Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-W586-CVCH-P9CH

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-11-01 12:00
VLAI
Details

A flaw was found in SQLite's SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in SQLite\u0027s SELECT query functionality (src/select.c). This flaw allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-w586-cvch-p9ch",
  "modified": "2022-11-01T12:00:33Z",
  "published": "2022-05-24T17:45:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20227"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1924886"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202103-04"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-40"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210423-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sqlite.org/releaselog/3_34_1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W594-5GJ3-F9G6

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory.

In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T10:16:20Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data.  If\nthe filesystem is corrupted, an inode\u0027s i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n  - i_size was 1099511627576 bytes (~1TB)\n  - Actual inline data capacity (id_count) is typically \u003c256 bytes\n  - A garbage rec_len (54648) caused ctx-\u003epos to jump out of bounds\n  - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size \u003c= id_count.  This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data.",
  "id": "GHSA-w594-5gj3-f9g6",
  "modified": "2026-06-01T18:31:29Z",
  "published": "2026-05-06T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43076"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/131c0b573e1b467b7d553e9ff38003f1acd8f5f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcd46bc261b215b3b12c557a978299eafa02ecdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d012c782abcabe68b5b9e71be58a15e9f9d83dc1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W59X-6CPG-PX75

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA Forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13092.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XFA Forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13092.",
  "id": "GHSA-w59x-6cpg-px75",
  "modified": "2022-05-24T19:01:43Z",
  "published": "2022-05-24T19:01:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31453"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-542"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W5F2-X256-Q5RW

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30
VLAI
Details

Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:17:36Z",
    "severity": "HIGH"
  },
  "details": "Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network.",
  "id": "GHSA-w5f2-x256-q5rw",
  "modified": "2026-06-09T18:30:55Z",
  "published": "2026-06-09T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47654"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47654"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5F4-M5JQ-X4XP

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 18:31
VLAI
Details

Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11304"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T00:17:08Z",
    "severity": "HIGH"
  },
  "details": "Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low)",
  "id": "GHSA-w5f4-m5jq-x4xp",
  "modified": "2026-06-05T18:31:39Z",
  "published": "2026-06-05T00:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11304"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/504418475"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5FV-J786-WHP9

Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:01
VLAI
Details

Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlier) are affected by an use-after-free vulnerability in the processing of Format event actions that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlier) are affected by an use-after-free vulnerability in the processing of Format event actions that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-w5fv-j786-whp9",
  "modified": "2022-01-22T00:01:53Z",
  "published": "2022-01-15T00:01:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45051"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/bridge/apsb22-03.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W5G9-6V5H-28CV

Vulnerability from github – Published: 2025-07-04 12:30 – Updated: 2025-11-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix yet another UAF in binder_devices

Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed:

================================================================== BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binder_remove_device+0xd4/0x100 binderfs_evict_inode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentry_unlink_inode+0x208/0x46c __dentry_kill+0x154/0x530 [...]

Allocated by task 463: __kmalloc_cache_noprof+0x13c/0x324 binderfs_binder_device_create.isra.0+0x138/0xa60 binder_ctl_ioctl+0x1ac/0x230 [...]

Freed by task 215: kfree+0x184/0x31c binder_proc_dec_tmpref+0x33c/0x4ac binder_deferred_func+0xc10/0x1108 process_one_work+0x520/0xba4 [...] ==================================================================

Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T11:15:51Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix yet another UAF in binder_devices\n\nCommit e77aff5528a18 (\"binderfs: fix use-after-free in binder_devices\")\naddressed a use-after-free where devices could be released without first\nbeing removed from the binder_devices list. However, there is a similar\npath in binder_free_proc() that was missed:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100\n  Write of size 8 at addr ffff0000c773b900 by task umount/467\n  CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   binder_remove_device+0xd4/0x100\n   binderfs_evict_inode+0x230/0x2f0\n   evict+0x25c/0x5dc\n   iput+0x304/0x480\n   dentry_unlink_inode+0x208/0x46c\n   __dentry_kill+0x154/0x530\n   [...]\n\n  Allocated by task 463:\n   __kmalloc_cache_noprof+0x13c/0x324\n   binderfs_binder_device_create.isra.0+0x138/0xa60\n   binder_ctl_ioctl+0x1ac/0x230\n  [...]\n\n  Freed by task 215:\n   kfree+0x184/0x31c\n   binder_proc_dec_tmpref+0x33c/0x4ac\n   binder_deferred_func+0xc10/0x1108\n   process_one_work+0x520/0xba4\n  [...]\n  ==================================================================\n\nCall binder_remove_device() within binder_free_proc() to ensure the\ndevice is removed from the binder_devices list before being kfreed.",
  "id": "GHSA-w5g9-6v5h-28cv",
  "modified": "2025-11-19T21:31:14Z",
  "published": "2025-07-04T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38175"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a7694f499cae5b83412c5281bf2c961f34f2ed6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72a726fb5f25fbb31d6060acfb671c1955831245"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9857af0fcff385c75433f2162c30c62eb912ef6d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5HV-G8P5-VWJR

Vulnerability from github – Published: 2023-09-06 00:30 – Updated: 2025-05-05 18:32
VLAI
Details

Use after free in Networks in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-05T22:15:09Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Networks in Google Chrome prior to 116.0.5845.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-w5hv-g8p5-vwjr",
  "modified": "2025-05-05T18:32:47Z",
  "published": "2023-09-06T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4763"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1469928"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27NR3KG553CG6LGPMP6SHWEVHTYPL6RC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202312-07"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-34"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5J3-3J83-3J22

Vulnerability from github – Published: 2024-07-16 12:30 – Updated: 2024-08-07 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: fix use-after-free

If no firmware was present at all (or, presumably, all of the firmware files failed to parse), we end up unbinding by calling device_release_driver(), which calls remove(), which then in iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However the new code I added will still erroneously access it after it was freed.

Set 'failure=false' in this case to avoid the access, all data was already freed anyway.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-16T12:15:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: fix use-after-free\n\nIf no firmware was present at all (or, presumably, all of the\nfirmware files failed to parse), we end up unbinding by calling\ndevice_release_driver(), which calls remove(), which then in\niwlwifi calls iwl_drv_stop(), freeing the \u0027drv\u0027 struct. However\nthe new code I added will still erroneously access it after it\nwas freed.\n\nSet \u0027failure=false\u0027 in this case to avoid the access, all data\nwas already freed anyway.",
  "id": "GHSA-w5j3-3j83-3j22",
  "modified": "2024-08-07T21:31:43Z",
  "published": "2024-07-16T12:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48787"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/008508c16af0087cda0394e1ac6f0493b01b6063"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/494de920d98f125b099f27a2d274850750aff957"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d6475179b85a83186ccce59cdc359d4f07d0bcb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9958b9cbb22145295ee1ffaea0904c383da2c05d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bea2662e7818e15d7607d17d57912ac984275d94"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3b98fe36f8a06ce654049540773256ab59cb53d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddd46059f7d99119b62d44c519df7a79f2e6a515"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5JC-3VGP-F4C9

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix missing cleanup on rollforward recovery error

In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug.

It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed.

Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:05Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix missing cleanup on rollforward recovery error\n\nIn an error injection test of a routine for mount-time recovery, KASAN\nfound a use-after-free bug.\n\nIt turned out that if data recovery was performed using partial logs\ncreated by dsync writes, but an error occurred before starting the log\nwriter to create a recovered checkpoint, the inodes whose data had been\nrecovered were left in the ns_dirty_files list of the nilfs object and\nwere not freed.\n\nFix this issue by cleaning up inodes that have read the recovery data if\nthe recovery routine fails midway before the log writer starts.",
  "id": "GHSA-w5jc-3vgp-f4c9",
  "modified": "2025-11-04T00:31:29Z",
  "published": "2024-09-18T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46781"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07e4dc2fe000ab008bcfe90be4324ef56b5b4355"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1cf1f7e8cd47244fa947d357ef1f642d91e219a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35a9a7a7d94662146396199b0cfd95f9517cdd14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5787fcaab9eb5930f5378d6a1dd03d916d146622"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e2d1e9d93c4ec51354229361ac3373058529ec4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d8c3a585d564d776ee60d4aabec59b404be7403"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca92c4bff2833cb30d493b935168d6cccd5c805d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da02f9eb333333b2e4f25d2a14967cff785ac82e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.