Common Weakness Enumeration

CWE-825

Allowed

Expired Pointer Dereference

Abstraction: Base · Status: Incomplete

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

105 vulnerabilities reference this CWE, most recent first.

GHSA-M237-4JXG-W5JH

Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ipc: limit next_id allocation to the valid ID range

The checkpoint/restore sysctl path can request the next SysV IPC id through ids->next_id. ipc_idr_alloc() currently forwards that request to idr_alloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can spill beyond ipc_mni. The returned SysV IPC id still uses the normal index encoding, so later lookup and removal can target the wrong slot. This leaves the real IDR entry behind and breaks the IDR state for the object.

The bug is in ipc_idr_alloc() in the checkpoint/restore path.

  1. ids->next_id is passed to:

    idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)

  2. The zero upper bound makes the allocation effectively open-ended. Once the valid SysV IPC tail is occupied, idr_alloc() can spill past ipc_mni and allocate an entry beyond the valid IPC id range.

  3. The new object id is still encoded with the narrower SysV IPC index width:

    new->id = (new->seq << ipcmni_seq_shift()) + idx

  4. Later removal goes through ipc_rmid(), which uses:

    ipcid_to_idx(ipcp->id)

That truncates the real IDR index. An object actually stored at a high index can then be removed as if it lived at a low in-range index.

  1. For shared memory, shm_destroy() frees the current object anyway, but the real high IDR slot is left behind as a dangling pointer.

  2. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry and dereferences freed memory.

Prevent this by bounding the requested allocation to ipc_mni so the checkpoint/restore path fails once the valid range is exhausted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T08:16:22Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: limit next_id allocation to the valid ID range\n\nThe checkpoint/restore sysctl path can request the next SysV IPC id\nthrough ids-\u003enext_id.  ipc_idr_alloc() currently forwards that request to\nidr_alloc() with an open-ended upper bound.\n\nIf the valid tail of the SysV IPC id space is full, the allocation can\nspill beyond ipc_mni.  The returned SysV IPC id still uses the normal\nindex encoding, so later lookup and removal can target the wrong slot. \nThis leaves the real IDR entry behind and breaks the IDR state for the\nobject.\n\nThe bug is in ipc_idr_alloc() in the checkpoint/restore path.\n\n1. ids-\u003enext_id is passed to:\n\n       idr_alloc(\u0026ids-\u003eipcs_idr, new, ipcid_to_idx(next_id), 0, ...)\n\n2. The zero upper bound makes the allocation effectively open-ended.\n   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past\n   ipc_mni and allocate an entry beyond the valid IPC id range.\n\n3. The new object id is still encoded with the narrower SysV IPC index\n   width:\n\n       new-\u003eid = (new-\u003eseq \u003c\u003c ipcmni_seq_shift()) + idx\n\n4. Later removal goes through ipc_rmid(), which uses:\n\n       ipcid_to_idx(ipcp-\u003eid)\n\n   That truncates the real IDR index. An object actually stored at a\n   high index can then be removed as if it lived at a low in-range\n   index.\n\n5. For shared memory, shm_destroy() frees the current object anyway, but\n   the real high IDR slot is left behind as a dangling pointer.\n\n6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry\n   and dereferences freed memory.\n\nPrevent this by bounding the requested allocation to ipc_mni so the\ncheckpoint/restore path fails once the valid range is exhausted.",
  "id": "GHSA-m237-4jxg-w5jh",
  "modified": "2026-06-30T03:37:10Z",
  "published": "2026-06-24T09:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52923"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52923"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492094"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/157ce2c6836ce0ff19108a819f38df061345425f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bbe2bb9111ce6967a951bfac79af142d816fae5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/41058d4c3f63ab64901560a704882e0565f4e456"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c58a92849175f5e2ab7bc2734b3b89afe79f6ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3cc795129e5ec0f8948653a3bf471e7d8852f5e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af24e202b543ded8a34f1d5d3db54eb916173f04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd4be70669af55b974860d13680348cfdf50bbed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52923.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M4M5-7XC2-XC7G

Vulnerability from github – Published: 2026-06-16 03:30 – Updated: 2026-07-15 15:32
VLAI
Details

A flaw was found in GnuTLS. The gnutls_pkcs11_token_set_pin function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T02:16:19Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.",
  "id": "GHSA-m4m5-7xc2-xc7g",
  "modified": "2026-07-15T15:32:43Z",
  "published": "2026-06-16T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42014"
    },
    {
      "type": "WEB",
      "url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-9"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gnutls/gnutls/-/issues/1766"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467451"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42014"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:33125"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:32962"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30850"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30849"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30004"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:29197"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26409"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26319"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:20613"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:20612"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:20611"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:13274"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MC22-5Q92-8V85

Vulnerability from github – Published: 2021-09-20 19:52 – Updated: 2021-09-17 17:50
VLAI
Summary
Memory Safety Issue when using patch or merge on state and assign the result back to state
Details

Impact

This vulnerability is a memory safety Issue when using patch or merge on state and assign the result back to state. In this case affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the state, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct.

Details

If affects the following two tremor-script language constructs:

  • A Merge where we assign the result back to the target expression and the expression to be merged needs to reference the event:
let state = merge state of event end;
  • A Patch where we assign the result back to the target expression and the patch operations used need to reference the event:
let state = patch state of insert event.key => event.value end;

For constructs like this (it does not matter what it references in the expression to be merged or the patch operations) an optimization was applied to manipulate the target value in-place, instead of cloning it.

Our Value struct, which underpins all event data in tremor-script, is representing strings as borrowed beef::Cow<'lifetime, str>, that reference the raw data Vec<u8> the event is based upon. We keep this raw byte-array next to the Value structure inside our Event as a self-referential struct, so we make sure that the structured Value and its references are valid across its whole lifetime.

The optimization was considered safe as long as it was only possible to merge or patch event data or static data. When state was introduced to tremor-script (in version 0.7.3) a new possibility to keep Value data around for longer than the lifetime of an event emerged. If event data is merged or patched into state without cloning it first, it can still reference keys or values from the previous event, which will now be invalid. This allows access to those already freed regions of memory and to get their content out over the wire.

Patches

The issue has been patched in https://crates.io/crates/tremor-script/0.11.6 and https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6 via commit 1a2efcd by removing the optimization and always clone the target expression of a Merge or [Patch](https://www.tremor.rs/docs/tremor-script/index#patch.

Workarounds

If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to state:

let tmp = merge state of event end;
let state = tmp

References

The actual fix is applied in this PR: https://github.com/tremor-rs/tremor-runtime/pull/1217

For more information

If you have any questions or comments about this advisory: * Open an issue on our repository tremor-rs/tremor-runtime * Please join our discord https://chat.tremor.rs and reach out to the team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tremor-script"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.3"
            },
            {
              "fixed": "0.11.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-17T17:50:18Z",
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "\n### Impact\n\nThis vulnerability is a memory safety Issue when using [`patch`](https://www.tremor.rs/docs/tremor-script/index#patch) or [`merge`](https://www.tremor.rs/docs/tremor-script/index#merge) on `state` and assign the result back to `state`.\nIn this case affected versions of Tremor and the [tremor-script crate](https://crates.io/crates/tremor-script) maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct.\n\n#### Details\n\nIf affects the following two tremor-script language constructs:\n\n* A [Merge](https://www.tremor.rs/docs/tremor-script/index#merge) where we assign the result back to the target expression\n  and the expression to be merged needs to reference the `event`:\n\n```\nlet state = merge state of event end;\n```\n\n* A [Patch](https://www.tremor.rs/docs/tremor-script/index#patch) where we assign the result back to the target expression\n  and the patch operations used need to reference the `event`:\n\n```\nlet state = patch state of insert event.key =\u003e event.value end;\n```\n\nFor constructs like this (it does not matter what it references in the expression to be merged or the patch operations) an optimization\nwas applied to manipulate the target value in-place, instead of cloning it.\n\nOur `Value` struct, which underpins all event data in `tremor-script`, is representing strings as borrowed `beef::Cow\u003c\u0027lifetime, str\u003e`, \nthat reference the raw data `Vec\u003cu8\u003e` the event is based upon. We keep this raw byte-array next to the `Value` structure inside our `Event` as a self-referential struct,\nso we make sure that the structured `Value` and its references are valid across its whole lifetime.\n\nThe optimization was considered safe as long as it was only possible to merge or patch `event` data or static data.\nWhen `state` was introduced to `tremor-script` (in version 0.7.3) a new possibility to keep `Value` data around for longer than the lifetime of an event emerged.\nIf `event` data is merged or patched into `state` without cloning it first, it can still reference keys or values from\nthe previous event, which will now be invalid. This allows access to those already freed regions of memory and to get their content out over the wire.\n\n### Patches\n\nThe issue has been patched in https://crates.io/crates/tremor-script/0.11.6 and https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6 via commit [1a2efcd](https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e) by removing the optimization\nand always clone the target expression of a [Merge](https://www.tremor.rs/docs/tremor-script/index#merge) or [Patch](https://www.tremor.rs/docs/tremor-script/index#patch.\n\n### Workarounds\n\nIf an upgrade is not possible, a possible workaround is to avoid the optimization\nby introducing a temporary variable and not immediately reassigning to `state`:\n\n```\nlet tmp = merge state of event end;\nlet state = tmp\n```\n\n### References\n\nThe actual fix is applied in this PR: https://github.com/tremor-rs/tremor-runtime/pull/1217\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue on our repository [tremor-rs/tremor-runtime](https://github.com/tremor-rs/tremor-runtime)\n* Please join our discord https://chat.tremor.rs and reach out to the team.\n\n",
  "id": "GHSA-mc22-5q92-8v85",
  "modified": "2021-09-17T17:50:18Z",
  "published": "2021-09-20T19:52:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tremor-rs/tremor-runtime/security/advisories/GHSA-mc22-5q92-8v85"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tremor-rs/tremor-runtime/pull/1217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tremor-rs/tremor-runtime/commit/1a2efcdbe68e5e7fd0a05836ac32d2cde78a0b2e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tremor-rs/tremor-runtime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tremor-rs/tremor-runtime/releases/tag/v0.11.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Memory Safety Issue when using patch or merge on state and assign the result back to state"
}

GHSA-MJCM-HF7X-HM3W

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-03 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix potential UAF after skb_unshare() failure

If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops.

Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided.

And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:17Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix potential UAF after skb_unshare() failure\n\nIf skb_unshare() fails to unshare a packet due to allocation failure in\nrxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread())\nwill be NULL\u0027d out.  This will likely cause the call to\ntrace_rxrpc_rx_done() to oops.\n\nFix this by moving the unsharing down to where rxrpc_input_call_event()\ncalls rxrpc_input_call_packet().  There are a number of places prior to\nthat where we ignore DATA packets for a variety of reasons (such as the\ncall already being complete) for which an unshare is then avoided.\n\nAnd with that, rxrpc_input_packet() doesn\u0027t need to take a pointer to the\npointer to the packet, so change that to just a pointer.",
  "id": "GHSA-mjcm-hf7x-hm3w",
  "modified": "2026-07-03T15:31:53Z",
  "published": "2026-05-27T15:33:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45998"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:34911"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45998"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482024"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45998.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MMVQ-H6G9-8H39

Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35
VLAI
Details

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, and Firefox ESR < 140.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T13:16:07Z",
    "severity": "CRITICAL"
  },
  "details": "Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 149, Firefox ESR \u003c 115.34, and Firefox ESR \u003c 140.9.",
  "id": "GHSA-mmvq-h6g9-8h39",
  "modified": "2026-06-30T03:35:59Z",
  "published": "2026-03-24T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4721"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5930"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8287"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8288"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8289"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8290"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8315"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8427"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8850"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4721"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=2013762%2C2015291%2C2016591%2C2016661%2C2016664%2C2017303%2C2017894%2C2018090%2C2018196%2C2018379%2C2019112%2C2022090%2C2022243%2C2022351%2C2022478%2C2022676"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450711"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4721.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-21"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5931"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5932"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6342"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6917"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7837"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7838"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7839"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7840"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7841"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7842"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7843"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7845"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7858"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8284"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8285"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8286"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MP35-P2HC-V59Q

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/dma-buf: fix UAF with retry loop

Retry doesn't work here, since bo will be freed on error, leading to UAF. However, now that we do the alloc & init before the attach, we can now combine this as one unit and have the init do the alloc for us. This should make the retry safe.

Reported by Sashiko.

v2: Fix up the error unwind (CI)

(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:05Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/dma-buf: fix UAF with retry loop\n\nRetry doesn\u0027t work here, since bo will be freed on error, leading to\nUAF. However, now that we do the alloc \u0026 init before the attach, we can\nnow combine this as one unit and have the init do the alloc for us. This\nshould make the retry safe.\n\nReported by Sashiko.\n\nv2: Fix up the error unwind (CI)\n\n(cherry picked from commit 479669418253e0f27f8cf5db01a731352ea592e7)",
  "id": "GHSA-mp35-p2hc-v59q",
  "modified": "2026-06-30T03:37:11Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52950"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-52950"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492318"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/155a372a1cc50fa93387c5d3cdfd614a61e1afd1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/39fdac6be02eb7c3460518c1c4085f75f935c4ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/827062952ed9bdf4220466c1f05ce452d04bdedf"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52950.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWCC-7VPP-XMV9

Vulnerability from github – Published: 2025-11-19 00:31 – Updated: 2026-03-24 14:41
VLAI
Summary
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
Details

A mongoc_bulk_operation_t may read invalid memory if large options are passed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mongodb/mongodb-extension"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-12119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-825"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-19T18:54:37Z",
    "nvd_published_at": "2025-11-18T22:15:45Z",
    "severity": "MODERATE"
  },
  "details": "A mongoc_bulk_operation_t may read invalid memory if large options are passed.",
  "id": "GHSA-mwcc-7vpp-xmv9",
  "modified": "2026-03-24T14:41:29Z",
  "published": "2025-11-19T00:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12119"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-c-driver/commit/775998df7c67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-php-driver/commit/fa5b43366407bc0e5b0a919ed374decd9022b2f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-c-driver/releases/tag/1.30.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-c-driver/releases/tag/2.1.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mongodb/mongo-php-driver"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-php-driver/releases/tag/1.21.2"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/PHPC-2637"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MongoDB driver extension affected by mongoc_bulk_operation_t\u0027s read of invalid memory"
}

GHSA-PG25-7CX5-CVCM

Vulnerability from github – Published: 2026-04-13 18:30 – Updated: 2026-06-30 03:36
VLAI
Details

Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.

The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-13T18:16:31Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
  "id": "GHSA-pg25-7cx5-cvcm",
  "modified": "2026-06-30T03:36:16Z",
  "published": "2026-04-13T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6100"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/148395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/148396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30087"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30078"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25096"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21682"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:21275"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19590"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19576"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19571"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10117"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30089"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8822"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8824"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:9228"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6100"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6100.json"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10140"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10141"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10711"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10745"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10774"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10949"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10950"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:11062"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:11077"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:11768"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:13692"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:13812"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:14652"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:14653"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:14656"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:16699"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:17525"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:17619"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19019"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19064"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19175"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19176"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19177"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19216"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19549"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:19570"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/13/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PHWJ-RPRQ-35PP

Vulnerability from github – Published: 2026-06-19 16:37 – Updated: 2026-06-19 16:37
VLAI
Summary
Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`
Details

Summary

Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault.

Nokogiri 1.19.4 preserves any already-wrapped attribute child nodes before replacing the attribute value.

JRuby is not affected.

Severity

The Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must directly access an attribute's child node and then replace that same attribute's value via Attr#value= or #content=. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. Already-wrapped attribute child nodes are preserved before the value is replaced.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

As a workaround, avoid accessing attribute child nodes directly via Attr#child or similar before mutating the same attribute’s value.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.19.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T16:37:46Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nNokogiri\u2019s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, `Nokogiri::XML::Attr#value=` could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault.\n\nNokogiri 1.19.4 preserves any already-wrapped attribute child nodes before replacing the attribute value.\n\nJRuby is not affected.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must directly access an attribute\u0027s child node and then replace that same attribute\u0027s value via `Attr#value=` or `#content=`. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. Already-wrapped attribute child nodes are preserved before the value is replaced.\n\n### Mitigation\n\nUpgrade to Nokogiri 1.19.4 or later.\n\nAs a workaround, avoid accessing attribute child nodes directly via `Attr#child` or similar before mutating the same attribute\u2019s value.\n\n### Credit\n\nThis issue was responsibly reported by Zheng Yu from depthfirst.com.",
  "id": "GHSA-phwj-rprq-35pp",
  "modified": "2026-06-19T16:37:46Z",
  "published": "2026-06-19T16:37:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`"
}

GHSA-PP4W-C8M6-4XVF

Vulnerability from github – Published: 2026-06-15 18:31 – Updated: 2026-06-30 03:37
VLAI
Details

A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-825"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T18:16:36Z",
    "severity": "MODERATE"
  },
  "details": "A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.",
  "id": "GHSA-pp4w-c8m6-4xvf",
  "modified": "2026-06-30T03:37:04Z",
  "published": "2026-06-15T18:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6040"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6040"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488966"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6040.json"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6040"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.