CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-CXRH-J4JR-QWG3
Vulnerability from github – Published: 2025-05-15 14:15 – Updated: 2026-02-06 21:35Impact
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.
Patches
This has been patched in https://github.com/nodejs/undici/pull/4088.
Workarounds
If a webhook fails, avoid keep calling it repeatedly.
References
Reported as: https://github.com/nodejs/undici/issues/3895
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.29.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.21.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47279"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-15T14:15:06Z",
"nvd_published_at": "2025-05-15T18:15:38Z",
"severity": "LOW"
},
"details": "### Impact\n\nApplications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. \n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\n\n### Workarounds\n\nIf a webhook fails, avoid keep calling it repeatedly.\n\n### References\n\nReported as: https://github.com/nodejs/undici/issues/3895",
"id": "GHSA-cxrh-j4jr-qwg3",
"modified": "2026-02-06T21:35:53Z",
"published": "2025-05-15T14:15:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47279"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/issues/3895"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/pull/4088"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "undici Denial of Service attack via bad certificate data"
}
GHSA-F23R-PCV3-C69Q
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-02 03:31In the Linux kernel, the following vulnerability has been resolved:
tty: pcn_uart: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.
{
"affected": [],
"aliases": [
"CVE-2023-53173"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T14:15:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: pcn_uart: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
"id": "GHSA-f23r-pcv3-c69q",
"modified": "2025-12-02T03:31:32Z",
"published": "2025-09-15T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53173"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04a189c720aa2b6091442113ce9b9bc93552dff8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/139769c4bd8273b5e3f85ea474aa37018fe7e436"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4459d1e7bd0421b3b6fcd745773d8823f71615ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf042964c2fa72950bbbf25b2cdd732b873e89db"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F248-RM72-P5MX
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 21:31In the Linux kernel, the following vulnerability has been resolved:
mmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put()
pci_get_device() will increase the reference count for the returned pci_dev. We need to use pci_dev_put() to decrease the reference count before amd_probe() returns. There is no problem for the 'smbus_dev == NULL' branch because pci_dev_put() can also handle the NULL input parameter case.
{
"affected": [],
"aliases": [
"CVE-2022-49787"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:01Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put()\n\npci_get_device() will increase the reference count for the returned\npci_dev. We need to use pci_dev_put() to decrease the reference count\nbefore amd_probe() returns. There is no problem for the \u0027smbus_dev ==\nNULL\u0027 branch because pci_dev_put() can also handle the NULL input\nparameter case.",
"id": "GHSA-f248-rm72-p5mx",
"modified": "2025-11-07T21:31:17Z",
"published": "2025-05-01T15:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49787"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/222cfa0118aa68687ace74aab8fdf77ce8fbd7e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/27f712cd47d65e14cd52cc32a23d42aeef583d5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35bca18092685b488003509fef7055aa2d4f2ebc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4423866d31a06a810db22062ed13389416a66b22"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5dbd6378dbf96787d6dbcca44156c511ae085ea3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7570e5b5419ffd34b6dc45a88c51e113a9a187e3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a99a547658e5d451f01ed307426286716b6f01bf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F26P-P2HG-C5QG
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-11 15:32In the Linux kernel, the following vulnerability has been resolved:
kcm: fix zero-frag skb in frag_list on partial sendmsg error
Syzkaller reported a warning in kcm_write_msgs() when processing a message with a zero-fragment skb in the frag_list.
When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb, it allocates a new skb (tskb) and links it into the frag_list before copying data. If the copy subsequently fails (e.g. -EFAULT from user memory), tskb remains in the frag_list with zero fragments:
head skb (msg being assembled, NOT yet in sk_write_queue) +-----------+ | frags[17] | (MAX_SKB_FRAGS, all filled with data) | frag_list-+--> tskb +-----------+ +----------+ | frags[0] | (empty! copy failed before filling) +----------+
For SOCK_SEQPACKET with partial data already copied, the error path saves this message via partial_message for later completion. For SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a subsequent zero-length write(fd, NULL, 0) completes the message and queues it to sk_write_queue. kcm_write_msgs() then walks the frag_list and hits:
WARN_ON(!skb_shinfo(skb)->nr_frags)
TCP has a similar pattern where skbs are enqueued before data copy and cleaned up on failure via tcp_remove_empty_skb(). KCM was missing the equivalent cleanup.
Fix this by tracking the predecessor skb (frag_prev) when allocating a new frag_list entry. On error, if the tail skb has zero frags, use frag_prev to unlink and free it in O(1) without walking the singly-linked frag_list. frag_prev is safe to dereference because the entire message chain is only held locally (or in kcm->seq_skb) and is not added to sk_write_queue until MSG_EOR, so the send path cannot free it underneath us.
Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the log if the condition is somehow hit repeatedly.
There are currently no KCM selftests in the kernel tree; a simple reproducer is available at [1].
[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa
{
"affected": [],
"aliases": [
"CVE-2026-43244"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:44Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: fix zero-frag skb in frag_list on partial sendmsg error\n\nSyzkaller reported a warning in kcm_write_msgs() when processing a\nmessage with a zero-fragment skb in the frag_list.\n\nWhen kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb,\nit allocates a new skb (tskb) and links it into the frag_list before\ncopying data. If the copy subsequently fails (e.g. -EFAULT from\nuser memory), tskb remains in the frag_list with zero fragments:\n\n head skb (msg being assembled, NOT yet in sk_write_queue)\n +-----------+\n | frags[17] | (MAX_SKB_FRAGS, all filled with data)\n | frag_list-+--\u003e tskb\n +-----------+ +----------+\n | frags[0] | (empty! copy failed before filling)\n +----------+\n\nFor SOCK_SEQPACKET with partial data already copied, the error path\nsaves this message via partial_message for later completion. For\nSOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a\nsubsequent zero-length write(fd, NULL, 0) completes the message and\nqueues it to sk_write_queue. kcm_write_msgs() then walks the\nfrag_list and hits:\n\n WARN_ON(!skb_shinfo(skb)-\u003enr_frags)\n\nTCP has a similar pattern where skbs are enqueued before data copy\nand cleaned up on failure via tcp_remove_empty_skb(). KCM was\nmissing the equivalent cleanup.\n\nFix this by tracking the predecessor skb (frag_prev) when allocating\na new frag_list entry. On error, if the tail skb has zero frags,\nuse frag_prev to unlink and free it in O(1) without walking the\nsingly-linked frag_list. frag_prev is safe to dereference because\nthe entire message chain is only held locally (or in kcm-\u003eseq_skb)\nand is not added to sk_write_queue until MSG_EOR, so the send path\ncannot free it underneath us.\n\nAlso change the WARN_ON to WARN_ON_ONCE to avoid flooding the log\nif the condition is somehow hit repeatedly.\n\nThere are currently no KCM selftests in the kernel tree; a simple\nreproducer is available at [1].\n\n[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa",
"id": "GHSA-f26p-p2hg-c5qg",
"modified": "2026-05-11T15:32:08Z",
"published": "2026-05-06T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43244"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7af58f76e4b404a74c836881a845e6652db8a09f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ea3671d70ee07480d80bebe86696397c4e99fb7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1e3edf688a88c1a3ac41657055d9c136a08cd25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca220141fa8ebae09765a242076b2b77338106b0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F27V-G69J-2X4Q
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-23 21:30In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix a memory leak
Add a forgotten kfree().
{
"affected": [],
"aliases": [
"CVE-2023-53512"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:55Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix a memory leak\n\nAdd a forgotten kfree().",
"id": "GHSA-f27v-g69j-2x4q",
"modified": "2026-01-23T21:30:36Z",
"published": "2025-10-01T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53512"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28137ea3eb05a87329a7154a8ff410d9e8bcc0a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30c7c72b6cf9d8c95f9b219c9d2e4e31b15bebe5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/378cc0eec4aa546ce1ae17515e2dfab719d4fb1e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54dd96015e8d7a2a07359e2dfebf05b529d1780c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/847cdbdcd5a24c1eec9595161a23b88fef91ff42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2J7-H8J9-XXJC
Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-14 18:31In the Linux kernel, the following vulnerability has been resolved:
virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()
The selftests added to our CI by Bui Quang Minh recently reveals that there is a mem leak on the error path of virtnet_xsk_pool_enable():
unreferenced object 0xffff88800a68a000 (size 2048): comm "xdp_helper", pid 318, jiffies 4294692778 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): __kvmalloc_node_noprof+0x402/0x570 virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882) xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226) xsk_bind+0x6a5/0x1ae0 __sys_bind+0x15e/0x230 __x64_sys_bind+0x72/0xb0 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f
{
"affected": [],
"aliases": [
"CVE-2025-37955"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T16:15:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()\n\nThe selftests added to our CI by Bui Quang Minh recently reveals\nthat there is a mem leak on the error path of virtnet_xsk_pool_enable():\n\nunreferenced object 0xffff88800a68a000 (size 2048):\n comm \"xdp_helper\", pid 318, jiffies 4294692778\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 0):\n __kvmalloc_node_noprof+0x402/0x570\n virtnet_xsk_pool_enable+0x293/0x6a0 (drivers/net/virtio_net.c:5882)\n xp_assign_dev+0x369/0x670 (net/xdp/xsk_buff_pool.c:226)\n xsk_bind+0x6a5/0x1ae0\n __sys_bind+0x15e/0x230\n __x64_sys_bind+0x72/0xb0\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
"id": "GHSA-f2j7-h8j9-xxjc",
"modified": "2025-11-14T18:31:19Z",
"published": "2025-05-20T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37955"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4397684a292a71fbc1e815c3e283f7490ddce5ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94a6f6c204abb2b2dcd2ce287536cc924469cfb5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba6917810bb4a5a32661fa941717399052b3f0d9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F37V-5R8J-33M9
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
esp: fix skb leak with espintcp and async crypto
When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us.
With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
{
"affected": [],
"aliases": [
"CVE-2026-31518"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:51Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error.",
"id": "GHSA-f37v-5r8j-33m9",
"modified": "2026-07-14T15:31:53Z",
"published": "2026-04-22T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31518"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41aafca57de4a4c026701622bd4648f112a9edcd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4820847e036ff1035b01b69ad68dfc17e7028fe9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a3ec6efbc4f90e0ccb2e71574f07351f19996f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6aa9841d917532d0f2d932d1ff2f3a94305aaf47"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/88d386243ed374ac969dabd3bbc1409a31d81818"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aca3ad0c262f54a5b5c95dda80a48365997d1224"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df6f995358dc1f3c42484f5cfe241d7bd3e1cd15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3JW-96PP-6M3W
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2024-12-30 18:30In the Linux kernel, the following vulnerability has been resolved:
net: bcmasp: fix memory leak when bringing down interface
When bringing down the TX rings we flush the rings but forget to reclaimed the flushed packets. This leads to a memory leak since we do not free the dma mapped buffers. This also leads to tx control block corruption when bringing down the interface for power management.
{
"affected": [],
"aliases": [
"CVE-2024-35858"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:23Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix memory leak when bringing down interface\n\nWhen bringing down the TX rings we flush the rings but forget to\nreclaimed the flushed packets. This leads to a memory leak since we\ndo not free the dma mapped buffers. This also leads to tx control\nblock corruption when bringing down the interface for power\nmanagement.",
"id": "GHSA-f3jw-96pp-6m3w",
"modified": "2024-12-30T18:30:40Z",
"published": "2024-05-17T15:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35858"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09040baf8779ad880e0e0d0ea10e57aa929ef3ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2389ad1990163d29cba5480d693b4c2e31cc545c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f898fc2c31fbf0ac5ecd289f528a716464cb005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3M4-27M2-3P6Q
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-06-19 15:33In the Linux kernel, the following vulnerability has been resolved:
smb: server: fix active_num_conn leak on transport allocation failure
Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL path in the same function has the same leak, is reachable pre-authentication via any TCP connect to port 445, and was empirically reproduced on UML (ARCH=um, v7.0-rc7): a small number of forced allocation failures were sufficient to put ksmbd into a state where every subsequent connection attempt was rejected for the remainder of the boot.
ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards the return value, so when alloc_transport() returns NULL the socket is released and -ENOMEM returned without decrementing the counter. Each such failure permanently consumes one slot from the max_connections pool; once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected. The counter is only reset by module reload.
An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail by holding open connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly.
Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path, decrement active_num_conn gated on server_conf.max_connections.
Repro details: with the patch reverted, forced alloc_transport() NULL returns leaked counter slots and subsequent connection attempts -- including legitimate connects issued after the forced-fail window had closed -- were all rejected with "Limit the maximum number of connections". With this patch applied, the same connect sequence produces no rejections and the counter cycles cleanly between zero and one on every accept.
{
"affected": [],
"aliases": [
"CVE-2026-31711"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T14:16:21Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: fix active_num_conn leak on transport allocation failure\n\nCommit 77ffbcac4e56 (\"smb: server: fix leak of active_num_conn in\nksmbd_tcp_new_connection()\") addressed the kthread_run() failure\npath. The earlier alloc_transport() == NULL path in the same\nfunction has the same leak, is reachable pre-authentication via any\nTCP connect to port 445, and was empirically reproduced on UML\n(ARCH=um, v7.0-rc7): a small number of forced allocation failures\nwere sufficient to put ksmbd into a state where every subsequent\nconnection attempt was rejected for the remainder of the boot.\n\nksmbd_kthread_fn() increments active_num_conn before calling\nksmbd_tcp_new_connection() and discards the return value, so when\nalloc_transport() returns NULL the socket is released and -ENOMEM\nreturned without decrementing the counter. Each such failure\npermanently consumes one slot from the max_connections pool; once\ncumulative failures reach the cap, atomic_inc_return() hits the\nthreshold on every subsequent accept and every new connection is\nrejected. The counter is only reset by module reload.\n\nAn unauthenticated remote attacker can drive the server toward the\nmemory pressure that makes alloc_transport() fail by holding open\nconnections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN\n(0x00FFFFFF); natural transient allocation failures on a loaded\nhost produce the same drift more slowly.\n\nMirror the existing rollback pattern in ksmbd_kthread_fn(): on the\nalloc_transport() failure path, decrement active_num_conn gated on\nserver_conf.max_connections.\n\nRepro details: with the patch reverted, forced alloc_transport()\nNULL returns leaked counter slots and subsequent connection\nattempts -- including legitimate connects issued after the\nforced-fail window had closed -- were all rejected with \"Limit the\nmaximum number of connections\". With this patch applied, the same\nconnect sequence produces no rejections and the counter cycles\ncleanly between zero and one on every accept.",
"id": "GHSA-f3m4-27m2-3p6q",
"modified": "2026-06-19T15:33:08Z",
"published": "2026-05-01T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31711"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/283027aa93380380a0994f35dde3ec95318f2654"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/295a9fc6789d1011c36ded9f0f2907bb34fa0de4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60734c8bc3b4aa0672e251f08dda81977e4b5387"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6551300dc452ac16a855a83dbd1e74899542d3b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97f8d2648ef4871e4cd335e2d769cb40054a6772"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc2e7d595d68cf1be1ba64e3d30ebf3266bf7242"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb48185bcd946d42de7017cf27f912f8ab26acf0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F3RV-HPW2-W8HV
Vulnerability from github – Published: 2025-03-12 00:31 – Updated: 2025-03-12 00:31In the Linux kernel, the following vulnerability has been resolved:
usb: dwc2: Fix memory leak in dwc2_hcd_init
usb_create_hcd will alloc memory for hcd, and we should call usb_put_hcd to free it when platform_get_resource() fails to prevent memory leak. goto error2 label instead error1 to fix this.
{
"affected": [],
"aliases": [
"CVE-2022-49713"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: Fix memory leak in dwc2_hcd_init\n\nusb_create_hcd will alloc memory for hcd, and we should\ncall usb_put_hcd to free it when platform_get_resource()\nfails to prevent memory leak.\ngoto error2 label instead error1 to fix this.",
"id": "GHSA-f3rv-hpw2-w8hv",
"modified": "2025-03-12T00:31:49Z",
"published": "2025-03-12T00:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49713"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3755278f078460b021cd0384562977bf2039a57a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52bfcedbfd5bf962dbdcb6e761f4d0dd3ba26dfd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6506aff2dc2f7059aa3d45ee2e8639b25e87090f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/701d8ec01e0f229d4db6f43d3d64ee479120cbeb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84e6d0af87e27bbc0db94f2e7323b34abe17b6e5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/981ee40649e5fd9550f82db1fbb3bfab037da346"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a44a8a762f7fe9ad3c065813d058e835a6180cb2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.