CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-X3GH-Q355-F5PX
Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-18 18:31In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers.
For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.
{
"affected": [],
"aliases": [
"CVE-2026-23191"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-14T17:15:56Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable-\u003elock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF.",
"id": "GHSA-x3gh-q355-f5px",
"modified": "2026-03-18T18:31:11Z",
"published": "2026-02-14T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23191"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X3Q6-6368-92WM
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-05-24 16:54Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2019-8058"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-20T21:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-x3q6-6368-92wm",
"modified": "2022-05-24T16:54:16Z",
"published": "2022-05-24T16:54:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8058"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-41.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X3Q7-35R8-P299
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-22 00:01MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.
{
"affected": [],
"aliases": [
"CVE-2022-27447"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-14T13:15:00Z",
"severity": "HIGH"
},
"details": "MariaDB Server v10.9 and below was discovered to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h.",
"id": "GHSA-x3q7-35r8-p299",
"modified": "2022-04-22T00:01:01Z",
"published": "2022-04-15T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27447"
},
{
"type": "WEB",
"url": "https://jira.mariadb.org/browse/MDEV-28099"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220526-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X3QG-8V4M-CFV7
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-02-27 21:32In the Linux kernel, the following vulnerability has been resolved:
cgroup: Use separate src/dst nodes when preloading css_sets for migration
Each cset (css_set) is pinned by its tasks. When we're moving tasks around across csets for a migration, we need to hold the source and destination csets to ensure that they don't go away while we're moving tasks about. This is done by linking cset->mg_preload_node on either the mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the same cset->mg_preload_node for both the src and dst lists was deemed okay as a cset can't be both the source and destination at the same time.
Unfortunately, this overloading becomes problematic when multiple tasks are involved in a migration and some of them are identity noop migrations while others are actually moving across cgroups. For example, this can happen with the following sequence on cgroup1:
#1> mkdir -p /sys/fs/cgroup/misc/a/b #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS & #4> PID=$! #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
the process including the group leader back into a. In this final migration, non-leader threads would be doing identity migration while the group leader is doing an actual one.
After #3, let's say the whole process was in cset A, and that after #4, the leader moves to cset B. Then, during #6, the following happens:
-
cgroup_migrate_add_src() is called on B for the leader.
-
cgroup_migrate_add_src() is called on A for the other threads.
-
cgroup_migrate_prepare_dst() is called. It scans the src list.
-
It notices that B wants to migrate to A, so it tries to A to the dst list but realizes that its ->mg_preload_node is already busy.
-
and then it notices A wants to migrate to A as it's an identity migration, it culls it by list_del_init()'ing its ->mg_preload_node and putting references accordingly.
-
The rest of migration takes place with B on the src list but nothing on the dst list.
This means that A isn't held while migration is in progress. If all tasks leave A before the migration finishes and the incoming task pins it, the cset will be destroyed leading to use-after-free.
This is caused by overloading cset->mg_preload_node for both src and dst preload lists. We wanted to exclude the cset from the src list but ended up inadvertently excluding it from the dst list too.
This patch fixes the issue by separating out cset->mg_preload_node into ->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst preloadings don't interfere with each other.
{
"affected": [],
"aliases": [
"CVE-2022-49647"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:39Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Use separate src/dst nodes when preloading css_sets for migration\n\nEach cset (css_set) is pinned by its tasks. When we\u0027re moving tasks around\nacross csets for a migration, we need to hold the source and destination\ncsets to ensure that they don\u0027t go away while we\u0027re moving tasks about. This\nis done by linking cset-\u003emg_preload_node on either the\nmgctx-\u003epreloaded_src_csets or mgctx-\u003epreloaded_dst_csets list. Using the\nsame cset-\u003emg_preload_node for both the src and dst lists was deemed okay as\na cset can\u0027t be both the source and destination at the same time.\n\nUnfortunately, this overloading becomes problematic when multiple tasks are\ninvolved in a migration and some of them are identity noop migrations while\nothers are actually moving across cgroups. For example, this can happen with\nthe following sequence on cgroup1:\n\n #1\u003e mkdir -p /sys/fs/cgroup/misc/a/b\n #2\u003e echo $$ \u003e /sys/fs/cgroup/misc/a/cgroup.procs\n #3\u003e RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS \u0026\n #4\u003e PID=$!\n #5\u003e echo $PID \u003e /sys/fs/cgroup/misc/a/b/tasks\n #6\u003e echo $PID \u003e /sys/fs/cgroup/misc/a/cgroup.procs\n\nthe process including the group leader back into a. In this final migration,\nnon-leader threads would be doing identity migration while the group leader\nis doing an actual one.\n\nAfter #3, let\u0027s say the whole process was in cset A, and that after #4, the\nleader moves to cset B. Then, during #6, the following happens:\n\n 1. cgroup_migrate_add_src() is called on B for the leader.\n\n 2. cgroup_migrate_add_src() is called on A for the other threads.\n\n 3. cgroup_migrate_prepare_dst() is called. It scans the src list.\n\n 4. It notices that B wants to migrate to A, so it tries to A to the dst\n list but realizes that its -\u003emg_preload_node is already busy.\n\n 5. and then it notices A wants to migrate to A as it\u0027s an identity\n migration, it culls it by list_del_init()\u0027ing its -\u003emg_preload_node and\n putting references accordingly.\n\n 6. The rest of migration takes place with B on the src list but nothing on\n the dst list.\n\nThis means that A isn\u0027t held while migration is in progress. If all tasks\nleave A before the migration finishes and the incoming task pins it, the\ncset will be destroyed leading to use-after-free.\n\nThis is caused by overloading cset-\u003emg_preload_node for both src and dst\npreload lists. We wanted to exclude the cset from the src list but ended up\ninadvertently excluding it from the dst list too.\n\nThis patch fixes the issue by separating out cset-\u003emg_preload_node into\n-\u003emg_src_preload_node and -\u003emg_dst_preload_node, so that the src and dst\npreloadings don\u0027t interfere with each other.",
"id": "GHSA-x3qg-8v4m-cfv7",
"modified": "2025-02-27T21:32:15Z",
"published": "2025-02-27T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49647"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07fd5b6cdf3cc30bfde8fe0f644771688be04447"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e41774b564befa6d271e8d5086bf870d617a4e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54aee4e5ce8c21555286a6333e46c1713880cf93"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7657e3958535d101a24ab4400f9b8062b9107cc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad44e05f3e016bdcb1ad25af35ade5b5f41ccd68"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cec2bbdcc14fbaa6b95ee15a7c423b05d97038be"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X3QJ-5VWP-JFH8
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-20 00:00MariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.
{
"affected": [],
"aliases": [
"CVE-2022-27376"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T20:15:00Z",
"severity": "HIGH"
},
"details": "MariaDB Server v10.6.5 and below was discovered to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements.",
"id": "GHSA-x3qj-5vwp-jfh8",
"modified": "2022-04-20T00:00:48Z",
"published": "2022-04-13T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27376"
},
{
"type": "WEB",
"url": "https://jira.mariadb.org/browse/MDEV-26354"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220519-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X3QV-MVH4-MGQ3
Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2024-12-19 00:37Acrobat Reader DC version 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-44520"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-19T00:15:06Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC version 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-x3qv-mvh4-mgq3",
"modified": "2024-12-19T00:37:36Z",
"published": "2024-12-19T00:37:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44520"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X3VJ-997J-97HQ
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.
{
"affected": [],
"aliases": [
"CVE-2020-27207"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-26T17:15:00Z",
"severity": "HIGH"
},
"details": "Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.",
"id": "GHSA-x3vj-997j-97hq",
"modified": "2022-05-24T17:34:58Z",
"published": "2022-05-24T17:34:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27207"
},
{
"type": "WEB",
"url": "https://github.com/sqlcipher/sqlcipher/compare/v4.4.0...v4.4.1"
},
{
"type": "WEB",
"url": "https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/security/details/advisories-504842"
},
{
"type": "WEB",
"url": "https://www.telekom.com/resource/blob/612796/9f221708832a465f03585a45d7f59b45/dl-201112-denial-of-serviceen-data.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X3W9-8C2F-CCVJ
Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-12-31 21:30In the Linux kernel, the following vulnerability has been resolved:
ax25: fix use-after-free bugs caused by ax25_ds_del_timer
When the ax25 device is detaching, the ax25_dev_device_down() calls ax25_ds_del_timer() to cleanup the slave_timer. When the timer handler is running, the ax25_ds_del_timer() that calls del_timer() in it will return directly. As a result, the use-after-free bugs could happen, one of the scenarios is shown below:
(Thread 1) | (Thread 2)
| ax25_ds_timeout()
ax25_dev_device_down() | ax25_ds_del_timer() | del_timer() | ax25_dev_put() //FREE | | ax25_dev-> //USE
In order to mitigate bugs, when the device is detaching, use timer_shutdown_sync() to stop the timer.
{
"affected": [],
"aliases": [
"CVE-2024-35887"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T09:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-\u003e //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.",
"id": "GHSA-x3w9-8c2f-ccvj",
"modified": "2024-12-31T21:30:44Z",
"published": "2024-05-19T09:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35887"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X43W-PH7M-PFJX
Vulnerability from github – Published: 2026-02-25 19:23 – Updated: 2026-02-25 19:23All versions of this crate have function deregister_command which can result in use after free. This is unsound.
In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads.
In addition, the hexchat crate is no longer actively maintained. If users rely on this crate, consider switching to an alternative.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "hexchat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T19:23:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All versions of this crate have function `deregister_command` which can result in use after free. This is unsound.\n\nIn addition, all versions since 0.3.0 have \"safe\" macros, which are documented as unsafe to use in threads.\n\nIn addition, the `hexchat` crate is no longer actively maintained. If users rely on this crate, consider switching to an alternative.",
"id": "GHSA-x43w-ph7m-pfjx",
"modified": "2026-02-25T19:23:47Z",
"published": "2026-02-25T19:23:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pie-flavor/hexchat-rs/issues/3"
},
{
"type": "PACKAGE",
"url": "https://github.com/pie-flavor/hexchat-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0153.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "hexchat crate has a Use After Free vulnerability"
}
GHSA-X444-83WH-35RX
Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-03-27 18:31In the Linux kernel, the following vulnerability has been resolved:
net: fix UaF in netns ops registration error path
If net_assign_generic() fails, the current error path in ops_init() tries to clear the gen pointer slot. Anyway, in such error path, the gen pointer itself has not been modified yet, and the existing and accessed one is smaller than the accessed index, causing an out-of-bounds error:
BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320 Write of size 8 at addr ffff888109124978 by task modprobe/1018
CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: dump_stack_lvl+0x6a/0x9f print_address_description.constprop.0+0x86/0x2b5 print_report+0x11b/0x1fb kasan_report+0x87/0xc0 ops_init+0x2de/0x320 register_pernet_operations+0x2e4/0x750 register_pernet_subsys+0x24/0x40 tcf_register_action+0x9f/0x560 do_one_initcall+0xf9/0x570 do_init_module+0x190/0x650 load_module+0x1fa5/0x23c0 __do_sys_finit_module+0x10d/0x1b0 do_syscall_64+0x58/0x80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f42518f778d Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003 RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000
This change addresses the issue by skipping the gen pointer de-reference in the mentioned error-path.
Found by code inspection and verified with explicit error injection on a kasan-enabled kernel.
{
"affected": [],
"aliases": [
"CVE-2023-52999"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T17:15:48Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix UaF in netns ops registration error path\n\nIf net_assign_generic() fails, the current error path in ops_init() tries\nto clear the gen pointer slot. Anyway, in such error path, the gen pointer\nitself has not been modified yet, and the existing and accessed one is\nsmaller than the accessed index, causing an out-of-bounds error:\n\n BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320\n Write of size 8 at addr ffff888109124978 by task modprobe/1018\n\n CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6a/0x9f\n print_address_description.constprop.0+0x86/0x2b5\n print_report+0x11b/0x1fb\n kasan_report+0x87/0xc0\n ops_init+0x2de/0x320\n register_pernet_operations+0x2e4/0x750\n register_pernet_subsys+0x24/0x40\n tcf_register_action+0x9f/0x560\n do_one_initcall+0xf9/0x570\n do_init_module+0x190/0x650\n load_module+0x1fa5/0x23c0\n __do_sys_finit_module+0x10d/0x1b0\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n RIP: 0033:0x7f42518f778d\n Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48\n 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff\n ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d\n RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003\n RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000\n R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nThis change addresses the issue by skipping the gen pointer\nde-reference in the mentioned error-path.\n\nFound by code inspection and verified with explicit error injection\non a kasan-enabled kernel.",
"id": "GHSA-x444-83wh-35rx",
"modified": "2025-03-27T18:31:27Z",
"published": "2025-03-27T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52999"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12075708f2e77ee6a9f8bb2cf512c38be3099794"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66689a72ba73575e76d4f6a8748d3fa2690ec1c4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71ab9c3e2253619136c31c89dbb2c69305cc89b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad0dfe9bcf0d78e699c7efb64c90ed062dc48bea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d4c008f3b7f7d4ffd311eb2dae5e75b3cbddacd0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ddd49cbbd4c1ceb38032018b589b44208e54f55e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.