CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-VPV3-R9V6-RH28
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2025-11-25 18:32A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
{
"affected": [],
"aliases": [
"CVE-2017-5472"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash. This vulnerability affects Firefox \u003c 54, Firefox ESR \u003c 52.2, and Thunderbird \u003c 52.2.",
"id": "GHSA-vpv3-r9v6-rh28",
"modified": "2025-11-25T18:32:08Z",
"published": "2022-05-14T03:10:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5472"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1440"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1561"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1365602"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3881"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3918"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-15"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-16"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-17"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99040"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038689"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPV9-WG95-RJ96
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-55691"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:50Z",
"severity": "HIGH"
},
"details": "Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-vpv9-wg95-rj96",
"modified": "2025-10-14T18:30:31Z",
"published": "2025-10-14T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55691"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55691"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ28-PR6F-GPM4
Vulnerability from github – Published: 2022-05-14 03:10 – Updated: 2025-11-25 18:32A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
{
"affected": [],
"aliases": [
"CVE-2017-5396"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. This vulnerability affects Thunderbird \u003c 45.7, Firefox ESR \u003c 45.7, and Firefox \u003c 51.",
"id": "GHSA-vq28-pr6f-gpm4",
"modified": "2025-11-25T18:32:07Z",
"published": "2022-05-14T03:10:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5396"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1329403"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201702-13"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201702-22"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3771"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3832"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-01"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-02"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-03"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0190.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0238.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95769"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ3G-6QWH-5WJ2
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_api: use RCU with deferred freeing for action lifecycle
When NEWTFILTER and DELFILTER are run concurrently it is possible to create a race with an associated action.
Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:
0: mutex_lock() <-- holds the idr lock 0: rcu_read_lock() 0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR) 0: mutex_unlock() <-- releases the idr lock 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) <-- Action removed from IDR 1: mutex_unlock() <-- mutex released allowing us to delete the action 1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory
This patch fixes the race condition between NEWTFILTER and DELFILTER by adding struct rcu_head to tc_action used in the deferral and introducing a call_rcu() in the delete path to defer the final kfree().
Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu") but also modernization/simplification to directly use kfree_rcu().
Let's illustrate the new restored code path:
0: rcu_read_lock() 1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held 1: idr_remove(idr, index) 1: mutex_unlock() 1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period 0: p = idr_find(idr, index) 0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0 1: rcu_read_unlock() <-- release so freeing can run after grace period
After CPU1 calls idr_remove(), the object is no longer reachable through the IDR. CPU0's subsequent idr_find() will return NULL, and even if it still held a stale pointer, the immediate kfree() is now deferred until after the RCU grace period, so no UAF can occur.
{
"affected": [],
"aliases": [
"CVE-2026-53264"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:44Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_api: use RCU with deferred freeing for action lifecycle\n\nWhen NEWTFILTER and DELFILTER are run concurrently it is possible to create a\nrace with an associated action.\n\nLet\u0027s illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:\n\n 0: mutex_lock() \u003c-- holds the idr lock\n 0: rcu_read_lock()\n 0: p = idr_find(idr, index) \u003c-- action p is valid (RCU protects IDR)\n 0: mutex_unlock() \u003c-- releases the idr lock\n 1: refcount_dec_and_mutex_lock() \u003c-- refcnt 1-\u003e0, mutex held\n 1: idr_remove(idr, index) \u003c-- Action removed from IDR\n 1: mutex_unlock() \u003c-- mutex released allowing us to delete the action\n 1: tcf_action_cleanup(p); kfree(p) \u003c-- Kfrees p immediately, no deferral\n 0: refcount_inc_not_zero(\u0026p-\u003etcfa_refcnt) \u003c-- ouch, UAF p points to freed memory\n\nThis patch fixes the race condition between NEWTFILTER and DELFILTER by\nadding struct rcu_head to tc_action used in the deferral and introducing a\ncall_rcu() in the delete path to defer the final kfree().\n\nNote: this is a revert of commit d7fb60b9cafb (\"net_sched: get rid of tcfa_rcu\")\nbut also modernization/simplification to directly use kfree_rcu().\n\nLet\u0027s illustrate the new restored code path:\n\n 0: rcu_read_lock()\n 1: refcount_dec_and_mutex_lock() \u003c-- refcnt 1-\u003e0, mutex held\n 1: idr_remove(idr, index)\n 1: mutex_unlock()\n 1: call_rcu(\u0026p-\u003etcfa_rcu, tcf_action_rcu_free) \u003c-- defer kfree after grace period\n 0: p = idr_find(idr, index)\n 0: refcount_inc_not_zero(\u0026p-\u003etcfa_refcnt) \u003c-- fails, refcnt already 0\n 1: rcu_read_unlock() \u003c-- release so freeing can run after grace period\n\nAfter CPU1 calls idr_remove(), the object is no longer reachable through the IDR.\nCPU0\u0027s subsequent idr_find() will return NULL, and even if it still held a\nstale pointer, the immediate kfree() is now deferred until after the RCU grace\nperiod, so no UAF can occur.",
"id": "GHSA-vq3g-6qwh-5wj2",
"modified": "2026-06-28T09:31:47Z",
"published": "2026-06-25T09:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53264"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18af5d2ef0c4f65787fd1280c8b23286b9f2a835"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f1b98fea6b9ea30507d0f2fbff6750292d097e2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5057e1aca011e51ef51498c940ef96f3d3e8a305"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5dd51e09020c65aa53cf128e5e3517cd53b3c113"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b136f18ac4b2ace5aaad3305b3f8a5d8165a009"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91d105d2cbe002f9c7b43a6183adedc37e1da1f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98b2e40879abf0245be5a5b7af69e0f6ff524ac3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b60e9391142e983fab2be53497aa8f71fdd09cd5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ43-XQC9-9RGJ
Vulnerability from github – Published: 2022-05-14 01:12 – Updated: 2022-05-14 01:12A use after free issue was addressed with improved memory management. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.
{
"affected": [],
"aliases": [
"CVE-2018-4314"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-03T18:29:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue affected versions prior to iOS 12, tvOS 12, Safari 12, iTunes 12.9 for Windows, iCloud for Windows 7.7.",
"id": "GHSA-vq43-xqc9-9rgj",
"modified": "2022-05-14T01:12:21Z",
"published": "2022-05-14T01:12:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4314"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209106"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209107"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209109"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209140"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ5W-GMHQ-WGW3
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50353"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:35Z",
"severity": "HIGH"
},
"details": "Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-vq5w-gmhq-wgw3",
"modified": "2026-07-14T18:32:17Z",
"published": "2026-07-14T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50353"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50353"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ6Q-RF95-5QF7
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31Memory corruption while deinitializing a HDCP session.
{
"affected": [],
"aliases": [
"CVE-2025-47339"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:17:03Z",
"severity": "HIGH"
},
"details": "Memory corruption while deinitializing a HDCP session.",
"id": "GHSA-vq6q-rf95-5qf7",
"modified": "2026-01-07T12:31:24Z",
"published": "2026-01-07T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47339"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ7Q-G9C7-HJ87
Vulnerability from github – Published: 2021-12-16 00:00 – Updated: 2021-12-21 00:01In dsi_panel_debugfs_read_cmdset of dsi_panel.c, there is a possible disclosure of freed kernel heap memory due to a use after free. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-187851056References: N/A
{
"affected": [],
"aliases": [
"CVE-2021-1042"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "In dsi_panel_debugfs_read_cmdset of dsi_panel.c, there is a possible disclosure of freed kernel heap memory due to a use after free. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-187851056References: N/A",
"id": "GHSA-vq7q-g9c7-hj87",
"modified": "2021-12-21T00:01:10Z",
"published": "2021-12-16T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1042"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-11-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VQ85-3JQ9-6FCW
Vulnerability from github – Published: 2024-05-08 00:31 – Updated: 2024-05-08 00:31Foxit PDF Reader PDF File Parsing Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of PDF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14659.
{
"affected": [],
"aliases": [
"CVE-2021-34976"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-07T23:15:13Z",
"severity": "LOW"
},
"details": "Foxit PDF Reader PDF File Parsing Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of PDF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-14659.",
"id": "GHSA-vq85-3jq9-6fcw",
"modified": "2024-05-08T00:31:14Z",
"published": "2024-05-08T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34976"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VQ8M-3RP9-WCR4
Vulnerability from github – Published: 2023-08-09 09:30 – Updated: 2024-04-04 06:43Adobe Dimension version 3.4.9 is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-38211"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-09T09:15:13Z",
"severity": "HIGH"
},
"details": "Adobe Dimension version 3.4.9 is affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-vq8m-3rp9-wcr4",
"modified": "2024-04-04T06:43:52Z",
"published": "2023-08-09T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38211"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/dimension/apsb23-44.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.