CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-C9M5-JXPX-3GVH
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-02-23 15:33ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c.
{
"affected": [],
"aliases": [
"CVE-2019-13309"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-05T01:15:00Z",
"severity": "MODERATE"
},
"details": "ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c.",
"id": "GHSA-c9m5-jxpx-3gvh",
"modified": "2023-02-23T15:33:06Z",
"published": "2022-05-24T16:49:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13309"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/1616"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/5f21230b657ccd65452dd3d94c5b5401ba691a2d"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4192-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4712"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9XC-697W-F6JM
Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2025-09-18 18:30In the Linux kernel, the following vulnerability has been resolved:
ice: Fix DMA mappings leak
Fix leak, when user changes ring parameters. During reallocation of RX buffers, new DMA mappings are created for those buffers. New buffers with different RX ring count should substitute older ones, but those buffers were freed in ice_vsi_cfg_rxq and reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused leak of already mapped DMA. Reallocate ZC with xdp_buf struct, when BPF program loads. Reallocate back to rx_buf, when BPF program unloads. If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XDP_SETUP_XSK_POOL handler.
Steps for reproduction: while : do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done
{
"affected": [],
"aliases": [
"CVE-2022-48690"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T18:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i\u003c=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone",
"id": "GHSA-c9xc-697w-f6jm",
"modified": "2025-09-18T18:30:21Z",
"published": "2024-05-03T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48690"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CC2X-2XG8-9RPF
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks.
The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation:
struct gssx_ctx rctxh = {
.exported_context_token.len = GSSX_max_output_handle_sz,
.mech.len = GSS_OID_MAX_LEN,
.src_name.display_name.len = GSSX_max_princ_sz,
.targ_name.display_name.len = GSSX_max_princ_sz
};
If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed.
Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error.
{
"affected": [],
"aliases": [
"CVE-2026-45870"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: auth_gss: fix memory leaks in XDR decoding error paths\n\nThe gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name()\nfunctions allocate memory via gssx_dec_buffer(), which calls\nkmemdup(). When a subsequent decode operation fails, these\nfunctions return immediately without freeing previously\nallocated buffers, causing memory leaks.\n\nThe leak in gssx_dec_ctx() is particularly relevant because\nthe caller (gssp_accept_sec_context_upcall) initializes several\nbuffer length fields to non-zero values, resulting in memory\nallocation:\n\n struct gssx_ctx rctxh = {\n .exported_context_token.len = GSSX_max_output_handle_sz,\n .mech.len = GSS_OID_MAX_LEN,\n .src_name.display_name.len = GSSX_max_princ_sz,\n .targ_name.display_name.len = GSSX_max_princ_sz\n };\n\nIf, for example, gssx_dec_name() succeeds for src_name but\nfails for targ_name, the memory allocated for\nexported_context_token, mech, and src_name.display_name\nremains unreferenced and cannot be reclaimed.\n\nAdd error handling with goto-based cleanup to free any\npreviously allocated buffers before returning an error.",
"id": "GHSA-cc2x-2xg8-9rpf",
"modified": "2026-06-25T21:31:19Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45870"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b56eb90feb8a3709417f5624f3871847d42bcb1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e6397b056335cc56ef0e9da36c95946a19f5118"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64303b92d94c0c7845a273acd8d84b796d6f1db7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4af3806846778799cd4ab0766dc18341e777264"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c81431b1b9fbd21e9a5a9211b5517b7295d18e6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/caf7eff432e91a9eba1c79fa545c2f54be15d62b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d79b9097a6a2b91471b40755f1225364be5d85ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df10f23defff22c8d55fe6db74f6e4ce927145bf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CC38-6Q22-J4RM
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-03-18 15:30In the Linux kernel, the following vulnerability has been resolved:
can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").
In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
{
"affected": [],
"aliases": [
"CVE-2026-23080"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -\u003e mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -\u003e mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv-\u003erx_submitted anchor.",
"id": "GHSA-cc38-6q22-j4rm",
"modified": "2026-03-18T15:30:39Z",
"published": "2026-02-04T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23080"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CC5X-4C4F-8GXF
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-11 09:30In the Linux kernel, the following vulnerability has been resolved:
net: ncsi: fix skb leak in error paths
Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed.
{
"affected": [],
"aliases": [
"CVE-2026-43373"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:48Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ncsi: fix skb leak in error paths\n\nEarly return paths in NCSI RX and AEN handlers fail to release\nthe received skb, resulting in a memory leak.\n\nSpecifically, ncsi_aen_handler() returns on invalid AEN packets\nwithout consuming the skb. Similarly, ncsi_rcv_rsp() exits early\nwhen failing to resolve the NCSI device, response handler, or\nrequest, leaving the skb unfreed.",
"id": "GHSA-cc5x-4c4f-8gxf",
"modified": "2026-05-11T09:30:30Z",
"published": "2026-05-08T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43373"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CC8F-64J2-HXM7
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-26 18:30In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix memory leak in compat_insnlist()
compat_insnlist() handles the 32-bit version of the COMEDI_INSNLIST
ioctl (whenwhen CONFIG_COMPAT is enabled). It allocates memory to
temporarily hold an array of struct comedi_insn converted from the
32-bit version in user space. This memory is only being freed if there
is a fault while filling the array, otherwise it is leaked.
Add a call to kfree() to fix the leak.
{
"affected": [],
"aliases": [
"CVE-2021-47364"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix memory leak in compat_insnlist()\n\n`compat_insnlist()` handles the 32-bit version of the `COMEDI_INSNLIST`\nioctl (whenwhen `CONFIG_COMPAT` is enabled). It allocates memory to\ntemporarily hold an array of `struct comedi_insn` converted from the\n32-bit version in user space. This memory is only being freed if there\nis a fault while filling the array, otherwise it is leaked.\n\nAdd a call to `kfree()` to fix the leak.",
"id": "GHSA-cc8f-64j2-hxm7",
"modified": "2024-12-26T18:30:33Z",
"published": "2024-05-21T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47364"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d6a21e4cd6a319b0662cbe4ad6199e276ac776a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bb509a6ffed2c8b0950f637ab5779aa818ed1596"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f217b6c1e28ed0b353634ce4d92a155b80bd1671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CCPJ-R729-PQCF
Vulnerability from github – Published: 2025-04-14 21:32 – Updated: 2025-04-14 21:32In the Linux kernel, the following vulnerability has been resolved:
amt: fix possible memory leak in amt_rcv()
If an amt receives packets and it finds socket. If it can't find a socket, it should free a received skb. But it doesn't. So, a memory leak would possibly occur.
{
"affected": [],
"aliases": [
"CVE-2022-49369"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\namt: fix possible memory leak in amt_rcv()\n\nIf an amt receives packets and it finds socket.\nIf it can\u0027t find a socket, it should free a received skb.\nBut it doesn\u0027t.\nSo, a memory leak would possibly occur.",
"id": "GHSA-ccpj-r729-pqcf",
"modified": "2025-04-14T21:32:22Z",
"published": "2025-04-14T21:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49369"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a1a0e80e005cbdc2c250fc858e1d8570f4e4acb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b8032d39b276c52db57ff834c300405b9da2691"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60d9c020c69977e138727b3577bc6a0458325e9c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CF3W-5GM7-WVP9
Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-15 21:31A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.
Memory usage can be monitored through the use of the 'show task memory detail' command. For example:
user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229
user@junos>
show task memory detail | match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307
This issue affects:
Junos OS:
- from 23.2 before 23.2R2,
- from 23.4 before 23.4R1-S2, 23.4R2,
- from 24.1 before 24.1R2;
Junos OS Evolved:
- from 23.2 before 23.2R2-EVO,
- from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,
- from 24.1 before 24.1R2-EVO.
This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.
{
"affected": [],
"aliases": [
"CVE-2026-21909"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T21:16:06Z",
"severity": "HIGH"
},
"details": "A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak.\u00a0Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.\n\nMemory usage can be monitored through the use of the \u0027show task memory detail\u0027 command. For example:\n\nuser@junos\u003e show task memory detail | match ted-infra\n\u00a0 TED-INFRA-COOKIE \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 25 \u00a0 1072 \u00a0 \u00a0 28 \u00a0 1184 \u00a0 \u00a0 229\n\n\n\nuser@junos\u003e \n\nshow task memory detail | match ted-infra\n\u00a0 TED-INFRA-COOKIE \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 31 \u00a0 1360 \u00a0 \u00a0 34 \u00a0 1472 \u00a0 \u00a0 307\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n * from 23.2 before 23.2R2,\u00a0\n * from 23.4 before 23.4R1-S2, 23.4R2,\u00a0\n * from 24.1 before 24.1R2;\u00a0\n\n\nJunos OS Evolved:\u00a0\n\n * from 23.2 before 23.2R2-EVO,\u00a0\n * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,\u00a0\n * from 24.1 before 24.1R2-EVO.\n\n\nThis issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.",
"id": "GHSA-cf3w-5gm7-wvp9",
"modified": "2026-01-15T21:31:48Z",
"published": "2026-01-15T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21909"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA106008"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA106008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-CFH4-9F7V-FHRC
Vulnerability from github – Published: 2025-08-25 15:53 – Updated: 2025-11-03 22:59Summary
In ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak.
Details
- Vulnerability Type: Memory leak
- Affected Version: ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)
Reproduction
Tested Environment
- Operating System: Ubuntu 22.04 LTS
- Architecture: x86_64
- Compiler: gcc with AddressSanitizer (gcc version: 11.4.0)
Reproduction Steps
# Clone source
git clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1
cd ImageMagick-7.1.1
# Build with ASan
CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" LDFLAGS="-fsanitize=address" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install
# Trigger crash
./utilities/magick stream %d%d a a
Output
$ magick stream %d%d a a
stream: no decode delegate for this image format `' @ error/constitute.c/ReadImage/746.
stream: missing an image filename `a' @ error/stream.c/StreamImageCommand/755.
=================================================================
==114==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 152 byte(s) in 1 object(s) allocated from:
#0 0x7fc4ebe58887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7fc4eb563c5c in AcquireMagickMemory MagickCore/memory.c:559
#2 0x7fc4eb563c82 in AcquireCriticalMemory MagickCore/memory.c:635
#3 0x7fc4eb60c2be in AcquireQuantumInfo MagickCore/quantum.c:119
#4 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335
#5 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292
#6 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177
#7 0x55a34f7c0a0c in MagickMain utilities/magick.c:153
#8 0x55a34f7c0cba in main utilities/magick.c:184
#9 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Indirect leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7fc4ebe5957c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x7fc4eb680e2f in AcquireSemaphoreMemory MagickCore/semaphore.c:154
#2 0x7fc4eb680f30 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
#3 0x7fc4eb60d38d in GetQuantumInfo MagickCore/quantum.c:435
#4 0x7fc4eb60c30e in AcquireQuantumInfo MagickCore/quantum.c:121
#5 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335
#6 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292
#7 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177
#8 0x55a34f7c0a0c in MagickMain utilities/magick.c:153
#9 0x55a34f7c0cba in main utilities/magick.c:184
#10 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 216 byte(s) leaked in 2 allocation(s).
Commits
Fixed in https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c and https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53019"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-401",
"CWE-404"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T15:53:57Z",
"nvd_published_at": "2025-07-14T20:15:29Z",
"severity": "LOW"
},
"details": "## Summary\n\nIn ImageMagick\u0027s `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak.\n\n## Details\n\n- **Vulnerability Type:** Memory leak\n- **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)\n\n## Reproduction\n\n### Tested Environment\n\n- **Operating System:** Ubuntu 22.04 LTS\n- **Architecture:** x86_64\n- **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0)\n\n### Reproduction Steps\n\n```bash\n# Clone source\ngit clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1\ncd ImageMagick-7.1.1\n\n# Build with ASan\nCFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" CXXFLAGS=\"$CFLAGS\" LDFLAGS=\"-fsanitize=address\" ./configure --enable-maintainer-mode --enable-shared \u0026\u0026 make -j$(nproc) \u0026\u0026 make install\n\n# Trigger crash\n./utilities/magick stream %d%d a a\n```\n\n### Output\n```\n$ magick stream %d%d a a\nstream: no decode delegate for this image format `\u0027 @ error/constitute.c/ReadImage/746.\nstream: missing an image filename `a\u0027 @ error/stream.c/StreamImageCommand/755.\n\n=================================================================\n==114==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 152 byte(s) in 1 object(s) allocated from:\n #0 0x7fc4ebe58887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145\n #1 0x7fc4eb563c5c in AcquireMagickMemory MagickCore/memory.c:559\n #2 0x7fc4eb563c82 in AcquireCriticalMemory MagickCore/memory.c:635\n #3 0x7fc4eb60c2be in AcquireQuantumInfo MagickCore/quantum.c:119\n #4 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335\n #5 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292\n #6 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177\n #7 0x55a34f7c0a0c in MagickMain utilities/magick.c:153\n #8 0x55a34f7c0cba in main utilities/magick.c:184\n #9 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nIndirect leak of 64 byte(s) in 1 object(s) allocated from:\n #0 0x7fc4ebe5957c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226\n #1 0x7fc4eb680e2f in AcquireSemaphoreMemory MagickCore/semaphore.c:154\n #2 0x7fc4eb680f30 in AcquireSemaphoreInfo MagickCore/semaphore.c:200\n #3 0x7fc4eb60d38d in GetQuantumInfo MagickCore/quantum.c:435\n #4 0x7fc4eb60c30e in AcquireQuantumInfo MagickCore/quantum.c:121\n #5 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335\n #6 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292\n #7 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177\n #8 0x55a34f7c0a0c in MagickMain utilities/magick.c:153\n #9 0x55a34f7c0cba in main utilities/magick.c:184\n #10 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nSUMMARY: AddressSanitizer: 216 byte(s) leaked in 2 allocation(s).\n```\n\n### Commits\nFixed in https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c and https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b",
"id": "GHSA-cfh4-9f7v-fhrc",
"modified": "2025-11-03T22:59:45Z",
"published": "2025-08-25T15:53:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53019"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has a Memory Leak in magick stream"
}
GHSA-CFR8-F5Q7-84WQ
Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-31 18:31A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.
This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
{
"affected": [],
"aliases": [
"CVE-2026-21714"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T20:16:19Z",
"severity": "MODERATE"
},
"details": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\n\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
"id": "GHSA-cfr8-f5q7-84wq",
"modified": "2026-03-31T18:31:30Z",
"published": "2026-03-30T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21714"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.