CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9804 vulnerabilities reference this CWE, most recent first.
GHSA-X9PW-HH7V-WJPF
Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-29 00:01HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry.
{
"affected": [],
"aliases": [
"CVE-2021-46242"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-21T21:15:00Z",
"severity": "HIGH"
},
"details": "HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry.",
"id": "GHSA-x9pw-hh7v-wjpf",
"modified": "2022-01-29T00:01:10Z",
"published": "2022-01-22T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46242"
},
{
"type": "WEB",
"url": "https://github.com/HDFGroup/hdf5/issues/1329"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X9QX-846H-75G8
Vulnerability from github – Published: 2022-05-14 01:18 – Updated: 2025-04-12 13:02The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4582 and CVE-2016-4653.
{
"affected": [],
"aliases": [
"CVE-2016-1863"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-07-22T02:59:00Z",
"severity": "HIGH"
},
"details": "The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4582 and CVE-2016-4653.",
"id": "GHSA-x9qx-846h-75g8",
"modified": "2025-04-12T13:02:43Z",
"published": "2022-05-14T01:18:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1863"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206902"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206903"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206904"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT206905"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/40652"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91828"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036344"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9RV-39RR-F53C
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.
{
"affected": [],
"aliases": [
"CVE-2021-43412"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-07T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in GNU Hurd before 0.9 20210404-9. libports accepts fake notification messages from any client on any port, which can lead to port use-after-free. This can be exploited for local privilege escalation to get full root access.",
"id": "GHSA-x9rv-39rr-f53c",
"modified": "2022-05-24T19:19:56Z",
"published": "2022-05-24T19:19:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43412"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/bug-hurd@gnu.org/msg32116.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X9VG-QJPV-3C38
Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.
{
"affected": [],
"aliases": [
"CVE-2024-23381"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T15:15:47Z",
"severity": "HIGH"
},
"details": "Memory corruption when memory mapped in a VBO is not unmapped by the GPU SMMU.",
"id": "GHSA-x9vg-qjpv-3c38",
"modified": "2024-08-05T15:30:53Z",
"published": "2024-08-05T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23381"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9VM-7P3C-2C8Q
Vulnerability from github – Published: 2022-05-14 03:27 – Updated: 2025-04-20 03:31In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2016-7479"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-12T00:59:00Z",
"severity": "CRITICAL"
},
"details": "In all versions of PHP 7, during the unserialization process, resizing the \u0027properties\u0027 hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.",
"id": "GHSA-x9vm-7p3c-2c8q",
"modified": "2025-04-20T03:31:00Z",
"published": "2022-05-14T03:27:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7479"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1296"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=73092"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180112-0001"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=LDcaPstAuPk"
},
{
"type": "WEB",
"url": "http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7"
},
{
"type": "WEB",
"url": "http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95151"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037659"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9WP-3948-XG4X
Vulnerability from github – Published: 2024-07-16 12:30 – Updated: 2024-08-07 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion().
In this case, the following are the two steps in handling those I/O completions:
-
Call complete() to inform the upper layer handler of completion of the I/O.
-
Release driver resources associated with the sas_task in pm8001_ccb_task_free() call.
When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call.
Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.
{
"affected": [],
"aliases": [
"CVE-2022-48792"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T12:15:03Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n the I/O.\n\n - Release driver resources associated with the sas_task in\n pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering.",
"id": "GHSA-x9wp-3948-xg4x",
"modified": "2024-08-07T21:31:43Z",
"published": "2024-07-16T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48792"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9X2-8G6V-P8FW
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos and Qualcomm chipsets) software. A race condition causes a Use-After-Free. The Samsung ID is SVE-2019-15067 (September 2019).
{
"affected": [],
"aliases": [
"CVE-2019-20568"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-24T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on Samsung mobile devices with O(8.x) and P(9.0) devices (Exynos and Qualcomm chipsets) software. A race condition causes a Use-After-Free. The Samsung ID is SVE-2019-15067 (September 2019).",
"id": "GHSA-x9x2-8g6v-p8fw",
"modified": "2022-05-24T17:12:23Z",
"published": "2022-05-24T17:12:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20568"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X9XC-63HG-VCFQ
Vulnerability from github – Published: 2024-04-05 15:00 – Updated: 2025-04-01 22:59Impact
Code that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. Code that uses the item and then advances the iterator is unaffected. This problem has always existed.
This is a use-after-free bug, so it's rated high severity. If your code uses a pre-3.0.0 version of cassandra-rs, and uses an item returned by a cassandra-rs iterator after calling next() on that iterator, then it is vulnerable. However, such code will almost always fail immediately - so we believe it is unlikely that any code using this pattern would have reached production. For peace of mind, we recommend you upgrade anyway.
Patches
The problem has been fixed in version 3.0.0. Users should upgrade to ensure their code cannot use the problematic pattern.
Workarounds
Ensure all usage fits the expected pattern. For example, use get_first_row() rather than an iterator, or completely process an item before advancing the iterator with next().
References
None.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cassandra-cpp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27284"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-05T15:00:55Z",
"nvd_published_at": "2024-02-29T01:44:19Z",
"severity": "HIGH"
},
"details": "### Impact\nCode that attempts to use an item (e.g., a row) returned by an iterator after the iterator has advanced to the next item will be accessing freed memory and experience undefined behaviour. Code that uses the item and then advances the iterator is unaffected. This problem has always existed.\n\nThis is a use-after-free bug, so it\u0027s rated high severity. If your code uses a pre-3.0.0 version of cassandra-rs, and uses an item returned by a cassandra-rs iterator after calling `next()` on that iterator, then it is vulnerable. However, such code will almost always fail immediately - so we believe it is unlikely that any code using this pattern would have reached production. For peace of mind, we recommend you upgrade anyway.\n\n### Patches\nThe problem has been fixed in version 3.0.0. Users should upgrade to ensure their code cannot use the problematic pattern.\n\n### Workarounds\nEnsure all usage fits the expected pattern. For example, use `get_first_row()` rather than an iterator, or completely process an item before advancing the iterator with `next()`.\n\n### References\nNone.",
"id": "GHSA-x9xc-63hg-vcfq",
"modified": "2025-04-01T22:59:42Z",
"published": "2024-04-05T15:00:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Metaswitch/cassandra-rs/security/advisories/GHSA-x9xc-63hg-vcfq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27284"
},
{
"type": "WEB",
"url": "https://github.com/Metaswitch/cassandra-rs/commit/ae054dc8044eac9c2c7ae2b1ab154b53ca7f8df7"
},
{
"type": "PACKAGE",
"url": "https://github.com/Metaswitch/cassandra-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "cassandra-rs\u0027s non-idiomatic use of iterators leads to use after free"
}
GHSA-X9XH-3FFC-HR3F
Vulnerability from github – Published: 2022-05-24 16:43 – Updated: 2024-04-04 00:02In removeInterfaceAddress of NetworkController.cpp, there is a possible use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-119496789.
{
"affected": [],
"aliases": [
"CVE-2019-2030"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-19T20:29:00Z",
"severity": "CRITICAL"
},
"details": "In removeInterfaceAddress of NetworkController.cpp, there is a possible use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-119496789.",
"id": "GHSA-x9xh-3ffc-hr3f",
"modified": "2024-04-04T00:02:03Z",
"published": "2022-05-24T16:43:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2030"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2019-04-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XC2G-3F28-FMC4
Vulnerability from github – Published: 2023-04-18 00:32 – Updated: 2024-04-04 03:31A Use After Free vulnerability in the routing protocol daemon of Juniper Networks Junos OS and Junos OS Evolved allows a locally authenticated attacker with low privileges to cause Denial of Service (DoS). In a rib sharding scenario the rpd process will crash shortly after specific CLI command is issued. This issue is more likely to occur in a scenario with high route scale (>1M routes). This issue affects: Juniper Networks Junos OS 20.2 version 20.2R3-S5 and later versions prior to 20.2R3-S6; 20.3 version 20.3R3-S2 and later versions prior to 20.3R3-S5; 20.4 version 20.4R3-S1 and later versions prior to 20.4R3-S4 21.1 version 21.1R3 and later versions prior to 21.1R3-S3; 21.2 version 21.2R1-S2, 21.2R2-S1 and later versions prior to 21.2R3-S2; 21.3 version 21.3R2 and later versions prior to 21.3R3; 21.4 versions prior to 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R2. Juniper Networks Junos OS Evolved 20.4-EVO version 20.4R3-S1-EVO and later versions prior to 20.4R3-S6-EVO; 21.2-EVO version 21.2R1-S2-EVO and later versions prior to 21.2R3-S4-EVO; 21.3-EVO version 21.3R2-EVO and later versions prior to 21.3R3-S1-EVO; 21.4-EVO versions prior to 21.4R2-S1-EVO, 21.4R3-EVO; 22.1-EVO versions prior to 22.1R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2023-28980"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-17T22:15:09Z",
"severity": "MODERATE"
},
"details": "A Use After Free vulnerability in the routing protocol daemon of Juniper Networks Junos OS and Junos OS Evolved allows a locally authenticated attacker with low privileges to cause Denial of Service (DoS). In a rib sharding scenario the rpd process will crash shortly after specific CLI command is issued. This issue is more likely to occur in a scenario with high route scale (\u003e1M routes). This issue affects: Juniper Networks Junos OS 20.2 version 20.2R3-S5 and later versions prior to 20.2R3-S6; 20.3 version 20.3R3-S2 and later versions prior to 20.3R3-S5; 20.4 version 20.4R3-S1 and later versions prior to 20.4R3-S4 21.1 version 21.1R3 and later versions prior to 21.1R3-S3; 21.2 version 21.2R1-S2, 21.2R2-S1 and later versions prior to 21.2R3-S2; 21.3 version 21.3R2 and later versions prior to 21.3R3; 21.4 versions prior to 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R2. Juniper Networks Junos OS Evolved 20.4-EVO version 20.4R3-S1-EVO and later versions prior to 20.4R3-S6-EVO; 21.2-EVO version 21.2R1-S2-EVO and later versions prior to 21.2R3-S4-EVO; 21.3-EVO version 21.3R2-EVO and later versions prior to 21.3R3-S1-EVO; 21.4-EVO versions prior to 21.4R2-S1-EVO, 21.4R3-EVO; 22.1-EVO versions prior to 22.1R2-EVO.",
"id": "GHSA-xc2g-3f28-fmc4",
"modified": "2024-04-04T03:31:44Z",
"published": "2023-04-18T00:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28980"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA70606"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.