CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-F6C4-25W9-79F8
Vulnerability from github – Published: 2025-08-16 12:30 – Updated: 2026-01-07 21:31In the Linux kernel, the following vulnerability has been resolved:
atm: clip: Fix memory leak of struct clip_vcc.
ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back.
The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc.
However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in atm_init_atmarp(), resulting in memory leak.
Let's serialise two ioctl() by lock_sock() and check vcc->push() in atm_init_atmarp() to prevent memleak.
{
"affected": [],
"aliases": [
"CVE-2025-38546"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-16T12:15:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix memory leak of struct clip_vcc.\n\nioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to\nvcc-\u003euser_back.\n\nThe code assumes that vcc_destroy_socket() passes NULL skb\nto vcc-\u003epush() when the socket is close()d, and then clip_push()\nfrees clip_vcc.\n\nHowever, ioctl(ATMARPD_CTRL) sets NULL to vcc-\u003epush() in\natm_init_atmarp(), resulting in memory leak.\n\nLet\u0027s serialise two ioctl() by lock_sock() and check vcc-\u003epush()\nin atm_init_atmarp() to prevent memleak.",
"id": "GHSA-f6c4-25w9-79f8",
"modified": "2026-01-07T21:31:39Z",
"published": "2025-08-16T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38546"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c075e88d5859a2c6b43b27e0e46fb281cef8039"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fb9fb5a4b5cec2d56e26525ef8c519de858fa60"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2fb37ab3226606cbfc9b2b6f9e301b0b735734c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62dba28275a9a3104d4e33595c7b3328d4032d8d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e4dbeee56f614e3f1e166e5d0655a999ea185ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f771816f14da6d6157a8c30069091abf6b566fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb2e4a2f8f268d8fba6662f663a2e57846f14a8d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F6CH-PGG4-HHV4
Vulnerability from github – Published: 2022-11-01 19:00 – Updated: 2022-11-02 19:00open5gs v2.4.11 was discovered to contain a memory leak in the component ngap-handler.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted UE attachment.
{
"affected": [],
"aliases": [
"CVE-2022-43223"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T14:15:00Z",
"severity": "HIGH"
},
"details": "open5gs v2.4.11 was discovered to contain a memory leak in the component ngap-handler.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted UE attachment.",
"id": "GHSA-f6ch-pgg4-hhv4",
"modified": "2022-11-02T19:00:31Z",
"published": "2022-11-01T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43223"
},
{
"type": "WEB",
"url": "https://github.com/ToughRunner/Open5gs_bugreport2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F6PW-44QX-H3W9
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 21:31In the Linux kernel, the following vulnerability has been resolved:
net: thunderbolt: fix memory leak in tbnet_open()
When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in tb_xdomain_alloc_out_hopid() is not released. Add tb_xdomain_release_out_hopid() to the error path to release ida.
{
"affected": [],
"aliases": [
"CVE-2022-48955"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: thunderbolt: fix memory leak in tbnet_open()\n\nWhen tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in\ntb_xdomain_alloc_out_hopid() is not released. Add\ntb_xdomain_release_out_hopid() to the error path to release ida.",
"id": "GHSA-f6pw-44qx-h3w9",
"modified": "2024-10-24T21:31:02Z",
"published": "2024-10-21T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48955"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9274dbe399952a8175db2e1ee148b7c9ba2b538"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed14e5903638f6eb868e3e2b4e610985e6a6c876"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ed6e955f3b7e0e622c080f4bcb5427a5e1af4c2a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F6QM-C27V-QR5C
Vulnerability from github – Published: 2023-06-01 03:30 – Updated: 2024-04-04 04:27mp4v2 v2.1.3 was discovered to contain a memory leak via MP4SdpAtom::Read() at atom_sdp.cpp
{
"affected": [],
"aliases": [
"CVE-2023-33719"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T03:15:20Z",
"severity": "MODERATE"
},
"details": "mp4v2 v2.1.3 was discovered to contain a memory leak via MP4SdpAtom::Read() at atom_sdp.cpp",
"id": "GHSA-f6qm-c27v-qr5c",
"modified": "2024-04-04T04:27:37Z",
"published": "2023-06-01T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33719"
},
{
"type": "WEB",
"url": "https://github.com/enzo1982/mp4v2/issues/37"
},
{
"type": "WEB",
"url": "https://github.com/enzo1982/mp4v2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F6RF-QWCR-G39Q
Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32ImageMagick before 7.1.2-26 and 6.9.x before 6.9.13-51 contains a memory leak in the YUV decoder that occurs when opening of the blob fails. Repeated triggering can lead to resource exhaustion (denial of service).
{
"affected": [],
"aliases": [
"CVE-2026-61868"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T12:18:21Z",
"severity": "MODERATE"
},
"details": "ImageMagick before 7.1.2-26 and 6.9.x before 6.9.13-51 contains a memory leak in the YUV decoder that occurs when opening of the blob fails. Repeated triggering can lead to resource exhaustion (denial of service).",
"id": "GHSA-f6rf-qwcr-g39q",
"modified": "2026-07-15T12:32:05Z",
"published": "2026-07-15T12:32:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h7f2-f9cc-h2gv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61868"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/imagemagick-before-26-memory-leak-in-yuv-decoder"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F76M-Q4G4-C63M
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-12 18:31In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix ulist leaks in error paths of qgroup self tests
In the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests, if we fail to add the tree ref, remove the extent item or remove the extent ref, we are returning from the test function without freeing the "old_roots" ulist that was allocated by the previous calls to btrfs_find_all_roots(). Fix that by calling ulist_free() before returning.
{
"affected": [],
"aliases": [
"CVE-2022-49912"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix ulist leaks in error paths of qgroup self tests\n\nIn the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests,\nif we fail to add the tree ref, remove the extent item or remove the\nextent ref, we are returning from the test function without freeing the\n\"old_roots\" ulist that was allocated by the previous calls to\nbtrfs_find_all_roots(). Fix that by calling ulist_free() before returning.",
"id": "GHSA-f76m-q4g4-c63m",
"modified": "2025-11-12T18:31:03Z",
"published": "2025-05-01T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49912"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a0dead4ad1a2e2a9bdf133ef45111d7c8daef84"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/203204798831c35d855ecc6417d98267d2d2184b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f58283d83a588ff5da62fc150de19e798ed2ec2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d1a47ebf84540e40b5b43fc21aef0d6c0f627d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d37de92b38932d40e4a251e876cc388f9aee5f42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d81370396025cf63a7a1b5f8bb25a3479203b2ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da7003434bcab0ae9aba3f2c003e734cae093326"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f46ea5fa3320dca4fe0c0926b49a5f14cb85de62"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F7PW-25Q4-98V7
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()
The buffer in the loop should be released under the exception path, otherwise there may be a memory leak here.
To mitigate this, free the buffer when allegro_alloc_buffer fails.
{
"affected": [],
"aliases": [
"CVE-2024-56572"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()\n\nThe buffer in the loop should be released under the exception path,\notherwise there may be a memory leak here.\n\nTo mitigate this, free the buffer when allegro_alloc_buffer fails.",
"id": "GHSA-f7pw-25q4-98v7",
"modified": "2025-11-03T21:31:51Z",
"published": "2024-12-27T15:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56572"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f514068fbc5d4d189c817adc7c4e32cffdc2e47"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17e5613666209be4e5be1f1894f1a6014a8a0658"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64f72a738864b506ab50b4a6cb3ce3c3e04b71af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6712a28a4f923ffdf51cff267ad05a634ee1babc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74a65313578b35e1239966adfa7ac2bdd60caf00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/891b5790bee8fc6ddba17874dd87a646128d0b99"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf642904be39ae0d441dbdfa8f485e0a46260be4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F7RM-GV39-R2J5
Vulnerability from github – Published: 2025-04-09 21:31 – Updated: 2025-04-09 21:31A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS).
In a subscriber management scenario, login/logout activity triggers a memory leak, and the leaked memory gradually increments and eventually results in a crash. user@host> show chassis fpc Temp CPU Utilization (%) CPU Utilization (%) Memory Utilization (%) Slot State (C) Total Interrupt 1min 5min 15min DRAM (MB) Heap Buffer
2 Online 36 10 0 9 8 9 32768 26 0
This issue affects Junos OS on MX Series: * All versions before 21.2R3-S9 * from 21.4 before 21.4R3-S10 * from 22.2 before 22.2R3-S6 * from 22.4 before 22.4R3-S5 * from 23.2 before 23.2R2-S3 * from 23.4 before 23.4R2-S3 * from 24.2 before 24.2R2.
{
"affected": [],
"aliases": [
"CVE-2025-30647"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T20:15:28Z",
"severity": "HIGH"
},
"details": "A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS).\n\nIn a subscriber management scenario, login/logout activity triggers a memory leak, and the leaked memory gradually increments and eventually results in a\u00a0crash.\u00a0\n\u00a0 \u00a0\n\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003user@host\u003e show chassis fpc\n\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003Temp \u2003\u2003 CPU Utilization (%) \u2003\u2003CPU Utilization (%) \u2003 Memory \u00a0 \u2003\u2003Utilization (%)\n\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003Slot State\u00a0 \u00a0 \u00a0 \u00a0(C) \u2003\u2003\u00a0 Total\u00a0 \u00a0Interrupt \u00a0 \u00a0 1min\u00a0 \u00a05min\u00a0 15min \u2003 \u2003DRAM (MB) \u2003Heap \u00a0 Buffer\n\n\u00a0 \u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u2003\u20032 Online\u00a0 \u00a0 \u00a0 \u00a0 \u00a036 \u00a0 \u2003\u2003\u2003 10 \u00a0 \u00a0 \u00a0 \u00a0 0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 9 \u00a0 \u00a0 8 \u00a0 \u00a0 9 \u00a0 \u2003\u2003\u2003\u2003\u200332768 \u00a0 \u00a0 \u200326 \u00a0 \u00a0 \u00a0 \u00a0 0\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\n\nThis issue affects Junos OS on MX Series: \n * All versions before 21.2R3-S9\n * from 21.4 before 21.4R3-S10\n * from 22.2 before 22.2R3-S6\n * from 22.4 before 22.4R3-S5\n * from 23.2 before 23.2R2-S3\n * from 23.4 before 23.4R2-S3\n * from 24.2 before 24.2R2.",
"id": "GHSA-f7rm-gv39-r2j5",
"modified": "2025-04-09T21:31:43Z",
"published": "2025-04-09T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30647"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA96457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F7XM-7MW8-VGHC
Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31In the Linux kernel, the following vulnerability has been resolved:
amt: fix memory leak for advertisement message
When a gateway receives an advertisement message, it extracts relay information and then it should be freed. But the advertisement handler doesn't free it. So, memory leak would occur.
{
"affected": [],
"aliases": [
"CVE-2022-49461"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\namt: fix memory leak for advertisement message\n\nWhen a gateway receives an advertisement message, it extracts relay\ninformation and then it should be freed.\nBut the advertisement handler doesn\u0027t free it.\nSo, memory leak would occur.",
"id": "GHSA-f7xm-7mw8-vghc",
"modified": "2025-03-17T18:31:50Z",
"published": "2025-03-17T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49461"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/19bb2d57eac86a368839a92117d8a10ab7183623"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7322da399fb86a2072f008b56f7160afa1b2051"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe29794c3585d039fefebaa2b5a4932a627ad4fd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F888-6PH8-HVGC
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2024-03-21 03:33A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d.
{
"affected": [],
"aliases": [
"CVE-2019-19070"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-18T06:15:00Z",
"severity": "HIGH"
},
"details": "A memory leak in the spi_gpio_probe() function in drivers/spi/spi-gpio.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering devm_add_action_or_reset() failures, aka CID-d3b0ffa1d75d.",
"id": "GHSA-f888-6ph8-hvgc",
"modified": "2024-03-21T03:33:47Z",
"published": "2022-05-24T17:01:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19070"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/d3b0ffa1d75d5305ebe34735598993afbb8a869d"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1157294"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.