CWE-763
AllowedRelease of Invalid Pointer or Reference
Abstraction: Base · Status: Incomplete
The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
109 vulnerabilities reference this CWE, most recent first.
GHSA-FPPR-V7H4-2G4V
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-10-31 00:30In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow
For the case of IB_MR_TYPE_DM the mr does doesn't have a umem, even though it is a user MR. This causes function mlx5_free_priv_descs() to think that it is a kernel MR, leading to wrongly accessing mr->descs that will get wrong values in the union which leads to attempt to release resources that were not allocated in the first place.
For example: DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes] WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0 RIP: 0010:check_unmap+0x54f/0x8b0 Call Trace: debug_dma_unmap_page+0x57/0x60 mlx5_free_priv_descs+0x57/0x70 [mlx5_ib] mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib] ib_dereg_mr_user+0x60/0x140 [ib_core] uverbs_destroy_uobject+0x59/0x210 [ib_uverbs] uobj_destroy+0x3f/0x80 [ib_uverbs] ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs] ? uverbs_finalize_object+0x50/0x50 [ib_uverbs] ? lock_acquire+0xc4/0x2e0 ? lock_acquired+0x12/0x380 ? lock_acquire+0xc4/0x2e0 ? lock_acquire+0xc4/0x2e0 ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs] ? lock_release+0x28a/0x400 ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs] ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs] __x64_sys_ioctl+0x7f/0xb0 do_syscall_64+0x38/0x90
Fix it by reorganizing the dereg flow and mlx5_ib_mr structure: - Move the ib_umem field into the user MRs structure in the union as it's applicable only there. - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only in case there isn't udata, which indicates that this isn't a user MR.
{
"affected": [],
"aliases": [
"CVE-2021-47615"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T15:15:56Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix releasing unallocated memory in dereg MR flow\n\nFor the case of IB_MR_TYPE_DM the mr does doesn\u0027t have a umem, even though\nit is a user MR. This causes function mlx5_free_priv_descs() to think that\nit is a kernel MR, leading to wrongly accessing mr-\u003edescs that will get\nwrong values in the union which leads to attempt to release resources that\nwere not allocated in the first place.\n\nFor example:\n DMA-API: mlx5_core 0000:08:00.1: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=0 bytes]\n WARNING: CPU: 8 PID: 1021 at kernel/dma/debug.c:961 check_unmap+0x54f/0x8b0\n RIP: 0010:check_unmap+0x54f/0x8b0\n Call Trace:\n debug_dma_unmap_page+0x57/0x60\n mlx5_free_priv_descs+0x57/0x70 [mlx5_ib]\n mlx5_ib_dereg_mr+0x1fb/0x3d0 [mlx5_ib]\n ib_dereg_mr_user+0x60/0x140 [ib_core]\n uverbs_destroy_uobject+0x59/0x210 [ib_uverbs]\n uobj_destroy+0x3f/0x80 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x435/0xd10 [ib_uverbs]\n ? uverbs_finalize_object+0x50/0x50 [ib_uverbs]\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquired+0x12/0x380\n ? lock_acquire+0xc4/0x2e0\n ? lock_acquire+0xc4/0x2e0\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n ? lock_release+0x28a/0x400\n ib_uverbs_ioctl+0xc0/0x140 [ib_uverbs]\n ? ib_uverbs_ioctl+0x7c/0x140 [ib_uverbs]\n __x64_sys_ioctl+0x7f/0xb0\n do_syscall_64+0x38/0x90\n\nFix it by reorganizing the dereg flow and mlx5_ib_mr structure:\n - Move the ib_umem field into the user MRs structure in the union as it\u0027s\n applicable only there.\n - Function mlx5_ib_dereg_mr() will now call mlx5_free_priv_descs() only\n in case there isn\u0027t udata, which indicates that this isn\u0027t a user MR.",
"id": "GHSA-fppr-v7h4-2g4v",
"modified": "2024-10-31T00:30:36Z",
"published": "2024-06-19T15:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47615"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c44979ace49b4aede3cc7cb5542316e53a4005c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3bc4d4b50cae7db08e50dbe43f771c906e97701"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0ae4afe3d35e67db042c58a52909e06262b740f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2F3-3734-6Q3W
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A vulnerability in SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS) due to the release of Invalid pointer and leads to a firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.
{
"affected": [],
"aliases": [
"CVE-2020-5139"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-12T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS) due to the release of Invalid pointer and leads to a firewall crash. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.",
"id": "GHSA-g2f3-3734-6q3w",
"modified": "2022-05-24T17:30:32Z",
"published": "2022-05-24T17:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5139"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0014"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GC85-62PW-52FP
Vulnerability from github – Published: 2024-03-26 21:30 – Updated: 2025-11-04 00:30T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2024-2955"
],
"database_specific": {
"cwe_ids": [
"CWE-762",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-26T20:15:11Z",
"severity": "HIGH"
},
"details": "T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-gc85-62pw-52fp",
"modified": "2025-11-04T00:30:48Z",
"published": "2024-03-26T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2955"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/19695"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7TWJQKXOV4HYI5C4TWRKTN7B5YL7GTU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZD2MNS6EW2K2SSMN4YBGPZCC47KBDNEE"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2024-06.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQ55-CJRV-P49J
Vulnerability from github – Published: 2024-07-09 15:30 – Updated: 2024-08-01 15:31It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a <select> element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128.
{
"affected": [],
"aliases": [
"CVE-2024-6607"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T15:15:12Z",
"severity": "HIGH"
},
"details": "It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `\u0026lt;select\u0026gt;` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox \u003c 128.",
"id": "GHSA-gq55-cjrv-p49j",
"modified": "2024-08-01T15:31:53Z",
"published": "2024-07-09T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6607"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1694513"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-29"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQPC-4QR8-J9G3
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-08-28 00:00An invalid memory address reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
{
"affected": [],
"aliases": [
"CVE-2020-27798"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-25T20:15:00Z",
"severity": "MODERATE"
},
"details": "An invalid memory address reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.",
"id": "GHSA-gqpc-4qr8-j9g3",
"modified": "2022-08-28T00:00:28Z",
"published": "2022-08-26T00:03:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27798"
},
{
"type": "WEB",
"url": "https://github.com/upx/upx/issues/396"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HCP2-8J7P-77M4
Vulnerability from github – Published: 2023-06-01 03:30 – Updated: 2024-04-04 04:27In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition.
{
"affected": [],
"aliases": [
"CVE-2023-34312"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T03:15:20Z",
"severity": "HIGH"
},
"details": "In Tencent QQ through 9.7.8.29039 and TIM through 3.4.7.22084, QQProtect.exe and QQProtectEngine.dll do not validate pointers from inter-process communication, which leads to a write-what-where condition.",
"id": "GHSA-hcp2-8j7p-77m4",
"modified": "2024-04-04T04:27:38Z",
"published": "2023-06-01T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34312"
},
{
"type": "WEB",
"url": "https://github.com/vi3t1/qq-tim-elevation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMPW-7RWX-Q968
Vulnerability from github – Published: 2023-12-30 03:30 – Updated: 2024-01-08 15:30A lack of pointer-validation logic in the __scone_dispatch component of SCONE before v5.8.0 for Intel SGX allows attackers to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-46486"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-30T03:15:08Z",
"severity": "MODERATE"
},
"details": "A lack of pointer-validation logic in the __scone_dispatch component of SCONE before v5.8.0 for Intel SGX allows attackers to access sensitive information.",
"id": "GHSA-hmpw-7rwx-q968",
"modified": "2024-01-08T15:30:26Z",
"published": "2023-12-30T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46486"
},
{
"type": "WEB",
"url": "https://jovanbulck.github.io/files/ccs19-tale.pdf"
},
{
"type": "WEB",
"url": "https://jovanbulck.github.io/files/oakland24-pandora.pdf"
},
{
"type": "WEB",
"url": "https://sconedocs.github.io/release5.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXP8-H2PW-F72F
Vulnerability from github – Published: 2026-01-01 18:30 – Updated: 2026-01-06 15:30Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service.
This issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0.
Users of filesystem based services with write access that were exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.10.0 that fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2025-48768"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-01T17:15:43Z",
"severity": "MODERATE"
},
"details": "Release of Invalid Pointer or Reference vulnerability was discovered in\u00a0fs/inode/fs_inoderemove\u00a0code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service.\n\nThis issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0.\n\nUsers of filesystem based services with write access that were exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.10.0 that fixes the issue.",
"id": "GHSA-hxp8-h2pw-f72f",
"modified": "2026-01-06T15:30:26Z",
"published": "2026-01-01T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48768"
},
{
"type": "WEB",
"url": "https://github.com/apache/nuttx/pull/16437"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/nwo1kd08b7t3dyz082q2pghdxwvxwyvo"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/31/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4WW-V8Q8-VR74
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29Mozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 80, Firefox ESR < 78.2, Thunderbird < 78.2, and Firefox for Android < 80.
{
"affected": [],
"aliases": [
"CVE-2020-15670"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-01T19:15:00Z",
"severity": "HIGH"
},
"details": "Mozilla developers reported memory safety bugs present in Firefox for Android 79. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 80, Firefox ESR \u003c 78.2, Thunderbird \u003c 78.2, and Firefox for Android \u003c 80.",
"id": "GHSA-j4ww-v8q8-vr74",
"modified": "2022-05-24T17:29:54Z",
"published": "2022-05-24T17:29:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15670"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1651001%2C1653626%2C1656957"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-36"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-38"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-39"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-41"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J649-25W2-C75P
Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30Memory corruption while handling invalid inputs in application info setup.
{
"affected": [],
"aliases": [
"CVE-2025-47329"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T16:15:37Z",
"severity": "HIGH"
},
"details": "Memory corruption while handling invalid inputs in application info setup.",
"id": "GHSA-j649-25w2-c75p",
"modified": "2025-09-24T18:30:31Z",
"published": "2025-09-24T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47329"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().
Mitigation
When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.
Mitigation MIT-4.6
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, glibc in Linux provides protection against free of invalid pointers.
Mitigation
Use a language that provides abstractions for memory allocation and deallocation.
No CAPEC attack patterns related to this CWE.