CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-G72G-W36F-8RF4
Vulnerability from github – Published: 2024-08-22 06:30 – Updated: 2024-08-22 21:31In the Linux kernel, the following vulnerability has been resolved:
nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()
ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX) inclusive. So NFP_MAX_MAC_INDEX (0xff) is a valid id.
In order for the error handling path to work correctly, the 'invalid' value for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range, inclusive.
So set it to -1.
{
"affected": [],
"aliases": [
"CVE-2022-48934"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T04:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()\n\nida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX)\ninclusive.\nSo NFP_MAX_MAC_INDEX (0xff) is a valid id.\n\nIn order for the error handling path to work correctly, the \u0027invalid\u0027\nvalue for \u0027ida_idx\u0027 should not be in the 0..NFP_MAX_MAC_INDEX range,\ninclusive.\n\nSo set it to -1.",
"id": "GHSA-g72g-w36f-8rf4",
"modified": "2024-08-22T21:31:29Z",
"published": "2024-08-22T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48934"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a14d0888eb4b0045884126acc69abfb7b87814d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4086d2433576baf85f0e538511df97c8101e0a10"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ad5886f85b6bd893e3ed19013765fb0c243c069"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9d8097caa73200710d52b9f4d9f430548f46a900"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af4bc921d39dffdb83076e0a7eed1321242b7d87"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G77R-J94W-3WM3
Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-11-05 18:31In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: fix a memleak in gss_import_v2_context
The ctx->mech_used.data allocated by kmemdup is not freed in neither gss_import_v2_context nor it only caller gss_krb5_import_sec_context, which frees ctx on error.
Thus, this patch reform the last call of gss_import_v2_context to the gss_krb5_import_ctx_v2, preventing the memleak while keepping the return formation.
{
"affected": [],
"aliases": [
"CVE-2023-52653"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T13:15:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx-\u003emech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.",
"id": "GHSA-g77r-j94w-3wm3",
"modified": "2024-11-05T18:31:58Z",
"published": "2024-05-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52653"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G7GX-QMJ4-GXRC
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-23 18:30In the Linux kernel, the following vulnerability has been resolved:
driver core: auxiliary bus: Fix memory leak when driver_register() fail
If driver_register() returns with error we need to free the memory allocated for auxdrv->driver.name before returning from __auxiliary_driver_register()
{
"affected": [],
"aliases": [
"CVE-2021-47287"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: auxiliary bus: Fix memory leak when driver_register() fail\n\nIf driver_register() returns with error we need to free the memory\nallocated for auxdrv-\u003edriver.name before returning from\n__auxiliary_driver_register()",
"id": "GHSA-g7gx-qmj4-gxrc",
"modified": "2024-12-23T18:30:47Z",
"published": "2024-05-21T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47287"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4afa0c22eed33cfe0c590742387f0d16f32412f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce5b3de58fc21303722df46551f7eb9a91afb409"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G7XF-GG8W-VW6H
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix potential unbounded skb queue
virtio_transport_inc_rx_pkt() checks vvs->rx_bytes + len > vvs->buf_alloc.
virtio_transport_recv_enqueue() skips coalescing for packets with VIRTIO_VSOCK_SEQ_EOM.
If fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM, a very large number of packets can be queued because vvs->rx_bytes stays at 0.
Fix this by estimating the skb metadata size:
(Number of skbs in the queue) * SKB_TRUESIZE(0)
{
"affected": [],
"aliases": [
"CVE-2026-53132"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:30Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix potential unbounded skb queue\n\nvirtio_transport_inc_rx_pkt() checks vvs-\u003erx_bytes + len \u003e vvs-\u003ebuf_alloc.\n\nvirtio_transport_recv_enqueue() skips coalescing for packets\nwith VIRTIO_VSOCK_SEQ_EOM.\n\nIf fed with packets with len == 0 and VIRTIO_VSOCK_SEQ_EOM,\na very large number of packets can be queued\nbecause vvs-\u003erx_bytes stays at 0.\n\nFix this by estimating the skb metadata size:\n\n\t(Number of skbs in the queue) * SKB_TRUESIZE(0)",
"id": "GHSA-g7xf-gg8w-vw6h",
"modified": "2026-06-28T09:31:42Z",
"published": "2026-06-25T09:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53132"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/059b7dbd20a6f0c539a45ddff1573cb8946685b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/100d5b2ffdc6468b9e48532641f29e83efdcb63c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1eca304f97a34ed5e921e1f0e06c8b241f25bf12"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9bdc637fde66b63d6cad0caacd034888bb7bf5f5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G86R-9849-44WQ
Vulnerability from github – Published: 2023-02-23 21:30 – Updated: 2025-03-12 21:31A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.
{
"affected": [],
"aliases": [
"CVE-2023-0597"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.",
"id": "GHSA-g86r-9849-44wq",
"modified": "2025-03-12T21:31:27Z",
"published": "2023-02-23T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597"
},
{
"type": "WEB",
"url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/07/28/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/28/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G89H-FPVV-HMHH
Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2022-10-18 19:00A vulnerability found in jasper. This security vulnerability happens because of a memory leak bug in function cmdopts_parse that can cause a crash or segmentation fault.
{
"affected": [],
"aliases": [
"CVE-2022-2963"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-14T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability found in jasper. This security vulnerability happens because of a memory leak bug in function cmdopts_parse that can cause a crash or segmentation fault.",
"id": "GHSA-g89h-fpvv-hmhh",
"modified": "2022-10-18T19:00:31Z",
"published": "2022-10-14T19:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2963"
},
{
"type": "WEB",
"url": "https://github.com/jasper-software/jasper/issues/332"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-2963"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2118587"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8FC-H787-JHV2
Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-01-14 18:31In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel_pmc_core: fix memleak on registration failure
In case device registration fails during module initialisation, the platform device structure needs to be freed using platform_device_put() to properly free all resources (e.g. the device name).
{
"affected": [],
"aliases": [
"CVE-2021-47093"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T18:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel_pmc_core: fix memleak on registration failure\n\nIn case device registration fails during module initialisation, the\nplatform device structure needs to be freed using platform_device_put()\nto properly free all resources (e.g. the device name).",
"id": "GHSA-g8fc-h787-jhv2",
"modified": "2025-01-14T18:31:49Z",
"published": "2024-03-04T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47093"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26a8b09437804fabfb1db080d676b96c0de68e7c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a37f2e370699e2feca3dca6c8178c71ceee7e8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ca1324755f1f8629a370af5cc315b175331f5d1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8GM-98GJ-8FWR
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 21:31In the Linux kernel, the following vulnerability has been resolved:
net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(), priv->regions is not released.
{
"affected": [],
"aliases": [
"CVE-2022-48959"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()\n\nWhen dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),\npriv-\u003eregions is not released.",
"id": "GHSA-g8gm-98gj-8fwr",
"modified": "2024-10-24T21:31:02Z",
"published": "2024-10-21T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48959"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4be43e46c3f945fc7dd9e23c73a7a66927a3b814"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78a9ea43fc1a7c06a420b132d2d47cbf4344a5df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e5e59629654b8826f0167dae480d0e3fa0f8f038"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3b5dda26cd0535aac09ed09c5d83f19b979ec9f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G97V-HF56-5335
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-30 15:30In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Fix error handling of scsi_host_alloc()
After device is initialized via device_initialize(), or its name is set via dev_set_name(), the device has to be freed via put_device(). Otherwise device name will be leaked because it is allocated dynamically in dev_set_name().
Fix the leak by replacing kfree() with put_device(). Since scsi_host_dev_release() properly handles IDA and kthread removal, remove special-casing these from the error handling as well.
{
"affected": [],
"aliases": [
"CVE-2021-47258"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix error handling of scsi_host_alloc()\n\nAfter device is initialized via device_initialize(), or its name is set via\ndev_set_name(), the device has to be freed via put_device(). Otherwise\ndevice name will be leaked because it is allocated dynamically in\ndev_set_name().\n\nFix the leak by replacing kfree() with put_device(). Since\nscsi_host_dev_release() properly handles IDA and kthread removal, remove\nspecial-casing these from the error handling as well.",
"id": "GHSA-g97v-hf56-5335",
"modified": "2025-04-30T15:30:43Z",
"published": "2024-05-21T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47258"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45d83db4728127944b237c0c8248987df9d478e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66a834d092930cf41d809c0e989b13cd6f9ca006"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/79296e292d67fa7b5fb8d8c27343683e823872c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a696ce1d5d16a33a6cd6400bbcc0339b2460e11"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8958181c1663e24a13434448e7d6b96b5d04900a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db08ce595dd64ea9859f7d088b51cbfc8e685c66"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G98G-PPQ9-G757
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-04 15:30In the Linux kernel, the following vulnerability has been resolved:
spi: imx: Don't skip cleanup in remove's error path
Returning early in a platform driver's remove callback is wrong. In this case the dma resources are not released in the error path. this is never retried later and so this is a permanent leak. To fix this, only skip hardware disabling if waking the device fails.
{
"affected": [],
"aliases": [
"CVE-2023-53225"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:49Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: imx: Don\u0027t skip cleanup in remove\u0027s error path\n\nReturning early in a platform driver\u0027s remove callback is wrong. In this\ncase the dma resources are not released in the error path. this is never\nretried later and so this is a permanent leak. To fix this, only skip\nhardware disabling if waking the device fails.",
"id": "GHSA-g98g-ppq9-g757",
"modified": "2025-12-04T15:30:32Z",
"published": "2025-09-15T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53225"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11951c9e3f364d7ae3b568a0e52c8335d43066b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/57a463226638f1ceabbb029cbd21b0c94640f1b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d16305a1535873e0a8a8ae92ea2d9106ec2d7df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aa93a46f998a9069368026ac52bba96868c59157"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b64cb3f085fed296103c91f0db6acad30a021b36"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f90822ad63d11301e425311dac0c8e12ca1737b8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.