Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-C9M5-JXPX-3GVH

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-02-23 15:33
VLAI
Details

ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-05T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c.",
  "id": "GHSA-c9m5-jxpx-3gvh",
  "modified": "2023-02-23T15:33:06Z",
  "published": "2022-05-24T16:49:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/1616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/5f21230b657ccd65452dd3d94c5b5401ba691a2d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick6/commit/5982632109cad48bc6dab867298fdea4dea57c51"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4192-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4712"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9XC-697W-F6JM

Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2025-09-18 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix DMA mappings leak

Fix leak, when user changes ring parameters. During reallocation of RX buffers, new DMA mappings are created for those buffers. New buffers with different RX ring count should substitute older ones, but those buffers were freed in ice_vsi_cfg_rxq and reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused leak of already mapped DMA. Reallocate ZC with xdp_buf struct, when BPF program loads. Reallocate back to rx_buf, when BPF program unloads. If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XDP_SETUP_XSK_POOL handler.

Steps for reproduction: while : do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i\u003c=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone",
  "id": "GHSA-c9xc-697w-f6jm",
  "modified": "2025-09-18T18:30:21Z",
  "published": "2024-05-03T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48690"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC2X-2XG8-9RPF

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths

The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks.

The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation:

struct gssx_ctx rctxh = {
    .exported_context_token.len = GSSX_max_output_handle_sz,
    .mech.len = GSS_OID_MAX_LEN,
    .src_name.display_name.len = GSSX_max_princ_sz,
    .targ_name.display_name.len = GSSX_max_princ_sz
};

If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed.

Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:00Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: auth_gss: fix memory leaks in XDR decoding error paths\n\nThe gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name()\nfunctions allocate memory via gssx_dec_buffer(), which calls\nkmemdup(). When a subsequent decode operation fails, these\nfunctions return immediately without freeing previously\nallocated buffers, causing memory leaks.\n\nThe leak in gssx_dec_ctx() is particularly relevant because\nthe caller (gssp_accept_sec_context_upcall) initializes several\nbuffer length fields to non-zero values, resulting in memory\nallocation:\n\n    struct gssx_ctx rctxh = {\n        .exported_context_token.len = GSSX_max_output_handle_sz,\n        .mech.len = GSS_OID_MAX_LEN,\n        .src_name.display_name.len = GSSX_max_princ_sz,\n        .targ_name.display_name.len = GSSX_max_princ_sz\n    };\n\nIf, for example, gssx_dec_name() succeeds for src_name but\nfails for targ_name, the memory allocated for\nexported_context_token, mech, and src_name.display_name\nremains unreferenced and cannot be reclaimed.\n\nAdd error handling with goto-based cleanup to free any\npreviously allocated buffers before returning an error.",
  "id": "GHSA-cc2x-2xg8-9rpf",
  "modified": "2026-06-25T21:31:19Z",
  "published": "2026-05-27T15:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45870"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b56eb90feb8a3709417f5624f3871847d42bcb1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e6397b056335cc56ef0e9da36c95946a19f5118"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64303b92d94c0c7845a273acd8d84b796d6f1db7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4af3806846778799cd4ab0766dc18341e777264"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c81431b1b9fbd21e9a5a9211b5517b7295d18e6a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/caf7eff432e91a9eba1c79fa545c2f54be15d62b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d79b9097a6a2b91471b40755f1225364be5d85ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df10f23defff22c8d55fe6db74f6e4ce927145bf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC38-6Q22-J4RM

Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-03-18 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak

Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak").

In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted).

However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs().

Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23080"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-04T17:16:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak\n\nFix similar memory leak as in commit 7352e1d5932a (\"can: gs_usb:\ngs_usb_receive_bulk_callback(): fix URB memory leak\").\n\nIn mcba_usb_probe() -\u003e mcba_usb_start(), the URBs for USB-in transfers are\nallocated, added to the priv-\u003erx_submitted anchor and submitted. In the\ncomplete callback mcba_usb_read_bulk_callback(), the URBs are processed and\nresubmitted. In mcba_usb_close() -\u003e mcba_urb_unlink() the URBs are freed by\ncalling usb_kill_anchored_urbs(\u0026priv-\u003erx_submitted).\n\nHowever, this does not take into account that the USB framework unanchors\nthe URB before the complete function is called. This means that once an\nin-URB has been completed, it is no longer anchored and is ultimately not\nreleased in usb_kill_anchored_urbs().\n\nFix the memory leak by anchoring the URB in the\nmcba_usb_read_bulk_callback()to the priv-\u003erx_submitted anchor.",
  "id": "GHSA-cc38-6q22-j4rm",
  "modified": "2026-03-18T15:30:39Z",
  "published": "2026-02-04T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23080"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC5X-4C4F-8GXF

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-11 09:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ncsi: fix skb leak in error paths

Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak.

Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:48Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ncsi: fix skb leak in error paths\n\nEarly return paths in NCSI RX and AEN handlers fail to release\nthe received skb, resulting in a memory leak.\n\nSpecifically, ncsi_aen_handler() returns on invalid AEN packets\nwithout consuming the skb. Similarly, ncsi_rcv_rsp() exits early\nwhen failing to resolve the NCSI device, response handler, or\nrequest, leaving the skb unfreed.",
  "id": "GHSA-cc5x-4c4f-8gxf",
  "modified": "2026-05-11T09:30:30Z",
  "published": "2026-05-08T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43373"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC8F-64J2-HXM7

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-26 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

comedi: Fix memory leak in compat_insnlist()

compat_insnlist() handles the 32-bit version of the COMEDI_INSNLIST ioctl (whenwhen CONFIG_COMPAT is enabled). It allocates memory to temporarily hold an array of struct comedi_insn converted from the 32-bit version in user space. This memory is only being freed if there is a fault while filling the array, otherwise it is leaked.

Add a call to kfree() to fix the leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:22Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix memory leak in compat_insnlist()\n\n`compat_insnlist()` handles the 32-bit version of the `COMEDI_INSNLIST`\nioctl (whenwhen `CONFIG_COMPAT` is enabled).  It allocates memory to\ntemporarily hold an array of `struct comedi_insn` converted from the\n32-bit version in user space.  This memory is only being freed if there\nis a fault while filling the array, otherwise it is leaked.\n\nAdd a call to `kfree()` to fix the leak.",
  "id": "GHSA-cc8f-64j2-hxm7",
  "modified": "2024-12-26T18:30:33Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47364"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d6a21e4cd6a319b0662cbe4ad6199e276ac776a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bb509a6ffed2c8b0950f637ab5779aa818ed1596"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f217b6c1e28ed0b353634ce4d92a155b80bd1671"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CCPJ-R729-PQCF

Vulnerability from github – Published: 2025-04-14 21:32 – Updated: 2025-04-14 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

amt: fix possible memory leak in amt_rcv()

If an amt receives packets and it finds socket. If it can't find a socket, it should free a received skb. But it doesn't. So, a memory leak would possibly occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\namt: fix possible memory leak in amt_rcv()\n\nIf an amt receives packets and it finds socket.\nIf it can\u0027t find a socket, it should free a received skb.\nBut it doesn\u0027t.\nSo, a memory leak would possibly occur.",
  "id": "GHSA-ccpj-r729-pqcf",
  "modified": "2025-04-14T21:32:22Z",
  "published": "2025-04-14T21:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49369"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a1a0e80e005cbdc2c250fc858e1d8570f4e4acb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b8032d39b276c52db57ff834c300405b9da2691"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60d9c020c69977e138727b3577bc6a0458325e9c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CF3W-5GM7-WVP9

Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-15 21:31
VLAI
Details

A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.

Memory usage can be monitored through the use of the 'show task memory detail' command. For example:

user@junos> show task memory detail | match ted-infra   TED-INFRA-COOKIE           25   1072     28   1184     229

user@junos>

show task memory detail | match ted-infra   TED-INFRA-COOKIE           31   1360     34   1472     307

This issue affects:

Junos OS: 

  • from 23.2 before 23.2R2, 
  • from 23.4 before 23.4R1-S2, 23.4R2, 
  • from 24.1 before 24.1R2; 

Junos OS Evolved: 

  • from 23.2 before 23.2R2-EVO, 
  • from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, 
  • from 24.1 before 24.1R2-EVO.

This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-15T21:16:06Z",
    "severity": "HIGH"
  },
  "details": "A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak.\u00a0Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.\n\nMemory usage can be monitored through the use of the \u0027show task memory detail\u0027 command. For example:\n\nuser@junos\u003e show task memory detail | match ted-infra\n\u00a0 TED-INFRA-COOKIE  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0  25  \u00a0  1072  \u00a0 \u00a0  28  \u00a0  1184  \u00a0 \u00a0  229\n\n\n\nuser@junos\u003e \n\nshow task memory detail | match ted-infra\n\u00a0 TED-INFRA-COOKIE  \u00a0 \u00a0 \u00a0 \u00a0 \u00a0  31  \u00a0  1360  \u00a0 \u00a0  34  \u00a0  1472  \u00a0 \u00a0  307\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n  *  from 23.2 before 23.2R2,\u00a0\n  *  from 23.4 before 23.4R1-S2, 23.4R2,\u00a0\n  *  from 24.1 before 24.1R2;\u00a0\n\n\nJunos OS Evolved:\u00a0\n\n  *  from 23.2 before 23.2R2-EVO,\u00a0\n  *  from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,\u00a0\n  *  from 24.1 before 24.1R2-EVO.\n\n\nThis issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.",
  "id": "GHSA-cf3w-5gm7-wvp9",
  "modified": "2026-01-15T21:31:48Z",
  "published": "2026-01-15T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21909"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA106008"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA106008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CFH4-9F7V-FHRC

Vulnerability from github – Published: 2025-08-25 15:53 – Updated: 2025-11-03 22:59
VLAI
Summary
ImageMagick has a Memory Leak in magick stream
Details

Summary

In ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak.

Details

  • Vulnerability Type: Memory leak
  • Affected Version: ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)

Reproduction

Tested Environment

  • Operating System: Ubuntu 22.04 LTS
  • Architecture: x86_64
  • Compiler: gcc with AddressSanitizer (gcc version: 11.4.0)

Reproduction Steps

# Clone source
git clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1
cd ImageMagick-7.1.1

# Build with ASan
CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" LDFLAGS="-fsanitize=address" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install

# Trigger crash
./utilities/magick stream %d%d a a

Output

$ magick stream %d%d a a
stream: no decode delegate for this image format `' @ error/constitute.c/ReadImage/746.
stream: missing an image filename `a' @ error/stream.c/StreamImageCommand/755.

=================================================================
==114==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 152 byte(s) in 1 object(s) allocated from:
    #0 0x7fc4ebe58887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fc4eb563c5c in AcquireMagickMemory MagickCore/memory.c:559
    #2 0x7fc4eb563c82 in AcquireCriticalMemory MagickCore/memory.c:635
    #3 0x7fc4eb60c2be in AcquireQuantumInfo MagickCore/quantum.c:119
    #4 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335
    #5 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292
    #6 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177
    #7 0x55a34f7c0a0c in MagickMain utilities/magick.c:153
    #8 0x55a34f7c0cba in main utilities/magick.c:184
    #9 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Indirect leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7fc4ebe5957c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
    #1 0x7fc4eb680e2f in AcquireSemaphoreMemory MagickCore/semaphore.c:154
    #2 0x7fc4eb680f30 in AcquireSemaphoreInfo MagickCore/semaphore.c:200
    #3 0x7fc4eb60d38d in GetQuantumInfo MagickCore/quantum.c:435
    #4 0x7fc4eb60c30e in AcquireQuantumInfo MagickCore/quantum.c:121
    #5 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335
    #6 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292
    #7 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177
    #8 0x55a34f7c0a0c in MagickMain utilities/magick.c:153
    #9 0x55a34f7c0cba in main utilities/magick.c:184
    #10 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: 216 byte(s) leaked in 2 allocation(s).

Commits

Fixed in https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c and https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-401",
      "CWE-404"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-25T15:53:57Z",
    "nvd_published_at": "2025-07-14T20:15:29Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nIn ImageMagick\u0027s `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak.\n\n## Details\n\n- **Vulnerability Type:** Memory leak\n- **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025)\n\n## Reproduction\n\n### Tested Environment\n\n- **Operating System:** Ubuntu 22.04 LTS\n- **Architecture:** x86_64\n- **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0)\n\n### Reproduction Steps\n\n```bash\n# Clone source\ngit clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1\ncd ImageMagick-7.1.1\n\n# Build with ASan\nCFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" CXXFLAGS=\"$CFLAGS\" LDFLAGS=\"-fsanitize=address\" ./configure --enable-maintainer-mode --enable-shared \u0026\u0026 make -j$(nproc) \u0026\u0026 make install\n\n# Trigger crash\n./utilities/magick stream %d%d a a\n```\n\n### Output\n```\n$ magick stream %d%d a a\nstream: no decode delegate for this image format `\u0027 @ error/constitute.c/ReadImage/746.\nstream: missing an image filename `a\u0027 @ error/stream.c/StreamImageCommand/755.\n\n=================================================================\n==114==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 152 byte(s) in 1 object(s) allocated from:\n    #0 0x7fc4ebe58887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145\n    #1 0x7fc4eb563c5c in AcquireMagickMemory MagickCore/memory.c:559\n    #2 0x7fc4eb563c82 in AcquireCriticalMemory MagickCore/memory.c:635\n    #3 0x7fc4eb60c2be in AcquireQuantumInfo MagickCore/quantum.c:119\n    #4 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335\n    #5 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292\n    #6 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177\n    #7 0x55a34f7c0a0c in MagickMain utilities/magick.c:153\n    #8 0x55a34f7c0cba in main utilities/magick.c:184\n    #9 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nIndirect leak of 64 byte(s) in 1 object(s) allocated from:\n    #0 0x7fc4ebe5957c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226\n    #1 0x7fc4eb680e2f in AcquireSemaphoreMemory MagickCore/semaphore.c:154\n    #2 0x7fc4eb680f30 in AcquireSemaphoreInfo MagickCore/semaphore.c:200\n    #3 0x7fc4eb60d38d in GetQuantumInfo MagickCore/quantum.c:435\n    #4 0x7fc4eb60c30e in AcquireQuantumInfo MagickCore/quantum.c:121\n    #5 0x7fc4eb6b6621 in StreamImage MagickCore/stream.c:1335\n    #6 0x7fc4eb09d889 in StreamImageCommand MagickWand/stream.c:292\n    #7 0x7fc4eaf1295d in MagickCommandGenesis MagickWand/magick-cli.c:177\n    #8 0x55a34f7c0a0c in MagickMain utilities/magick.c:153\n    #9 0x55a34f7c0cba in main utilities/magick.c:184\n    #10 0x7fc4ea38fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nSUMMARY: AddressSanitizer: 216 byte(s) leaked in 2 allocation(s).\n```\n\n### Commits\nFixed in https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c and https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b",
  "id": "GHSA-cfh4-9f7v-fhrc",
  "modified": "2025-11-03T22:59:45Z",
  "published": "2025-08-25T15:53:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.7.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick has a Memory Leak in magick stream"
}

GHSA-CFR8-F5Q7-84WQ

Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-31 18:31
VLAI
Details

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.

This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T20:16:19Z",
    "severity": "MODERATE"
  },
  "details": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\n\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
  "id": "GHSA-cfr8-f5q7-84wq",
  "modified": "2026-03-31T18:31:30Z",
  "published": "2026-03-30T21:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21714"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.