Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-W3GF-4959-2377

Vulnerability from github – Published: 2026-06-25 03:31 – Updated: 2026-06-25 03:31
VLAI
Details

sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T01:16:26Z",
    "severity": "HIGH"
  },
  "details": "sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().",
  "id": "GHSA-w3gf-4959-2377",
  "modified": "2026-06-25T03:31:40Z",
  "published": "2026-06-25T03:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57589"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbsd/src/commit/1957873d2063db11dab780eca75b5e629d1e838d"
    },
    {
      "type": "WEB",
      "url": "https://openai.com/index/patch-the-planet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3H2-4JRJ-6MCC

Vulnerability from github – Published: 2023-08-24 18:30 – Updated: 2024-04-04 07:10
VLAI
Details

A potential use-after-free vulnerability existed in SVG Images if the Refresh Driver was destroyed at an inopportune time. This could have lead to memory corruption or a potentially exploitable crash. Note: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-24T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "A potential use-after-free vulnerability existed in SVG Images if the Refresh Driver was destroyed at an inopportune time.  This could have lead to memory corruption or a potentially exploitable crash.\n*Note*: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox \u003c 106.",
  "id": "GHSA-w3h2-4jrj-6mcc",
  "modified": "2024-04-04T07:10:41Z",
  "published": "2023-08-24T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46884"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1786818"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-44"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3H3-52FR-JJHW

Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-21 21:31
VLAI
Details

Use after free in Sign-In Flow in Google Chrome prior to 104.0.5112.101 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-26T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Sign-In Flow in Google Chrome prior to 104.0.5112.101 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction.",
  "id": "GHSA-w3h3-52fr-jjhw",
  "modified": "2025-05-21T21:31:07Z",
  "published": "2022-09-27T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2858"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1341918"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3H3-5P95-FV5G

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

Use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-4179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-10-10T17:55:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.",
  "id": "GHSA-w3h3-5p95-fv5g",
  "modified": "2022-05-13T01:23:43Z",
  "published": "2022-05-13T01:23:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4179"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=785574"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79157"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16882"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-1351.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50856"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50892"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50904"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50935"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50936"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50984"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/51181"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/55318"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2565"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2569"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2572"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2012:163"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2012/mfsa2012-85.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1611-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W3H4-VPFJ-X3XQ

Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2025-04-20 03:31
VLAI
Details

libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-27T22:59:00Z",
    "severity": "MODERATE"
  },
  "details": "libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.",
  "id": "GHSA-w3h4-vpfj-x3xq",
  "modified": "2025-04-20T03:31:39Z",
  "published": "2022-05-14T01:14:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libical/libical/issues/235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libical/libical/issues/251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libical/libical/issues/286"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0269"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0270"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1275400"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201904-02"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201904-07"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3897-1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/25/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/01/20/16"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91459"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3HV-RWGR-CRX3

Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-08-29 21:31
VLAI
Details

bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T01:42:05Z",
    "severity": "HIGH"
  },
  "details": "bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.",
  "id": "GHSA-w3hv-rwgr-crx3",
  "modified": "2024-08-29T21:31:01Z",
  "published": "2024-02-29T03:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51779"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/2e07e8348ea454615e268222ae3fc240421be768"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3J7-W57F-MRWQ

Vulnerability from github – Published: 2023-08-03 18:30 – Updated: 2024-05-22 18:30
VLAI
Details

A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T15:15:33Z",
    "severity": "MODERATE"
  },
  "details": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.",
  "id": "GHSA-w3j7-w57f-mrwq",
  "modified": "2024-05-22T18:30:37Z",
  "published": "2023-08-03T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2394"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2950"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3138"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4133"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3JP-CXWR-6JWC

Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-12 18:30
VLAI
Details

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-11T21:18:59Z",
    "severity": "MODERATE"
  },
  "details": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets.",
  "id": "GHSA-w3jp-cxwr-6jwc",
  "modified": "2026-05-12T18:30:37Z",
  "published": "2026-05-11T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28994"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127110"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127111"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127115"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127116"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127117"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127118"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/127119"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3MR-X868-44RJ

Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2024-02-02 18:30
VLAI
Details

Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of service and possibly execute arbitrary code via a sequence of "Get NCP Extension Information By Name" requests that cause one thread to operate on memory after it has been freed in another thread, which triggers memory corruption, aka Novell Bug 373852.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-12T21:09:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of service and possibly execute arbitrary code via a sequence of \"Get NCP Extension Information By Name\" requests that cause one thread to operate on memory after it has been freed in another thread, which triggers memory corruption, aka Novell Bug 373852.",
  "id": "GHSA-w3mr-x868-44rj",
  "modified": "2024-02-02T18:30:20Z",
  "published": "2022-05-17T02:18:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5038"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46138"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=748"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/48206"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32395"
    },
    {
      "type": "WEB",
      "url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037180.html"
    },
    {
      "type": "WEB",
      "url": "http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037181.html"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/support/viewContent.do?externalId=3426981"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31956"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021117"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2937"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3RC-7C7W-5VQ5

Vulnerability from github – Published: 2024-07-29 15:30 – Updated: 2025-09-25 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer work in bpf_timer_cancel_and_free

Currently, the same case as previous patch (two timer callbacks trying to cancel each other) can be invoked through bpf_map_update_elem as well, or more precisely, freeing map elements containing timers. Since this relies on hrtimer_cancel as well, it is prone to the same deadlock situation as the previous patch.

It would be sufficient to use hrtimer_try_to_cancel to fix this problem, as the timer cannot be enqueued after async_cancel_and_free. Once async_cancel_and_free has been done, the timer must be reinitialized before it can be armed again. The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again.

However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). In such a case, if the timer expiration is significantly far in the future, the RCU grace period expiration happening before it will free the bpf_hrtimer state and along with it the struct hrtimer, that is enqueued.

Hence, it is clear cancellation needs to occur after async_cancel_and_free, and yet it cannot be done inline due to deadlock issues. We thus modify bpf_timer_cancel_and_free to defer work to the global workqueue, adding a work_struct alongside rcu_head (both used at different points of time, so can share space).

Update existing code comments to reflect the new state of affairs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T15:15:12Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs.",
  "id": "GHSA-w3rc-7c7w-5vq5",
  "modified": "2025-09-25T21:30:19Z",
  "published": "2024-07-29T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41045"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.