Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9806 vulnerabilities reference this CWE, most recent first.

GHSA-XJMH-6WP6-74Q8

Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2024-11-27 18:34
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

idpf: avoid vport access in idpf_get_link_ksettings

When the device control plane is removed or the platform running device control plane is rebooted, a reset is detected on the driver. On driver reset, it releases the resources and waits for the reset to complete. If the reset fails, it takes the error path and releases the vport lock. At this time if the monitoring tools tries to access link settings, it call traces for accessing released vport pointer.

To avoid it, move link_speed_mbps to netdev_priv structure which removes the dependency on vport pointer and the vport lock in idpf_get_link_ksettings. Also use netif_carrier_ok() to check the link status and adjust the offsetof to use link_up instead of link_speed_mbps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T02:16:29Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: avoid vport access in idpf_get_link_ksettings\n\nWhen the device control plane is removed or the platform\nrunning device control plane is rebooted, a reset is detected\non the driver. On driver reset, it releases the resources and\nwaits for the reset to complete. If the reset fails, it takes\nthe error path and releases the vport lock. At this time if the\nmonitoring tools tries to access link settings, it call traces\nfor accessing released vport pointer.\n\nTo avoid it, move link_speed_mbps to netdev_priv structure\nwhich removes the dependency on vport pointer and the vport lock\nin idpf_get_link_ksettings. Also use netif_carrier_ok()\nto check the link status and adjust the offsetof to use link_up\ninstead of link_speed_mbps.",
  "id": "GHSA-xjmh-6wp6-74q8",
  "modified": "2024-11-27T18:34:00Z",
  "published": "2024-11-19T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50274"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81d2fb4c7c18a3b36ba3e00b9d5b753107472d75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa4d906ad0fb63a980a1d586a061c78ea1a345ba"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJR6-8999-VR65

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-25 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Free buffers when a used dynamic event is removed

After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob.

The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used.

To show how this can be an issue, the following can crash the kernel:

# cd /sys/kernel/tracing # for i in seq 65536; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done

For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same.

Now that means deleting one dynamic event and created another will reuse the previous events type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event which reads the do_sys_openat2 function call's first parameter as an integer.

# echo 1 > kprobes/foo/enable # cat /etc/passwd > /dev/null # cat trace cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196 # echo 0 > kprobes/foo/enable

Now if we delete the kprobe and create a new one that reads a string:

# echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events

And now we can the trace:

# cat trace sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������" cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="��������������������������������������� ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:12Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Free buffers when a used dynamic event is removed\n\nAfter 65536 dynamic events have been added and removed, the \"type\" field\nof the event then uses the first type number that is available (not\ncurrently used by other events). A type number is the identifier of the\nbinary blobs in the tracing ring buffer (known as events) to map them to\nlogic that can parse the binary blob.\n\nThe issue is that if a dynamic event (like a kprobe event) is traced and\nis in the ring buffer, and then that event is removed (because it is\ndynamic, which means it can be created and destroyed), if another dynamic\nevent is created that has the same number that new event\u0027s logic on\nparsing the binary blob will be used.\n\nTo show how this can be an issue, the following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # for i in `seq 65536`; do\n     echo \u0027p:kprobes/foo do_sys_openat2 $arg1:u32\u0027 \u003e kprobe_events\n # done\n\nFor every iteration of the above, the writing to the kprobe_events will\nremove the old event and create a new one (with the same format) and\nincrease the type number to the next available on until the type number\nreaches over 65535 which is the max number for the 16 bit type. After it\nreaches that number, the logic to allocate a new number simply looks for\nthe next available number. When an dynamic event is removed, that number\nis then available to be reused by the next dynamic event created. That is,\nonce the above reaches the max number, the number assigned to the event in\nthat loop will remain the same.\n\nNow that means deleting one dynamic event and created another will reuse\nthe previous events type number. This is where bad things can happen.\nAfter the above loop finishes, the kprobes/foo event which reads the\ndo_sys_openat2 function call\u0027s first parameter as an integer.\n\n # echo 1 \u003e kprobes/foo/enable\n # cat /etc/passwd \u003e /dev/null\n # cat trace\n             cat-2211    [005] ....  2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n             cat-2211    [005] ....  2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n             cat-2211    [005] ....  2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n             cat-2211    [005] ....  2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n # echo 0 \u003e kprobes/foo/enable\n\nNow if we delete the kprobe and create a new one that reads a string:\n\n # echo \u0027p:kprobes/foo do_sys_openat2 +0($arg2):string\u0027 \u003e kprobe_events\n\nAnd now we can the trace:\n\n # cat trace\n        sendmail-1942    [002] .....   530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=             cat-2046    [004] .....   530.930817: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\n             cat-2046    [004] .....   530.930961: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\n             cat-2046    [004] .....   530.934278: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\n             cat-2046    [004] .....   530.934563: foo: (do_sys_openat2+0x0/0x240) arg1=\"\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n---truncated---",
  "id": "GHSA-xjr6-8999-vr65",
  "modified": "2024-10-25T15:31:26Z",
  "published": "2024-10-21T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49006"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1603feac154ff38514e8354e3079a455eb4801e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/417d5ea6e735e5d88ffb6c436cf2938f3f476dd1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4313e5a613049dfc1819a6dfb5f94cf2caff9452"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c52d0c8c4f38f7580cff61c4dfe1034c580cedfd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJR6-HX73-V76X

Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49
VLAI
Details

Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-30T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-xjr6-hx73-v76x",
  "modified": "2022-05-24T17:49:23Z",
  "published": "2022-05-24T17:49:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21232"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1175058"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAJ42L4JFPBJATCZ7MOZQTUDGV4OEHHG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3GZ42MYPGD35V652ZPVPYYS7A7LVXVY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUZBGKGVZADNA3I24NVG7HAYYUTOSN5A"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202104-08"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4911"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XJXC-H2MP-HQG8

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-18 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/srpt: Fix a use-after-free

Change the LIO port members inside struct srpt_port from regular members into pointers. Allocate the LIO port data structures from inside srpt_make_tport() and free these from inside srpt_make_tport(). Keep struct srpt_device as long as either an RDMA port or a LIO target port is associated with it. This patch decouples the lifetime of struct srpt_port (controlled by the RDMA core) and struct srpt_port_id (controlled by LIO). This patch fixes the following KASAN complaint:

BUG: KASAN: use-after-free in srpt_enable_tpg+0x31/0x70 [ib_srpt] Read of size 8 at addr ffff888141cc34b8 by task check/5093

Call Trace: show_stack+0x4e/0x53 dump_stack_lvl+0x51/0x66 print_address_description.constprop.0.cold+0xea/0x41e print_report.cold+0x90/0x205 kasan_report+0xb9/0xf0 __asan_load8+0x69/0x90 srpt_enable_tpg+0x31/0x70 [ib_srpt] target_fabric_tpg_base_enable_store+0xe2/0x140 [target_core_mod] configfs_write_iter+0x18b/0x210 new_sync_write+0x1f2/0x2f0 vfs_write+0x3e3/0x540 ksys_write+0xbb/0x140 __x64_sys_write+0x42/0x50 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:42Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Fix a use-after-free\n\nChange the LIO port members inside struct srpt_port from regular members\ninto pointers. Allocate the LIO port data structures from inside\nsrpt_make_tport() and free these from inside srpt_make_tport(). Keep\nstruct srpt_device as long as either an RDMA port or a LIO target port is\nassociated with it. This patch decouples the lifetime of struct srpt_port\n(controlled by the RDMA core) and struct srpt_port_id (controlled by LIO).\nThis patch fixes the following KASAN complaint:\n\n  BUG: KASAN: use-after-free in srpt_enable_tpg+0x31/0x70 [ib_srpt]\n  Read of size 8 at addr ffff888141cc34b8 by task check/5093\n\n  Call Trace:\n   \u003cTASK\u003e\n   show_stack+0x4e/0x53\n   dump_stack_lvl+0x51/0x66\n   print_address_description.constprop.0.cold+0xea/0x41e\n   print_report.cold+0x90/0x205\n   kasan_report+0xb9/0xf0\n   __asan_load8+0x69/0x90\n   srpt_enable_tpg+0x31/0x70 [ib_srpt]\n   target_fabric_tpg_base_enable_store+0xe2/0x140 [target_core_mod]\n   configfs_write_iter+0x18b/0x210\n   new_sync_write+0x1f2/0x2f0\n   vfs_write+0x3e3/0x540\n   ksys_write+0xbb/0x140\n   __x64_sys_write+0x42/0x50\n   do_syscall_64+0x34/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n   \u003c/TASK\u003e",
  "id": "GHSA-xjxc-h2mp-hqg8",
  "modified": "2025-11-18T18:32:46Z",
  "published": "2025-06-18T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50129"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/388326bb1c32fcd09371c1d494af71471ef3a04b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ee8c39968a648d58b273582d4b021044a41ee5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5605148e6ce36bb21020d49010b617693933128"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de95b52d9aabc979166aba81ccbe623aaf9c16a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e60d7e2462bf57273563c4e00dbfa79ee973b9e2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJXC-VFW2-CG96

Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 19:56
VLAI
Summary
Use after free in openssl
Details

An issue was discovered in the openssl crate before 0.10.9 for Rust. A use-after-free occurs in CMS Signing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.8"
            },
            {
              "fixed": "0.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:24:24Z",
    "nvd_published_at": "2019-08-26T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in the openssl crate before 0.10.9 for Rust. A use-after-free occurs in CMS Signing.",
  "id": "GHSA-xjxc-vfw2-cg96",
  "modified": "2023-06-13T19:56:24Z",
  "published": "2021-08-25T20:43:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20997"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sfackler/rust-openssl/pull/942"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sfackler/rust-openssl"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0010.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use after free in openssl"
}

GHSA-XM2C-MV2P-HFFR

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 15:35
VLAI
Details

Use after free in BrowserTag in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:16Z",
    "severity": "HIGH"
  },
  "details": "Use after free in BrowserTag in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)",
  "id": "GHSA-xm2c-mv2p-hffr",
  "modified": "2026-07-01T15:35:07Z",
  "published": "2026-07-01T00:34:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14040"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/497488593"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM38-WPCW-48CJ

Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31
VLAI
Details

Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-24490.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T22:15:21Z",
    "severity": "LOW"
  },
  "details": "Foxit PDF Reader Annotation Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-24490.",
  "id": "GHSA-xm38-wpcw-48cj",
  "modified": "2024-11-23T03:31:59Z",
  "published": "2024-11-23T03:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9251"
    },
    {
      "type": "WEB",
      "url": "https://www.foxit.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM3V-3QPG-JVXV

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

PDF-XChange Editor TIF File Parsing Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of TIF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18612.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T02:15:11Z",
    "severity": "LOW"
  },
  "details": "PDF-XChange Editor TIF File Parsing Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of TIF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18612.",
  "id": "GHSA-xm3v-3qpg-jvxv",
  "modified": "2024-05-03T03:30:48Z",
  "published": "2024-05-03T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27338"
    },
    {
      "type": "WEB",
      "url": "https://www.tracker-software.com/product/pdf-xchange-editor/history"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM48-Q5C3-24QC

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the mailDoc method of a app object. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6850.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-24T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the mailDoc method of a app object. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6850.",
  "id": "GHSA-xm48-q5c3-24qc",
  "modified": "2022-05-13T01:33:52Z",
  "published": "2022-05-13T01:33:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17677"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1164"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM4R-6VXG-M8FH

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:44Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-xm4r-6vxg-m8fh",
  "modified": "2025-08-12T18:31:32Z",
  "published": "2025-08-12T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53740"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53740"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.