has been resolved:
binder: fix use-after-free in binderfs_evict_inode()
Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following:
BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699
CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: dump_stack_lvl+0x1c2/0x2a0 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __virt_addr_valid+0x18c/0x540 ? __virt_addr_valid+0x469/0x540 print_report+0x155/0x840 ? __virt_addr_valid+0x18c/0x540 ? __virt_addr_valid+0x469/0x540 ? __phys_addr+0xba/0x170 ? binderfs_evict_inode+0x1de/0x2d0 kasan_report+0x147/0x180 ? binderfs_evict_inode+0x1de/0x2d0 binderfs_evict_inode+0x1de/0x2d0 ? __pfx_binderfs_evict_inode+0x10/0x10 evict+0x524/0x9f0 ? __pfx_lock_release+0x10/0x10 ? __pfx_evict+0x10/0x10 ? do_raw_spin_unlock+0x4d/0x210 ? _raw_spin_unlock+0x28/0x50 ? iput+0x697/0x9b0 __dentry_kill+0x209/0x660 ? shrink_kill+0x8d/0x2c0 shrink_kill+0xa9/0x2c0 shrink_dentry_list+0x2e0/0x5e0 shrink_dcache_parent+0xa2/0x2c0 ? __pfx_shrink_dcache_parent+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 do_one_tree+0x23/0xe0 shrink_dcache_for_umount+0xa0/0x170 generic_shutdown_super+0x67/0x390 kill_litter_super+0x76/0xb0 binderfs_kill_super+0x44/0x90 deactivate_locked_super+0xb9/0x130 cleanup_mnt+0x422/0x4c0 ? lockdep_hardirqs_on+0x9d/0x150 task_work_run+0x1d2/0x260 ? __pfx_task_work_run+0x10/0x10 resume_user_mode_work+0x52/0x60 syscall_exit_to_user_mode+0x9a/0x120 do_syscall_64+0x103/0x210 ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830
Allocated by task 1705: kasan_save_track+0x3e/0x80 __kasan_kmalloc+0x8f/0xa0 __kmalloc_cache_noprof+0x213/0x3e0 binderfs_binder_device_create+0x183/0xa80 binder_ctl_ioctl+0x138/0x190 __x64_sys_ioctl+0x120/0x1b0 do_syscall_64+0xf6/0x210 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 1705: kasan_save_track+0x3e/0x80 kasan_save_free_info+0x46/0x50 __kasan_slab_free+0x62/0x70 kfree+0x194/0x440 evict+0x524/0x9f0 do_unlinkat+0x390/0x5b0 __x64_sys_unlink+0x47/0x50 do_syscall_64+0xf6/0x210 entry_SYSCALL_64_after_hwframe+0x77/0x7f
This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption.
I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well.
{
"affected": [],
"aliases": [
"CVE-2025-38176"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T11:15:51Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in binderfs_evict_inode()\n\nRunning \u0027stress-ng --binderfs 16 --timeout 300\u0027 under KASAN-enabled\nkernel, I\u0027ve noticed the following:\n\nBUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0\nWrite of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699\n\nCPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x1c2/0x2a0\n ? __pfx_dump_stack_lvl+0x10/0x10\n ? __pfx__printk+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __virt_addr_valid+0x18c/0x540\n ? __virt_addr_valid+0x469/0x540\n print_report+0x155/0x840\n ? __virt_addr_valid+0x18c/0x540\n ? __virt_addr_valid+0x469/0x540\n ? __phys_addr+0xba/0x170\n ? binderfs_evict_inode+0x1de/0x2d0\n kasan_report+0x147/0x180\n ? binderfs_evict_inode+0x1de/0x2d0\n binderfs_evict_inode+0x1de/0x2d0\n ? __pfx_binderfs_evict_inode+0x10/0x10\n evict+0x524/0x9f0\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_evict+0x10/0x10\n ? do_raw_spin_unlock+0x4d/0x210\n ? _raw_spin_unlock+0x28/0x50\n ? iput+0x697/0x9b0\n __dentry_kill+0x209/0x660\n ? shrink_kill+0x8d/0x2c0\n shrink_kill+0xa9/0x2c0\n shrink_dentry_list+0x2e0/0x5e0\n shrink_dcache_parent+0xa2/0x2c0\n ? __pfx_shrink_dcache_parent+0x10/0x10\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n do_one_tree+0x23/0xe0\n shrink_dcache_for_umount+0xa0/0x170\n generic_shutdown_super+0x67/0x390\n kill_litter_super+0x76/0xb0\n binderfs_kill_super+0x44/0x90\n deactivate_locked_super+0xb9/0x130\n cleanup_mnt+0x422/0x4c0\n ? lockdep_hardirqs_on+0x9d/0x150\n task_work_run+0x1d2/0x260\n ? __pfx_task_work_run+0x10/0x10\n resume_user_mode_work+0x52/0x60\n syscall_exit_to_user_mode+0x9a/0x120\n do_syscall_64+0x103/0x210\n ? asm_sysvec_apic_timer_interrupt+0x1a/0x20\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0xcac57b\nCode: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8\nRSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\nRAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850\nRBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff\nR10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718\nR13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830\n \u003c/TASK\u003e\n\nAllocated by task 1705:\n kasan_save_track+0x3e/0x80\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc_cache_noprof+0x213/0x3e0\n binderfs_binder_device_create+0x183/0xa80\n binder_ctl_ioctl+0x138/0x190\n __x64_sys_ioctl+0x120/0x1b0\n do_syscall_64+0xf6/0x210\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 1705:\n kasan_save_track+0x3e/0x80\n kasan_save_free_info+0x46/0x50\n __kasan_slab_free+0x62/0x70\n kfree+0x194/0x440\n evict+0x524/0x9f0\n do_unlinkat+0x390/0x5b0\n __x64_sys_unlink+0x47/0x50\n do_syscall_64+0xf6/0x210\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis \u0027stress-ng\u0027 workload causes the concurrent deletions from\n\u0027binder_devices\u0027 and so requires full-featured synchronization\nto prevent list corruption.\n\nI\u0027ve found this issue independently but pretty sure that syzbot did\nthe same, so Reported-by: and Closes: should be applicable here as well.",
"id": "GHSA-vmr3-mc6r-j34f",
"modified": "2025-11-19T21:31:14Z",
"published": "2025-07-04T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38176"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80ed8ab8efa0d18c03968a2321154f10e2d1a2e3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c0a559825281764061a127632e5ad273f0466ad"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aea61a1a77613d4184d7ebe7c1d7cb606458b43b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMV5-H8C6-426P
Vulnerability from github – Published: 2025-04-03 09:32 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
proc: fix UAF in proc_get_inode()
Fix race between rmmod and /proc/XXX's inode instantiation.
The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used.
use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved before proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference.
rmmod lookup
sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod);
if (S_ISREG(inode->i_mode))
if (de->proc_ops->proc_read_iter)
--> As module is already freed, will trigger UAF
BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e
[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
{
"affected": [],
"aliases": [
"CVE-2025-21999"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-03T08:15:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between rmmod and /proc/XXX\u0027s inode instantiation.\n\nThe bug is that pde-\u003eproc_ops don\u0027t belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde-\u003eproc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde-\u003eproc_ops-\u003e... dereference.\n\n rmmod lookup\nsys_delete_module\n proc_lookup_de\n\t\t\t pde_get(de);\n\t\t\t proc_get_inode(dir-\u003ei_sb, de);\n mod-\u003eexit()\n proc_remove\n remove_proc_subtree\n proc_entry_rundown(de);\n free_module(mod);\n\n if (S_ISREG(inode-\u003ei_mode))\n\t if (de-\u003eproc_ops-\u003eproc_read_iter)\n --\u003e As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don\u0027t do 2 atomic ops on the common path]",
"id": "GHSA-vmv5-h8c6-426p",
"modified": "2026-07-14T15:31:20Z",
"published": "2025-04-03T09:32:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21999"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/63b53198aff2e4e6c5866a4ff73c7891f958ffa4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64dc7c68e040251d9ec6e989acb69f8f6ae4a10b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/654b33ada4ab5e926cd9c570196fefa7bec7c1df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/966f331403dc3ed04ff64eaf3930cf1267965e53"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eda279586e571b05dff44d48e05f8977ad05855d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ede3e8ac90ae106f0b29cd759aadebc1568f1308"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMWQ-XC6V-XJ4J
Vulnerability from github – Published: 2022-05-02 03:46 – Updated: 2024-02-15 21:31Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2009-3616"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-10-23T18:30:00Z",
"severity": "HIGH"
},
"details": "Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.",
"id": "GHSA-vmwq-xc6v-xj4j",
"modified": "2024-02-15T21:31:23Z",
"published": "2022-05-02T03:46:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3616"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=501131"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=505641"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=508567"
},
{
"type": "WEB",
"url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5"
},
{
"type": "WEB",
"url": "http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331"
},
{
"type": "WEB",
"url": "http://marc.info/?l=qemu-devel\u0026m=124324043812915"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHEA-2009-1272.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/10/16/8"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/36716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP2F-C695-VXRG
Vulnerability from github – Published: 2024-04-17 12:32 – Updated: 2025-01-07 18:30In the Linux kernel, the following vulnerability has been resolved:
rds: tcp: Fix use-after-free of net in reqsk_timer_handler().
syzkaller reported a warning of netns tracker [0] followed by KASAN splat [1] and another ref tracker warning [1].
syzkaller could not find a repro, but in the log, the only suspicious sequence was as follows:
18:26:22 executing program 1: r0 = socket$inet6_mptcp(0xa, 0x1, 0x106) ... connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)
The notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.
So, the scenario would be:
- unshare(CLONE_NEWNET) creates a per netns tcp listener in rds_tcp_listen_init().
- syz-executor connect()s to it and creates a reqsk.
- syz-executor exit()s immediately.
- netns is dismantled. [0]
- reqsk timer is fired, and UAF happens while freeing reqsk. [1]
- listener is freed after RCU grace period. [2]
Basically, reqsk assumes that the listener guarantees netns safety until all reqsk timers are expired by holding the listener's refcount. However, this was not the case for kernel sockets.
Commit 740ea3c4a0b2 ("tcp: Clean up kernel listener's reqsk in inet_twsk_purge()") fixed this issue only for per-netns ehash.
Let's apply the same fix for the global ehash.
[0]: ref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146) inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119) __sock_create (net/socket.c:1572) rds_tcp_listen_init (net/rds/tcp_listen.c:279) rds_tcp_init_net (net/rds/tcp.c:577) ops_init (net/core/net_namespace.c:137) setup_net (net/core/net_namespace.c:340) copy_net_ns (net/core/net_namespace.c:497) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3429) __x64_sys_unshare (kernel/fork.c:3496) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) ... WARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)
[1]: BUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966) Read of size 8 at addr ffff88801b370400 by task swapper/0/0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) kasan_report (mm/kasan/report.c:603) inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966) reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038) run_timer_softirq (kernel/time/timer.c:2053) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))
Allocated by task 258 on cpu 0 at 83.612050s: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:68) __kasan_slab_alloc (mm/kasan/common.c:343) kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867) copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_name ---truncated---
{
"affected": [],
"aliases": [
"CVE-2024-26865"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-17T11:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\n\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\n\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\n\n 18:26:22 executing program 1:\n r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n ...\n connect$inet6(r0, \u0026(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\n\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\n\nSo, the scenario would be:\n\n 1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n rds_tcp_listen_init().\n 2. syz-executor connect()s to it and creates a reqsk.\n 3. syz-executor exit()s immediately.\n 4. netns is dismantled. [0]\n 5. reqsk timer is fired, and UAF happens while freeing reqsk. [1]\n 6. listener is freed after RCU grace period. [2]\n\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener\u0027s refcount.\nHowever, this was not the case for kernel sockets.\n\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener\u0027s reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\n\nLet\u0027s apply the same fix for the global ehash.\n\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n __sock_create (net/socket.c:1572)\n rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n rds_tcp_init_net (net/rds/tcp.c:577)\n ops_init (net/core/net_namespace.c:137)\n setup_net (net/core/net_namespace.c:340)\n copy_net_ns (net/core/net_namespace.c:497)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n ksys_unshare (kernel/fork.c:3429)\n __x64_sys_unshare (kernel/fork.c:3496)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\n\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n \u003c/IRQ\u003e\n\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---",
"id": "GHSA-vp2f-c695-vxrg",
"modified": "2025-01-07T18:30:42Z",
"published": "2024-04-17T12:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26865"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP2P-WQJ6-25WF
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
net/xen-netback: prevent UAF in xenvif_flush_hash()
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
{
"affected": [],
"aliases": [
"CVE-2024-49936"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/xen-netback: prevent UAF in xenvif_flush_hash()\n\nDuring the list_for_each_entry_rcu iteration call of xenvif_flush_hash,\nkfree_rcu does not exist inside the rcu read critical section, so if\nkfree_rcu is called when the rcu grace period ends during the iteration,\nUAF occurs when accessing head-\u003enext after the entry becomes free.\n\nTherefore, to solve this, you need to change it to list_for_each_entry_safe.",
"id": "GHSA-vp2p-wqj6-25wf",
"modified": "2025-11-04T00:31:42Z",
"published": "2024-10-21T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49936"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fa5e94a1811d68fbffa0725efe6d4ca62c03d12"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3c4423b0c4b98213b3438e15061e1d08220e6982"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54d8639af5568fc41c0e274fc3ec9cf86c59fcbb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0465723b8581cad27164c9073fd780904cd22d4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d408889d4b54f5501e4becc4dbbb9065143fbf4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/efcff6ce7467f01f0753609f420333f3f2ceceda"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP2W-XX74-HPQR
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-10886"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:50Z",
"severity": "CRITICAL"
},
"details": "Use after free in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)",
"id": "GHSA-vp2w-xx74-hpqr",
"modified": "2026-06-05T03:31:30Z",
"published": "2026-06-05T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10886"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/505096898"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP45-9PX8-7XW8
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a memory corruption or arbitrary code execution, allowing attackers to cause a denial-of-service condition or execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2021-32944"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-17T13:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a memory corruption or arbitrary code execution, allowing attackers to cause a denial-of-service condition or execute code in the context of the current process.",
"id": "GHSA-vp45-9px8-7xw8",
"modified": "2022-05-24T19:05:37Z",
"published": "2022-05-24T19:05:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32944"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-365397.pdf"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-987"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-990"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP78-5X9P-M27H
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-01-14 18:31In the Linux kernel, the following vulnerability has been resolved:
KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio
BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269
CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x148/0x1e4 mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
Allocated by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450 [inline] kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
Freed by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102 kvm_iodevice_destructor include/kvm/iodev.h:61 [inline] kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/sys ---truncated---
{
"affected": [],
"aliases": [
"CVE-2021-47341"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio\n\nBUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\nRead of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269\n\nCPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132\n show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x110/0x164 lib/dump_stack.c:118\n print_address_description+0x78/0x5c8 mm/kasan/report.c:385\n __kasan_report mm/kasan/report.c:545 [inline]\n kasan_report+0x148/0x1e4 mm/kasan/report.c:562\n check_memory_region_inline mm/kasan/generic.c:183 [inline]\n __asan_load8+0xb4/0xbc mm/kasan/generic.c:252\n kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nAllocated by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461\n kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475\n kmem_cache_alloc_trace include/linux/slab.h:450 [inline]\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146\n kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]\n el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]\n do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220\n el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367\n el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383\n el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670\n\nFreed by task 4269:\n stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121\n kasan_save_stack mm/kasan/common.c:48 [inline]\n kasan_set_track+0x38/0x6c mm/kasan/common.c:56\n kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355\n __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422\n kasan_slab_free+0x10/0x1c mm/kasan/common.c:431\n slab_free_hook mm/slub.c:1544 [inline]\n slab_free_freelist_hook mm/slub.c:1577 [inline]\n slab_free mm/slub.c:3142 [inline]\n kfree+0x104/0x38c mm/slub.c:4124\n coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102\n kvm_iodevice_destructor include/kvm/iodev.h:61 [inline]\n kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374\n kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186\n kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739\n __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]\n invoke_syscall arch/arm64/kernel/sys\n---truncated---",
"id": "GHSA-vp78-5x9p-m27h",
"modified": "2025-01-14T18:31:49Z",
"published": "2024-05-21T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47341"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/069d44a24c0ff8f85adf49233aae7a8ca16f5c7e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23fa2e46a5556f787ce2ea1a315d3ab93cced204"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/679837dc0abaa2c6e2a7bcd86483e05eee1d5066"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d7c539316d652d217e5e82b89ee204c812a7061"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2ff9d03432fcb160e9f7d4be26174d89de2779a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP7H-G9MH-C77G
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in the read_gif function resulting potential code execution
{
"affected": [],
"aliases": [
"CVE-2017-1000421"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-02T19:29:00Z",
"severity": "CRITICAL"
},
"details": "Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in the read_gif function resulting potential code execution",
"id": "GHSA-vp7h-g9mh-c77g",
"modified": "2022-05-14T01:05:58Z",
"published": "2022-05-14T01:05:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000421"
},
{
"type": "WEB",
"url": "https://github.com/kohler/gifsicle/issues/114"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4084"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPCJ-JQJR-JHJ9
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-38438"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-18T13:15:00Z",
"severity": "HIGH"
},
"details": "A use after free vulnerability in FATEK Automation WinProladder versions 3.30 and prior may be exploited when a valid user opens a malformed project file, which may allow arbitrary code execution.",
"id": "GHSA-vpcj-jqjr-jhj9",
"modified": "2022-05-24T19:17:49Z",
"published": "2022-05-24T19:17:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38438"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-06"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.