Common Weakness Enumeration

CWE-762

Allowed

Mismatched Memory Management Routines

Abstraction: Variant · Status: Incomplete

The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.

19 vulnerabilities reference this CWE, most recent first.

GHSA-4PFJ-XHF6-V58F

Vulnerability from github – Published: 2025-05-24 03:30 – Updated: 2025-05-24 03:30
VLAI
Details

In the spiral-rs crate 0.2.0 for Rust, allocation can be attempted for a ZST (zero-sized type).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-24T03:15:24Z",
    "severity": "LOW"
  },
  "details": "In the spiral-rs crate 0.2.0 for Rust, allocation can be attempted for a ZST (zero-sized type).",
  "id": "GHSA-4pfj-xhf6-v58f",
  "modified": "2025-05-24T03:30:19Z",
  "published": "2025-05-24T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48755"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blyssprivacy/sdk/issues/36"
    },
    {
      "type": "WEB",
      "url": "https://crates.io/crates/spiral-rs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WC2-F8MC-76RV

Vulnerability from github – Published: 2023-10-12 21:30 – Updated: 2024-04-04 08:36
VLAI
Details

tsMuxer version git-2539d07 was discovered to contain an alloc-dealloc-mismatch (operator new [] vs operator delete) error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-12T21:15:11Z",
    "severity": "HIGH"
  },
  "details": "tsMuxer version git-2539d07 was discovered to contain an alloc-dealloc-mismatch (operator new [] vs operator delete) error.",
  "id": "GHSA-6wc2-f8mc-76rv",
  "modified": "2024-04-04T08:36:22Z",
  "published": "2023-10-12T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45510"
    },
    {
      "type": "WEB",
      "url": "https://github.com/justdan96/tsMuxer/issues/778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/justdan96/tsMuxer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6X45-R4PR-5362

Vulnerability from github – Published: 2025-05-09 06:32 – Updated: 2026-06-09 11:57
VLAI
Summary
trailer mishandles allocating with a size of zero
Details

lib.rs in the trailer crate through 0.1.2 for Rust mishandles allocating with a size of zero.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "trailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-09T15:54:02Z",
    "nvd_published_at": "2025-05-09T05:15:51Z",
    "severity": "LOW"
  },
  "details": "lib.rs in the trailer crate through 0.1.2 for Rust mishandles allocating with a size of zero.",
  "id": "GHSA-6x45-r4pr-5362",
  "modified": "2026-06-09T11:57:41Z",
  "published": "2025-05-09T06:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Geal/trailer/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://crates.io/crates/trailer"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Geal/trailer"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0163.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "trailer mishandles allocating with a size of zero"
}

GHSA-7XXH-V6V3-QWGX

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-11-04 00:30
VLAI
Details

Memory handling issue in editcap could cause denial of service via crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:45:18Z",
    "severity": "LOW"
  },
  "details": "Memory handling issue in editcap could cause denial of service via crafted capture file",
  "id": "GHSA-7xxh-v6v3-qwgx",
  "modified": "2025-11-04T00:30:48Z",
  "published": "2024-05-14T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4853"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/19724"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2024-08.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GC85-62PW-52FP

Vulnerability from github – Published: 2024-03-26 21:30 – Updated: 2025-11-04 00:30
VLAI
Details

T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762",
      "CWE-763"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-26T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-gc85-62pw-52fp",
  "modified": "2025-11-04T00:30:48Z",
  "published": "2024-03-26T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2955"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/19695"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7TWJQKXOV4HYI5C4TWRKTN7B5YL7GTU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZD2MNS6EW2K2SSMN4YBGPZCC47KBDNEE"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2024-06.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPV5-592P-G5Q4

Vulnerability from github – Published: 2026-04-28 12:31 – Updated: 2026-07-09 15:32
VLAI
Details

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762",
      "CWE-763"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-28T10:16:02Z",
    "severity": "HIGH"
  },
  "details": "Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\n\nDescription: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal \"free(): invalid pointer\" error message.",
  "id": "GHSA-ppv5-592p-g5q4",
  "modified": "2026-07-09T15:32:00Z",
  "published": "2026-04-28T12:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48431"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:24539"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25273"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27126"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:28010"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36882"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-48431"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463410"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-48431.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/28/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHF2-GM47-V465

Vulnerability from github – Published: 2025-06-12 18:31 – Updated: 2025-06-23 15:31
VLAI
Details

There is a memory management vulnerability in Absolute Secure Access server versions 9.0 to 13.54. Attackers with network access to the server can cause a Denial of Service by sending a specially crafted sequence of packets to the server. The attack complexity is low, there are no attack requirements, privileges, or user interaction required. Loss of availability is high; there is no impact on confidentiality or integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-12T17:15:29Z",
    "severity": "HIGH"
  },
  "details": "There is a memory management vulnerability in Absolute\nSecure Access server versions 9.0 to 13.54. Attackers with network access to\nthe server can cause a Denial of Service by sending a specially crafted\nsequence of packets to the server. The attack complexity is low, there are no\nattack requirements, privileges, or user interaction required. Loss of\navailability is high; there is no impact on confidentiality or integrity.",
  "id": "GHSA-qhf2-gm47-v465",
  "modified": "2025-06-23T15:31:38Z",
  "published": "2025-06-12T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49080"
    },
    {
      "type": "WEB",
      "url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2025-49080"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R7P8-QF55-R286

Vulnerability from github – Published: 2023-07-14 09:30 – Updated: 2025-11-04 00:30
VLAI
Details

Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-14T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-r7p8-qf55-r286",
  "modified": "2025-11-04T00:30:38Z",
  "published": "2023-07-14T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3648"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/19105"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2023-21.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V76P-4WXX-WRPQ

Vulnerability from github – Published: 2025-05-07 18:30 – Updated: 2025-05-07 18:30
VLAI
Details

A vulnerability in the Cisco Express Forwarding functionality of Cisco IOS XE Software for Cisco ASR 903 Aggregation Services Routers with Route Switch Processor 3 (RSP3C) could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition.

This vulnerability is due to improper memory management when Cisco IOS XE Software is processing Address Resolution Protocol (ARP) messages. An attacker could exploit this vulnerability by sending crafted ARP messages at a high rate over a period of time to an affected device. A successful exploit could allow the attacker to exhaust system resources, which eventually triggers a reload of the active route switch processor (RSP). If a redundant RSP is not present, the router reloads.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-762"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T18:15:38Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Cisco Express Forwarding functionality of Cisco IOS XE Software for Cisco ASR 903 Aggregation Services Routers with Route Switch Processor 3 (RSP3C) could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition.\n\n This vulnerability is due to improper memory management when Cisco IOS XE Software is processing Address Resolution Protocol (ARP) messages. An attacker could exploit this vulnerability by sending crafted ARP messages at a high rate over a period of time to an affected device. A successful exploit could allow the attacker to exhaust system resources, which eventually triggers a reload of the active route switch processor (RSP). If a redundant RSP is not present, the router reloads.",
  "id": "GHSA-v76p-4wxx-wrpq",
  "modified": "2025-05-07T18:30:49Z",
  "published": "2025-05-07T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20189"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr903-rsp3-arp-dos-WmfzdvJZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation MIT-4.6
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, glibc in Linux provides protection against free of invalid pointers.
Mitigation
Architecture and Design

Use a language that provides abstractions for memory allocation and deallocation.

No CAPEC attack patterns related to this CWE.