CWE-763
AllowedRelease of Invalid Pointer or Reference
Abstraction: Base · Status: Incomplete
The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
109 vulnerabilities reference this CWE, most recent first.
GHSA-5PQG-QMMW-G6J5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2026-05-29 18:31An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
{
"affected": [],
"aliases": [
"CVE-2020-28941"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-19T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.",
"id": "GHSA-5pqg-qmmw-g6j5",
"modified": "2026-05-29T18:31:13Z",
"published": "2022-05-24T17:34:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28941"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/d4122754442799187d5d537a9c039a49a67e57f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d4122754442799187d5d537a9c039a49a67e57f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus\u0026id=d4122754442799187d5d537a9c039a49a67e57f1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TITJQPYDWZ4NB2ONJWUXW75KSQIPF35T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZF4OGZPKTAJJXWHPIFP3LHEWWEMR5LPT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TITJQPYDWZ4NB2ONJWUXW75KSQIPF35T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZF4OGZPKTAJJXWHPIFP3LHEWWEMR5LPT"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/11/19/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/19/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WQW-CQHV-Q8CV
Vulnerability from github – Published: 2021-12-23 00:01 – Updated: 2021-12-29 00:01An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2021-45261"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-22T18:15:00Z",
"severity": "MODERATE"
},
"details": "An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.",
"id": "GHSA-5wqw-cqhv-q8cv",
"modified": "2021-12-29T00:01:30Z",
"published": "2021-12-23T00:01:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45261"
},
{
"type": "WEB",
"url": "https://savannah.gnu.org/bugs/?61685"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-647G-VGR2-5GQC
Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.
{
"affected": [],
"aliases": [
"CVE-2022-28203"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-19T21:15:00Z",
"severity": "HIGH"
},
"details": "A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.",
"id": "GHSA-647g-vgr2-5gqc",
"modified": "2022-09-22T00:00:26Z",
"published": "2022-09-20T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28203"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T297731"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5246"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-662R-59MF-5FXR
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
{
"affected": [],
"aliases": [
"CVE-2020-15673"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-01T19:15:00Z",
"severity": "HIGH"
},
"details": "Mozilla developers reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3.",
"id": "GHSA-662r-59mf-5fxr",
"modified": "2022-05-24T17:29:55Z",
"published": "2022-05-24T17:29:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15673"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1648493%2C1660800"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202010-02"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4770"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-42"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-43"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-44"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6794-4VQV-W8QG
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
netfilter: nat: use kfree_rcu to release ops
Florian Westphal says:
"Historically this is not an issue, even for normal base hooks: the data path doesn't use the original nf_hook_ops that are used to register the callbacks.
However, in v5.14 I added the ability to dump the active netfilter hooks from userspace.
This code will peek back into the nf_hook_ops that are available at the tail of the pointer-array blob used by the datapath.
The nat hooks are special, because they are called indirectly from the central nat dispatcher hook. They are currently invisible to the nfnl hook dump subsystem though.
But once that changes the nat ops structures have to be deferred too."
Update nf_nat_register_fn() to deal with partial exposition of the hooks from error path which can be also an issue for nfnetlink_hook.
{
"affected": [],
"aliases": [
"CVE-2026-53000"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nat: use kfree_rcu to release ops\n\nFlorian Westphal says:\n\n\"Historically this is not an issue, even for normal base hooks: the data\npath doesn\u0027t use the original nf_hook_ops that are used to register the\ncallbacks.\n\nHowever, in v5.14 I added the ability to dump the active netfilter\nhooks from userspace.\n\nThis code will peek back into the nf_hook_ops that are available\nat the tail of the pointer-array blob used by the datapath.\n\nThe nat hooks are special, because they are called indirectly from\nthe central nat dispatcher hook. They are currently invisible to\nthe nfnl hook dump subsystem though.\n\nBut once that changes the nat ops structures have to be deferred too.\"\n\nUpdate nf_nat_register_fn() to deal with partial exposition of the hooks\nfrom error path which can be also an issue for nfnetlink_hook.",
"id": "GHSA-6794-4vqv-w8qg",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53000"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53000"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492273"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32fdd2e38e7435a368d88f5977a7d6585ebc8b0e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3c7511f38ab511b791196b13ae48bf4973bf7dfd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6eda0d771f94267f73f57c94630aa47e90957915"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53000.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6F82-P732-9CP8
Vulnerability from github – Published: 2026-07-14 15:32 – Updated: 2026-07-14 15:32We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw. This vulnerability was fixed in Firefox 152.0.6.
{
"affected": [],
"aliases": [
"CVE-2026-15718"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T13:18:20Z",
"severity": "MODERATE"
},
"details": "We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw. This vulnerability was fixed in Firefox 152.0.6.",
"id": "GHSA-6f82-p732-9cp8",
"modified": "2026-07-14T15:32:16Z",
"published": "2026-07-14T15:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15718"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2045443"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-67"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6FVX-97P6-HW44
Vulnerability from github – Published: 2024-07-30 09:32 – Updated: 2024-12-11 18:30In the Linux kernel, the following vulnerability has been resolved:
bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX
Syzbot hit warning in hci_conn_del() caused by freeing handle that was not allocated using ida allocator.
This is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by hci_le_big_sync_established_evt(), which makes code think it's unset connection.
Add same check for handle upper bound as in hci_conn_set_handle() to prevent warning.
{
"affected": [],
"aliases": [
"CVE-2024-42132"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T08:15:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX\n\nSyzbot hit warning in hci_conn_del() caused by freeing handle that was\nnot allocated using ida allocator.\n\nThis is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by\nhci_le_big_sync_established_evt(), which makes code think it\u0027s unset\nconnection.\n\nAdd same check for handle upper bound as in hci_conn_set_handle() to\nprevent warning.",
"id": "GHSA-6fvx-97p6-hw44",
"modified": "2024-12-11T18:30:36Z",
"published": "2024-07-30T09:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42132"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1cc18c2ab2e8c54c355ea7c0423a636e415a0c23"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4970e48f83dbd21d2a6a7cdaaafc2a71f7f45dc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d311036696fed778301d08a71a4bef737b86d8c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WGV-VJ43-RPR5
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2025-11-03 21:30BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.
{
"affected": [],
"aliases": [
"CVE-2021-28216"
],
"database_specific": {
"cwe_ids": [
"CWE-587",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-05T21:15:00Z",
"severity": "HIGH"
},
"details": "BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.",
"id": "GHSA-6wgv-vj43-rpr5",
"modified": "2025-11-03T21:30:32Z",
"published": "2022-05-24T19:10:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28216"
},
{
"type": "WEB",
"url": "https://bugzilla.tianocore.org/show_bug.cgi?id=2957"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-78CM-F398-H7CF
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 18:30In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tipd: Free IRQ only if it was requested before
In polling mode, if no IRQ was requested there is no need to free it. Call devm_free_irq() only if client->irq is set. This fixes the warning caused by the tps6598x module removal:
WARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c ... ... Call trace: devm_free_irq+0x80/0x8c tps6598x_remove+0x28/0x88 [tps6598x] i2c_device_remove+0x2c/0x9c device_remove+0x4c/0x80 device_release_driver_internal+0x1cc/0x228 driver_detach+0x50/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 i2c_del_driver+0x54/0x64 tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x] __arm64_sys_delete_module+0x184/0x264 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc8/0xe8 do_el0_svc+0x20/0x2c el0_svc+0x28/0x98 el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194
{
"affected": [],
"aliases": [
"CVE-2024-50057"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:17Z",
"severity": "LOW"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tipd: Free IRQ only if it was requested before\n\nIn polling mode, if no IRQ was requested there is no need to free it.\nCall devm_free_irq() only if client-\u003eirq is set. This fixes the warning\ncaused by the tps6598x module removal:\n\nWARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c\n...\n...\nCall trace:\n devm_free_irq+0x80/0x8c\n tps6598x_remove+0x28/0x88 [tps6598x]\n i2c_device_remove+0x2c/0x9c\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1cc/0x228\n driver_detach+0x50/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n i2c_del_driver+0x54/0x64\n tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x]\n __arm64_sys_delete_module+0x184/0x264\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc8/0xe8\n do_el0_svc+0x20/0x2c\n el0_svc+0x28/0x98\n el0t_64_sync_handler+0x13c/0x158\n el0t_64_sync+0x190/0x194",
"id": "GHSA-78cm-f398-h7cf",
"modified": "2024-10-24T18:30:42Z",
"published": "2024-10-21T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50057"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d4b23c119542fbaed2a16794d3801cb4806ea02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b72bf5cade51ba4055c8a8998d275e72e6b521ce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db63d9868f7f310de44ba7bea584e2454f8b4ed0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-79GQ-68M6-V3VG
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an uninitialized memory address, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2018-6836"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-08T07:29:00Z",
"severity": "CRITICAL"
},
"details": "The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an uninitialized memory address, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"id": "GHSA-79gq-68m6-v3vg",
"modified": "2022-05-13T01:20:31Z",
"published": "2022-05-13T01:20:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6836"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14397"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/#/c/25660"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/#/c/25660/2/wiretap/netmon.c"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=28960d79cca262ac6b974f339697b299a1e28fef"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().
Mitigation
When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.
Mitigation MIT-4.6
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, glibc in Linux provides protection against free of invalid pointers.
Mitigation
Use a language that provides abstractions for memory allocation and deallocation.
No CAPEC attack patterns related to this CWE.