CWE-825
AllowedExpired Pointer Dereference
Abstraction: Base · Status: Incomplete
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
105 vulnerabilities reference this CWE, most recent first.
GHSA-25VX-3H3C-MWV8
Vulnerability from github – Published: 2023-08-18 21:30 – Updated: 2024-01-25 18:30A vulnerability in the AutoIt module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to a logic error in the memory management of an affected device. An attacker could exploit this vulnerability by submitting a crafted AutoIt file to be scanned by ClamAV on the affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to restart unexpectedly, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2023-20212"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-18T20:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability in the AutoIt module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. \n\n This vulnerability is due to a logic error in the memory management of an affected device. An attacker could exploit this vulnerability by submitting a crafted AutoIt file to be scanned by ClamAV on the affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to restart unexpectedly, resulting in a DoS condition.",
"id": "GHSA-25vx-3h3c-mwv8",
"modified": "2024-01-25T18:30:41Z",
"published": "2023-08-18T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20212"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-dos-FTkhqMWZ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F72-2CHX-Q8P6
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Take state lock for af_unix iter
When a BPF iterator program updates a sockmap, there is a race condition in
unix_stream_bpf_update_proto() where the peer pointer can become stale[1]
during a state transition TCP_ESTABLISHED -> TCP_CLOSE.
CPU0 bpf CPU1 close
-------- ----------
// unix_stream_bpf_update_proto() sk_pair = unix_peer(sk) if (unlikely(!sk_pair)) return -EINVAL; // unix_release_sock() skpair = unix_peer(sk); unix_peer(sk) = NULL; sock_put(skpair) sock_hold(sk_pair) // UaF
More practically, this fix guarantees that the iterator program is consistently provided with a unix socket that remains stable during iterator execution.
[1]: BUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490 Write of size 4 at addr ffff8881178c9a00 by task test_progs/2231 Call Trace: dump_stack_lvl+0x5d/0x80 print_report+0x170/0x4f3 kasan_report+0xe4/0x1c0 kasan_check_range+0x125/0x200 unix_stream_bpf_update_proto+0x155/0x490 sock_map_link+0x71c/0xec0 sock_map_update_common+0xbc/0x600 sock_map_update_elem+0x19a/0x1f0 bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217 bpf_iter_run_prog+0x21e/0xae0 bpf_iter_unix_seq_show+0x1e0/0x2a0 bpf_seq_read+0x42c/0x10d0 vfs_read+0x171/0xb20 ksys_read+0xff/0x200 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2236: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x63/0x80 kmem_cache_alloc_noprof+0x1d5/0x680 sk_prot_alloc+0x59/0x210 sk_alloc+0x34/0x470 unix_create1+0x86/0x8a0 unix_stream_connect+0x318/0x15b0 __sys_connect+0xfd/0x130 __x64_sys_connect+0x72/0xd0 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2236: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x47/0x70 kmem_cache_free+0x11c/0x590 __sk_destruct+0x432/0x6e0 unix_release_sock+0x9b3/0xf60 unix_release+0x8a/0xf0 __sock_release+0xb0/0x270 sock_close+0x18/0x20 __fput+0x36e/0xac0 fput_close_sync+0xe5/0x1a0 __x64_sys_close+0x7d/0xd0 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
{
"affected": [],
"aliases": [
"CVE-2026-53033"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:14Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Take state lock for af_unix iter\n\nWhen a BPF iterator program updates a sockmap, there is a race condition in\nunix_stream_bpf_update_proto() where the `peer` pointer can become stale[1]\nduring a state transition TCP_ESTABLISHED -\u003e TCP_CLOSE.\n\n CPU0 bpf CPU1 close\n -------- ----------\n// unix_stream_bpf_update_proto()\nsk_pair = unix_peer(sk)\nif (unlikely(!sk_pair))\n return -EINVAL;\n // unix_release_sock()\n skpair = unix_peer(sk);\n unix_peer(sk) = NULL;\n sock_put(skpair)\nsock_hold(sk_pair) // UaF\n\nMore practically, this fix guarantees that the iterator program is\nconsistently provided with a unix socket that remains stable during\niterator execution.\n\n[1]:\nBUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490\nWrite of size 4 at addr ffff8881178c9a00 by task test_progs/2231\nCall Trace:\n dump_stack_lvl+0x5d/0x80\n print_report+0x170/0x4f3\n kasan_report+0xe4/0x1c0\n kasan_check_range+0x125/0x200\n unix_stream_bpf_update_proto+0x155/0x490\n sock_map_link+0x71c/0xec0\n sock_map_update_common+0xbc/0x600\n sock_map_update_elem+0x19a/0x1f0\n bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217\n bpf_iter_run_prog+0x21e/0xae0\n bpf_iter_unix_seq_show+0x1e0/0x2a0\n bpf_seq_read+0x42c/0x10d0\n vfs_read+0x171/0xb20\n ksys_read+0xff/0x200\n do_syscall_64+0xf7/0x5e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAllocated by task 2236:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x63/0x80\n kmem_cache_alloc_noprof+0x1d5/0x680\n sk_prot_alloc+0x59/0x210\n sk_alloc+0x34/0x470\n unix_create1+0x86/0x8a0\n unix_stream_connect+0x318/0x15b0\n __sys_connect+0xfd/0x130\n __x64_sys_connect+0x72/0xd0\n do_syscall_64+0xf7/0x5e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2236:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x47/0x70\n kmem_cache_free+0x11c/0x590\n __sk_destruct+0x432/0x6e0\n unix_release_sock+0x9b3/0xf60\n unix_release+0x8a/0xf0\n __sock_release+0xb0/0x270\n sock_close+0x18/0x20\n __fput+0x36e/0xac0\n fput_close_sync+0xe5/0x1a0\n __x64_sys_close+0x7d/0xd0\n do_syscall_64+0xf7/0x5e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
"id": "GHSA-2f72-2chx-q8p6",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53033"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53033"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492281"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a59cc6b65fd3ad9915aae5970d859109d4ce9fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64c2f93fc3254d3bf5de4445fb732ee5c451edb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/921920c34cb591947dd30c692500795a69f1e3fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98f744d204e5d6fca589cd2c44c3190a0c71697f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6f4015eac2e3cbc3cb7a17539e10bbb5c2049c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0d124dbcef9318e326956137b31671407094bd4"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53033.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2H2G-6J29-J4FM
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-05-26 18:31IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.
{
"affected": [],
"aliases": [
"CVE-2026-8854"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T18:16:57Z",
"severity": "HIGH"
},
"details": "IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.",
"id": "GHSA-2h2g-6j29-j4fm",
"modified": "2026-05-26T18:31:51Z",
"published": "2026-05-26T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8854"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7274065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3MG7-PFMQ-9QFV
Vulnerability from github – Published: 2026-06-01 18:31 – Updated: 2026-07-10 12:31In the Linux kernel, the following vulnerability has been resolved:
smb: client: reject userspace cifs.spnego descriptions
cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.
Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.
{
"affected": [],
"aliases": [
"CVE-2026-46243"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T17:17:34Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: reject userspace cifs.spnego descriptions\n\ncifs.spnego key descriptions contain authority-bearing fields such as\npid, uid, creduid, and upcall_target that cifs.upcall treats as\nkernel-originating inputs. However, userspace can also create keys of\nthis type through request_key(2) or add_key(2), allowing those fields to\nbe supplied without CIFS origin.\n\nOnly accept cifs.spnego descriptions while CIFS is using its private\nspnego_cred to request the key.",
"id": "GHSA-3mg7-pfmq-9qfv",
"modified": "2026-07-10T12:31:36Z",
"published": "2026-06-01T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46243"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23258"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33224"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33225"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34048"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34757"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34764"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34788"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34815"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46243"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481486"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0aece6685fc80a8de492688ca2315fb86ec379c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2035acfb17221729b1b8ac335e941868a04ca079"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3da1fdf4efbc490041eb4f836bf596201203f8f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7713bd320ed4fc3d08a227cd8e41242219a16981"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91f89c1d83e80417629791fcef6af8140d7d01c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9544559e59438a4b609b2fdfa0763d8360572824"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a3bbda6502a9398b816fa2e71c9a3f955f58013d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf20038657d6d4974349556a34e08fe0490bebbc"
},
{
"type": "WEB",
"url": "https://github.com/manizada/CIFSwitch"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46243.json"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23259"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23329"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23395"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25908"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26570"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27719"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27729"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33219"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33220"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33221"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33222"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33223"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4345-CCPC-8955
Vulnerability from github – Published: 2026-05-07 15:38 – Updated: 2026-06-30 03:36Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2.
{
"affected": [],
"aliases": [
"CVE-2026-8090"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T13:16:13Z",
"severity": "HIGH"
},
"details": "Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2.",
"id": "GHSA-4345-ccpc-8955",
"modified": "2026-06-30T03:36:34Z",
"published": "2026-05-07T15:38:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8090"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-44"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-43"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-42"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-41"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-40"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8090.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467709"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2034352"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-8090"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25015"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24983"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24755"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24516"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24511"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24510"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24509"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24508"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20574"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20566"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19160"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-44FH-C439-XQ8F
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
bpf: fix mm lifecycle in open-coded task_vma iterator
The open-coded task_vma iterator reads task->mm locklessly and acquires mmap_read_trylock() but never calls mmget(). If the task exits concurrently, the mm_struct can be freed as it is not SLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.
Safely read task->mm with a trylock on alloc_lock and acquire an mm reference. Drop the reference via bpf_iter_mmput_async() in _destroy() and error paths. bpf_iter_mmput_async() is a local wrapper around mmput_async() with a fallback to mmput() on !CONFIG_MMU.
Reject irqs-disabled contexts (including NMI) up front. Operations used by _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async) take spinlocks with IRQs disabled (pool->lock, pi_lock). Running from NMI or from a tracepoint that fires with those locks held could deadlock.
A trylock on alloc_lock is used instead of the blocking task_lock() (get_task_mm) to avoid a deadlock when a softirq BPF program iterates a task that already holds its alloc_lock on the same CPU.
{
"affected": [],
"aliases": [
"CVE-2026-53085"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:22Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix mm lifecycle in open-coded task_vma iterator\n\nThe open-coded task_vma iterator reads task-\u003emm locklessly and acquires\nmmap_read_trylock() but never calls mmget(). If the task exits\nconcurrently, the mm_struct can be freed as it is not\nSLAB_TYPESAFE_BY_RCU, resulting in a use-after-free.\n\nSafely read task-\u003emm with a trylock on alloc_lock and acquire an mm\nreference. Drop the reference via bpf_iter_mmput_async() in _destroy()\nand error paths. bpf_iter_mmput_async() is a local wrapper around\nmmput_async() with a fallback to mmput() on !CONFIG_MMU.\n\nReject irqs-disabled contexts (including NMI) up front. Operations used\nby _next() and _destroy() (mmap_read_unlock, bpf_iter_mmput_async)\ntake spinlocks with IRQs disabled (pool-\u003elock, pi_lock). Running from\nNMI or from a tracepoint that fires with those locks held could\ndeadlock.\n\nA trylock on alloc_lock is used instead of the blocking task_lock()\n(get_task_mm) to avoid a deadlock when a softirq BPF program iterates\na task that already holds its alloc_lock on the same CPU.",
"id": "GHSA-44fh-c439-xq8f",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53085"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492404"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/239cec25a22662dbd80f57d94b38178c8be95269"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/43683bb280330f3d36f0f2a3932a4867b9603e9c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0862de7c866c5bd7c32531f66738c21197af888"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8e27d2d22b6e2df3a0125b8c08e9aace38c954c"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53085.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4W98-XF39-23GP
Vulnerability from github – Published: 2026-03-16 20:49 – Updated: 2026-04-24 20:27Summary
ewe's handle_trailers function contains a bug where rejected trailer headers (forbidden or undeclared) cause an infinite loop. The function recurses with the original unparsed buffer instead of advancing past the rejected header, re-parsing the same header forever. Each malicious request permanently wedges a BEAM process at 100% CPU with no timeout or escape.
Impact
When handle_trailers (ewe/internal/http1.gleam:493) encounters a trailer that is either not in the declared trailer set or is blocked by is_forbidden_trailer, three code paths (lines 520, 523, 526) recurse with the original buffer rest instead of Buffer(header_rest, 0):
// Line 523 — uses `rest` (original buffer), not `Buffer(header_rest, 0)` (remaining)
False -> handle_trailers(req, set, rest)
This causes decoder.decode_packet to re-parse the same header on every iteration, producing an infinite loop. The BEAM process never yields, never times out, and never terminates.
Any ewe application that calls ewe.read_body on chunked requests is affected. This is exploitable by any unauthenticated remote client. There is no application-level workaround — the infinite loop is triggered inside read_body before control returns to application code.
Proof of Concept
Send a chunked request with a forbidden trailer (host) to trigger the infinite loop:
printf 'POST / HTTP/1.1\r\nHost: localhost:8080\r\nTransfer-Encoding: chunked\r\nTrailer: host\r\n\r\n4\r\ntest\r\n0\r\nhost: evil.example.com\r\n\r\n' | nc -w 3 localhost 8080
This will hang (no response) until the nc timeout. The server-side handler process is stuck forever.
Exhaust server resources with concurrent requests:
for i in $(seq 1 50); do
printf 'POST / HTTP/1.1\r\nHost: localhost:8080\r\nTransfer-Encoding: chunked\r\nTrailer: host\r\n\r\n4\r\ntest\r\n0\r\nhost: evil.example.com\r\n\r\n' | nc -w 1 localhost 8080 &
done
Open the Erlang Observer (observer:start()) and sort the Processes tab by Reductions to see the stuck processes with continuously climbing reduction counts.
Vulnerable Code
All three False/Error branches in handle_trailers have the same bug:
// ewe/internal/http1.gleam, lines 493–531
fn handle_trailers(
req: Request(BitArray),
set: Set(String),
rest: Buffer,
) -> Request(BitArray) {
case decoder.decode_packet(HttphBin, rest) {
Ok(Packet(HttpEoh, _)) -> req
Ok(Packet(HttpHeader(idx, field, value), header_rest)) -> {
// ... field name parsing ...
case field_name {
Ok(field_name) -> {
case
set.contains(set, field_name) && !is_forbidden_trailer(field_name)
{
True -> {
case bit_array.to_string(value) {
Ok(value) -> {
request.set_header(req, field_name, value)
|> handle_trailers(set, Buffer(header_rest, 0)) // correct
}
Error(Nil) -> handle_trailers(req, set, rest) // BUG: line 520
}
}
False -> handle_trailers(req, set, rest) // BUG: line 523
}
}
Error(Nil) -> handle_trailers(req, set, rest) // BUG: line 526
}
}
_ -> req
}
}
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "ewe"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32873"
],
"database_specific": {
"cwe_ids": [
"CWE-825",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T20:49:50Z",
"nvd_published_at": "2026-03-20T02:16:35Z",
"severity": "HIGH"
},
"details": "## Summary\n\newe\u0027s `handle_trailers` function contains a bug where rejected trailer headers (forbidden or undeclared) cause an infinite loop. The function recurses with the original unparsed buffer instead of advancing past the rejected header, re-parsing the same header forever. Each malicious request permanently wedges a BEAM process at 100% CPU with no timeout or escape.\n\n## Impact\n\nWhen `handle_trailers` (`ewe/internal/http1.gleam:493`) encounters a trailer that is either not in the declared trailer set or is blocked by `is_forbidden_trailer`, three code paths (lines 520, 523, 526) recurse with the original buffer `rest` instead of `Buffer(header_rest, 0)`:\n\n```gleam\n// Line 523 \u2014 uses `rest` (original buffer), not `Buffer(header_rest, 0)` (remaining)\nFalse -\u003e handle_trailers(req, set, rest)\n```\n\nThis causes `decoder.decode_packet` to re-parse the same header on every iteration, producing an infinite loop. The BEAM process never yields, never times out, and never terminates.\n\n**Any ewe application that calls `ewe.read_body` on chunked requests is affected.** This is exploitable by any unauthenticated remote client. There is no application-level workaround \u2014 the infinite loop is triggered inside `read_body` before control returns to application code.\n\n### Proof of Concept\n\n**Send a chunked request with a forbidden trailer (`host`) to trigger the infinite loop:**\n\n```sh\nprintf \u0027POST / HTTP/1.1\\r\\nHost: localhost:8080\\r\\nTransfer-Encoding: chunked\\r\\nTrailer: host\\r\\n\\r\\n4\\r\\ntest\\r\\n0\\r\\nhost: evil.example.com\\r\\n\\r\\n\u0027 | nc -w 3 localhost 8080\n```\n\nThis will hang (no response) until the `nc` timeout. The server-side handler process is stuck forever.\n\n**Exhaust server resources with concurrent requests:**\n\n```sh\nfor i in $(seq 1 50); do\n printf \u0027POST / HTTP/1.1\\r\\nHost: localhost:8080\\r\\nTransfer-Encoding: chunked\\r\\nTrailer: host\\r\\n\\r\\n4\\r\\ntest\\r\\n0\\r\\nhost: evil.example.com\\r\\n\\r\\n\u0027 | nc -w 1 localhost 8080 \u0026\ndone\n```\n\nOpen the Erlang Observer (`observer:start()`) and sort the Processes tab by Reductions to see the stuck processes with continuously climbing reduction counts.\n\n### Vulnerable Code\n\nAll three `False`/`Error` branches in `handle_trailers` have the same bug:\n\n```gleam\n// ewe/internal/http1.gleam, lines 493\u2013531\nfn handle_trailers(\n req: Request(BitArray),\n set: Set(String),\n rest: Buffer,\n) -\u003e Request(BitArray) {\n case decoder.decode_packet(HttphBin, rest) {\n Ok(Packet(HttpEoh, _)) -\u003e req\n Ok(Packet(HttpHeader(idx, field, value), header_rest)) -\u003e {\n // ... field name parsing ...\n case field_name {\n Ok(field_name) -\u003e {\n case\n set.contains(set, field_name) \u0026\u0026 !is_forbidden_trailer(field_name)\n {\n True -\u003e {\n case bit_array.to_string(value) {\n Ok(value) -\u003e {\n request.set_header(req, field_name, value)\n |\u003e handle_trailers(set, Buffer(header_rest, 0)) // correct\n }\n Error(Nil) -\u003e handle_trailers(req, set, rest) // BUG: line 520\n }\n }\n False -\u003e handle_trailers(req, set, rest) // BUG: line 523\n }\n }\n Error(Nil) -\u003e handle_trailers(req, set, rest) // BUG: line 526\n }\n }\n _ -\u003e req\n }\n}\n```",
"id": "GHSA-4w98-xf39-23gp",
"modified": "2026-04-24T20:27:31Z",
"published": "2026-03-16T20:49:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vshakitskiy/ewe/security/advisories/GHSA-4w98-xf39-23gp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32873"
},
{
"type": "WEB",
"url": "https://github.com/vshakitskiy/ewe/commit/8513de9dcdd0005f727c0f6f15dd89f8d626f560"
},
{
"type": "WEB",
"url": "https://github.com/vshakitskiy/ewe/commit/d8b9b8a86470c0cb5696647997c2f34763506e37"
},
{
"type": "PACKAGE",
"url": "https://github.com/vshakitskiy/ewe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) in ewe"
}
GHSA-4XQJ-427Q-HF6Q
Vulnerability from github – Published: 2024-08-29 00:31 – Updated: 2025-11-04 00:31NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2024-8250"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-29T00:15:09Z",
"severity": "HIGH"
},
"details": "NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-4xqj-427q-hf6q",
"modified": "2025-11-04T00:31:19Z",
"published": "2024-08-29T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8250"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/19943"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2024-11.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5RR4-3F6Q-M7HP
Vulnerability from github – Published: 2025-11-18 21:32 – Updated: 2026-05-19 18:32A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
{
"affected": [],
"aliases": [
"CVE-2025-54771"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T19:15:49Z",
"severity": "MODERATE"
},
"details": "A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.",
"id": "GHSA-5rr4-3f6q-m7hp",
"modified": "2026-05-19T18:32:02Z",
"published": "2025-11-18T21:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54771"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-54771"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413823"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/grub-devel/2025-11/msg00155.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/11/18/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-64RH-H733-HQ6G
Vulnerability from github – Published: 2025-04-09 21:31 – Updated: 2025-04-09 21:31An Expired Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS).On all Junos OS and Junos OS Evolved platforms, when an MPLS Label-Switched Path (LSP) is configured with node-link-protection and transport-class, and an LSP flaps, rpd crashes and restarts. Continuous flapping of LSP can cause a sustained Denial of Service (DoS) condition.
This issue affects:
Junos OS:
-
All versions before 22.2R3-S4,
-
22.4 versions before 22.4R3-S2,
-
23.2 versions before 23.2R2,
-
23.4 versions before 23.4R2.
Junos OS Evolved:
-
All versions before 22.2R3-S4-EVO,
-
22.4-EVO versions before 22.4R3-S2-EVO,
-
23.2-EVO versions before 23.2R2-EVO,
-
23.4-EVO versions before 23.4R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2025-30653"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T20:15:29Z",
"severity": "MODERATE"
},
"details": "An Expired Pointer Dereference vulnerability in Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS).On all Junos OS and Junos OS Evolved platforms, when an MPLS Label-Switched Path (LSP) is configured with node-link-protection and transport-class, and an LSP flaps, rpd crashes and restarts. Continuous flapping of LSP can cause a sustained Denial of Service (DoS) condition.\n\nThis issue affects:\n\nJunos OS:\n\n\n\n * All versions before 22.2R3-S4,\n\n * 22.4 versions before 22.4R3-S2,\n\n * 23.2 versions before 23.2R2,\n\n * 23.4 versions before 23.4R2.\n\n\n\n\n\nJunos OS Evolved:\n\n\n\n * All versions before 22.2R3-S4-EVO,\n\n * 22.4-EVO versions before 22.4R3-S2-EVO,\n\n * 23.2-EVO versions before 23.2R2-EVO,\n\n * 23.4-EVO versions before 23.4R2-EVO.",
"id": "GHSA-64rh-h733-hq6g",
"modified": "2025-04-09T21:31:44Z",
"published": "2025-04-09T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30653"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA96463"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.