Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-GGV4-4QFX-2GH6

Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2025-09-26 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

lib: alloc_tag_module_unload must wait for pending kfree_rcu calls

Ben Greear reports following splat: ------------[ cut here ]------------ net/netfilter/nf_nat_core.c:1114 module nf_nat func:nf_nat_register_fn has 256 allocated at module unload WARNING: CPU: 1 PID: 10421 at lib/alloc_tag.c:168 alloc_tag_module_unload+0x22b/0x3f0 Modules linked in: nf_nat(-) btrfs ufs qnx4 hfsplus hfs minix vfat msdos fat ... Hardware name: Default string Default string/SKYBAY, BIOS 5.12 08/04/2020 RIP: 0010:alloc_tag_module_unload+0x22b/0x3f0 codetag_unload_module+0x19b/0x2a0 ? codetag_load_module+0x80/0x80

nf_nat module exit calls kfree_rcu on those addresses, but the free operation is likely still pending by the time alloc_tag checks for leaks.

Wait for outstanding kfree_rcu operations to complete before checking resolves this warning.

Reproducer: unshare -n iptables-nft -t nat -A PREROUTING -p tcp grep nf_nat /proc/allocinfo # will list 4 allocations rmmod nft_chain_nat rmmod nf_nat # will WARN.

[akpm@linux-foundation.org: add comment]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib: alloc_tag_module_unload must wait for pending kfree_rcu calls\n\nBen Greear reports following splat:\n ------------[ cut here ]------------\n net/netfilter/nf_nat_core.c:1114 module nf_nat func:nf_nat_register_fn has 256 allocated at module unload\n WARNING: CPU: 1 PID: 10421 at lib/alloc_tag.c:168 alloc_tag_module_unload+0x22b/0x3f0\n Modules linked in: nf_nat(-) btrfs ufs qnx4 hfsplus hfs minix vfat msdos fat\n...\n Hardware name: Default string Default string/SKYBAY, BIOS 5.12 08/04/2020\n RIP: 0010:alloc_tag_module_unload+0x22b/0x3f0\n  codetag_unload_module+0x19b/0x2a0\n  ? codetag_load_module+0x80/0x80\n\nnf_nat module exit calls kfree_rcu on those addresses, but the free\noperation is likely still pending by the time alloc_tag checks for leaks.\n\nWait for outstanding kfree_rcu operations to complete before checking\nresolves this warning.\n\nReproducer:\nunshare -n iptables-nft -t nat -A PREROUTING -p tcp\ngrep nf_nat /proc/allocinfo # will list 4 allocations\nrmmod nft_chain_nat\nrmmod nf_nat                # will WARN.\n\n[akpm@linux-foundation.org: add comment]",
  "id": "GHSA-ggv4-4qfx-2gh6",
  "modified": "2025-09-26T18:31:18Z",
  "published": "2024-11-09T12:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50212"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24211fb49c9ac1b576470b7e393a5a0b50af2707"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dc783ba4b9df3fb3e76e968b2cbeb9960069263c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GGWM-QQ5R-J28W

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-08-06 00:00
VLAI
Details

On Juniper Networks MX Series and EX9200 Series platforms with Trio-based MPC (Modular Port Concentrator) where Integrated Routing and Bridging (IRB) interface is configured and it is mapped to a VPLS instance or a Bridge-Domain, certain network events at Customer Edge (CE) device may cause memory leak in the MPC which can cause an out of memory and MPC restarts. When this issue occurs, there will be temporary traffic interruption until the MPC is restored. An administrator can use the following CLI command to monitor the status of memory usage level of the MPC: user@device> show system resource-monitor fpc FPC Resource Usage Summary Free Heap Mem Watermark : 20 % Free NH Mem Watermark : 20 % Free Filter Mem Watermark : 20 % * - Watermark reached Slot # % Heap Free RTT Average RTT 1 87 PFE # % ENCAP mem Free % NH mem Free % FW mem Free 0 NA 88 99 1 NA 89 99 When the issue is occurring, the value of “% NH mem Free” will go down until the MPC restarts. This issue affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). Please refer to https://kb.juniper.net/KB25385 for the list of Trio-based PFEs. This issue affects Juniper Networks Junos OS on MX Series, EX9200 Series: 17.3R3-S8; 17.4R3-S2; 18.2R3-S4, 18.2R3-S5; 18.3R3-S2, 18.3R3-S3; 18.4 versions starting from 18.4R3-S1 and later versions prior to 18.4R3-S6; 19.2 versions starting from 19.2R2 and later versions prior to 19.2R3-S1; 19.4 versions starting from 19.4R2 and later versions prior to 19.4R2-S3, 19.4R3; 20.2 versions starting from 20.2R1 and later versions prior to 20.2R1-S3, 20.2R2. This issue does not affect Juniper Networks Junos OS: 18.1, 19.1, 19.3, 20.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-15T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "On Juniper Networks MX Series and EX9200 Series platforms with Trio-based MPC (Modular Port Concentrator) where Integrated Routing and Bridging (IRB) interface is configured and it is mapped to a VPLS instance or a Bridge-Domain, certain network events at Customer Edge (CE) device may cause memory leak in the MPC which can cause an out of memory and MPC restarts. When this issue occurs, there will be temporary traffic interruption until the MPC is restored. An administrator can use the following CLI command to monitor the status of memory usage level of the MPC: user@device\u003e show system resource-monitor fpc FPC Resource Usage Summary Free Heap Mem Watermark : 20 % Free NH Mem Watermark : 20 % Free Filter Mem Watermark : 20 % * - Watermark reached Slot # % Heap Free RTT Average RTT 1 87 PFE # % ENCAP mem Free % NH mem Free % FW mem Free 0 NA 88 99 1 NA 89 99 When the issue is occurring, the value of \u201c% NH mem Free\u201d will go down until the MPC restarts. This issue affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). Please refer to https://kb.juniper.net/KB25385 for the list of Trio-based PFEs. This issue affects Juniper Networks Junos OS on MX Series, EX9200 Series: 17.3R3-S8; 17.4R3-S2; 18.2R3-S4, 18.2R3-S5; 18.3R3-S2, 18.3R3-S3; 18.4 versions starting from 18.4R3-S1 and later versions prior to 18.4R3-S6; 19.2 versions starting from 19.2R2 and later versions prior to 19.2R3-S1; 19.4 versions starting from 19.4R2 and later versions prior to 19.4R2-S3, 19.4R3; 20.2 versions starting from 20.2R1 and later versions prior to 20.2R1-S3, 20.2R2. This issue does not affect Juniper Networks Junos OS: 18.1, 19.1, 19.3, 20.1.",
  "id": "GHSA-ggwm-qq5r-j28w",
  "modified": "2022-08-06T00:00:38Z",
  "published": "2022-05-24T22:28:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0202"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GH8C-2875-38XV

Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2024-11-23 03:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()

If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop of iio_gts_build_avail_scale_table(), the err_free_out will fail to call kfree() each time when i is reduced to 0, so all the per_time_scales[0] and per_time_gains[0] will not be freed, which will cause memory leaks.

Fix it by checking if i >= 0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T18:15:27Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()\n\nIf per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop\nof iio_gts_build_avail_scale_table(), the err_free_out will fail to call\nkfree() each time when i is reduced to 0, so all the per_time_scales[0]\nand per_time_gains[0] will not be freed, which will cause memory leaks.\n\nFix it by checking if i \u003e= 0.",
  "id": "GHSA-gh8c-2875-38xv",
  "modified": "2024-11-23T03:31:57Z",
  "published": "2024-11-19T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53076"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/369f05688911b05216cfcd6ca74473bec87948d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62c11896683129790b8f5ab6eb7e695818b0b723"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b304362ce836968b803e5d4c5f84dcb51a7bf0f2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GH9Q-398W-69GX

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-01-23 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ntb_netdev: Use dev_kfree_skb_any() in interrupt context

TX/RX callback handlers (ntb_netdev_tx_handler(), ntb_netdev_rx_handler()) can be called in interrupt context via the DMA framework when the respective DMA operations have completed. As such, any calls by these routines to free skb's, should use the interrupt context safe dev_kfree_skb_any() function.

Previously, these callback handlers would call the interrupt unsafe version of dev_kfree_skb(). This has not presented an issue on Intel IOAT DMA engines as that driver utilizes tasklets rather than a hard interrupt handler, like the AMD PTDMA DMA driver. On AMD systems, a kernel WARNING message is encountered, which is being issued from skb_release_head_state() due to in_hardirq() being true.

Besides the user visible WARNING from the kernel, the other symptom of this bug was that TCP/IP performance across the ntb_netdev interface was very poor, i.e. approximately an order of magnitude below what was expected. With the repair to use dev_kfree_skb_any(), kernel WARNINGs from skb_release_head_state() ceased and TCP/IP performance, as measured by iperf, was on par with expected results, approximately 20 Gb/s on AMD Milan based server. Note that this performance is comparable with Intel based servers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50476"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb_netdev: Use dev_kfree_skb_any() in interrupt context\n\nTX/RX callback handlers (ntb_netdev_tx_handler(),\nntb_netdev_rx_handler()) can be called in interrupt\ncontext via the DMA framework when the respective\nDMA operations have completed. As such, any calls\nby these routines to free skb\u0027s, should use the\ninterrupt context safe dev_kfree_skb_any() function.\n\nPreviously, these callback handlers would call the\ninterrupt unsafe version of dev_kfree_skb(). This has\nnot presented an issue on Intel IOAT DMA engines as\nthat driver utilizes tasklets rather than a hard\ninterrupt handler, like the AMD PTDMA DMA driver.\nOn AMD systems, a kernel WARNING message is\nencountered, which is being issued from\nskb_release_head_state() due to in_hardirq()\nbeing true.\n\nBesides the user visible WARNING from the kernel,\nthe other symptom of this bug was that TCP/IP performance\nacross the ntb_netdev interface was very poor, i.e.\napproximately an order of magnitude below what was\nexpected. With the repair to use dev_kfree_skb_any(),\nkernel WARNINGs from skb_release_head_state() ceased\nand TCP/IP performance, as measured by iperf, was on\npar with expected results, approximately 20 Gb/s on\nAMD Milan based server. Note that this performance\nis comparable with Intel based servers.",
  "id": "GHSA-gh9q-398w-69gx",
  "modified": "2026-01-23T18:31:23Z",
  "published": "2025-10-04T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50476"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07e28a8f450217db679802ebd4de0915556ce846"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13286ad1c7c49c606fdcba4cf66f953a1a16c1ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14d245da57a11e80277ab455aa9b6dcc5ed38a19"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/21296a52caa6a6bad6debdfe40ad81d4f1a27e69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f7d78b2b12a9d561f48fa00bab29b40f4616dad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b78493968ed3cef0326183ed059c55e42f24d5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6b9e09403102bdf8402dae734800e4916c7ea58"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4460c82177899751975180c268f352893302221"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd860b39aa7c7b82e6c99b6fdb99d4610ce49d67"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHFF-7R8P-2PR4

Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2024-11-13 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()

modprobe iio-test-gts and rmmod it, then the following memory leak occurs:

unreferenced object 0xffffff80c810be00 (size 64):
  comm "kunit_try_catch", pid 1654, jiffies 4294913981
  hex dump (first 32 bytes):
    02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00  ........ ...@...
    80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00  ................
  backtrace (crc a63d875e):
    [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
    [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
    [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
    [<0000000071bb4b09>] 0xffffffdf052a62e0
    [<000000000315bc18>] 0xffffffdf052a6488
    [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
    [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
    [<00000000f505065d>] kthread+0x2e8/0x374
    [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
unreferenced object 0xffffff80cbfe9e70 (size 16):
  comm "kunit_try_catch", pid 1658, jiffies 4294914015
  hex dump (first 16 bytes):
    10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00  ....@...........
  backtrace (crc 857f0cb4):
    [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
    [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
    [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
    [<0000000071bb4b09>] 0xffffffdf052a62e0
    [<000000007d089d45>] 0xffffffdf052a6864
    [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
    [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
    [<00000000f505065d>] kthread+0x2e8/0x374
    [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
......

It includes 55 times "size 64" memory leaks, which correspond to 5 times test_init_iio_gain_scale() calls with gts_test_gains size 10 (10size(int)) and gts_test_itimes size 5. It also includes 51 times "size 16" memory leak, which correspond to one time __test_init_iio_gain_scale() call with gts_test_gains_gain_low size 3 (3size(int)) and gts_test_itimes size 5.

The reason is that the per_time_gains[i] is not freed which is allocated in the "gts->num_itime" for loop in iio_gts_build_avail_scale_table().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-09T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()\n\nmodprobe iio-test-gts and rmmod it, then the following memory leak\noccurs:\n\n\tunreferenced object 0xffffff80c810be00 (size 64):\n\t  comm \"kunit_try_catch\", pid 1654, jiffies 4294913981\n\t  hex dump (first 32 bytes):\n\t    02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00  ........ ...@...\n\t    80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00  ................\n\t  backtrace (crc a63d875e):\n\t    [\u003c0000000028c1b3c2\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c000000001d6ecc87\u003e] __kmalloc_noprof+0x2bc/0x3c0\n\t    [\u003c00000000393795c1\u003e] devm_iio_init_iio_gts+0x4b4/0x16f4\n\t    [\u003c0000000071bb4b09\u003e] 0xffffffdf052a62e0\n\t    [\u003c000000000315bc18\u003e] 0xffffffdf052a6488\n\t    [\u003c00000000f9dc55b5\u003e] kunit_try_run_case+0x13c/0x3ac\n\t    [\u003c00000000175a3fd4\u003e] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [\u003c00000000f505065d\u003e] kthread+0x2e8/0x374\n\t    [\u003c00000000bbfb0e5d\u003e] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cbfe9e70 (size 16):\n\t  comm \"kunit_try_catch\", pid 1658, jiffies 4294914015\n\t  hex dump (first 16 bytes):\n\t    10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00  ....@...........\n\t  backtrace (crc 857f0cb4):\n\t    [\u003c0000000028c1b3c2\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c000000001d6ecc87\u003e] __kmalloc_noprof+0x2bc/0x3c0\n\t    [\u003c00000000393795c1\u003e] devm_iio_init_iio_gts+0x4b4/0x16f4\n\t    [\u003c0000000071bb4b09\u003e] 0xffffffdf052a62e0\n\t    [\u003c000000007d089d45\u003e] 0xffffffdf052a6864\n\t    [\u003c00000000f9dc55b5\u003e] kunit_try_run_case+0x13c/0x3ac\n\t    [\u003c00000000175a3fd4\u003e] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [\u003c00000000f505065d\u003e] kthread+0x2e8/0x374\n\t    [\u003c00000000bbfb0e5d\u003e] ret_from_fork+0x10/0x20\n\t......\n\nIt includes 5*5 times \"size 64\" memory leaks, which correspond to 5 times\ntest_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int))\nand gts_test_itimes size 5. It also includes 5*1 times \"size 16\"\nmemory leak, which correspond to one time __test_init_iio_gain_scale()\ncall with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes\nsize 5.\n\nThe reason is that the per_time_gains[i] is not freed which is allocated in\nthe \"gts-\u003enum_itime\" for loop in iio_gts_build_avail_scale_table().",
  "id": "GHSA-ghff-7r8p-2pr4",
  "modified": "2024-11-13T18:31:53Z",
  "published": "2024-11-09T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50231"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16e41593825c3044efca0eb34b2d6ffba306e4ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38d6e8be234d87b0eedca50309e25051888b39d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/691e79ffc42154a9c91dc3b7e96a307037b4be74"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHM8-6M3X-WV66

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-11-07 19:00
VLAI
Details

A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-18T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpmsg/rpmsg_char.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering copy_from_iter_full() failures, aka CID-bbe692e349e2.",
  "id": "GHSA-ghm8-6m3x-wv66",
  "modified": "2022-11-07T19:00:18Z",
  "published": "2022-05-24T17:01:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19053"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/bbe692e349e2a1edf3fe0a29a0e05899c9c94d51"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191205-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4300-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4301-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHPP-GWGC-8PQ9

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-15 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: restore failed global reservations to subpool

Commit a833a693a490 ("mm: hugetlb: fix incorrect fallback for subpool") fixed an underflow error for hstate->resv_huge_pages caused by incorrectly attributing globally requested pages to the subpool's reservation.

Unfortunately, this fix also introduced the opposite problem, which would leave spool->used_hpages elevated if the globally requested pages could not be acquired. This is because while a subpool's reserve pages only accounts for what is requested and allocated from the subpool, its "used" counter keeps track of what is consumed in total, both from the subpool and globally. Thus, we need to adjust spool->used_hpages in the other direction, and make sure that globally requested pages are uncharged from the subpool's used counter.

Each failed allocation attempt increments the used_hpages counter by how many pages were requested from the global pool. Ultimately, this renders the subpool unusable, as used_hpages approaches the max limit.

The issue can be reproduced as follows: 1. Allocate 4 hugetlb pages 2. Create a hugetlb mount with max=4, min=2 3. Consume 2 pages globally 4. Request 3 pages from the subpool (2 from subpool + 1 from global) 4.1 hugepage_subpool_get_pages(spool, 3) succeeds. used_hpages += 3 4.2 hugetlb_acct_memory(h, 1) fails: no global pages left used_hpages -= 2 5. Subpool now has used_hpages = 1, despite not being able to successfully allocate any hugepages. It believes it can now only allocate 3 more hugepages, not 4.

With each failed allocation attempt incrementing the used counter, the subpool eventually reaches a point where its used counter equals its max counter. At that point, any future allocations that try to allocate hugeTLB pages from the subpool will fail, despite the subpool not having any of its hugeTLB pages consumed by any user.

Once this happens, there is no way to make the subpool usable again, since there is no way to decrement the used counter as no process is really consuming the hugeTLB pages.

The underflow issue that the original commit fixes still remains fixed as well.

Without this fix, used_hpages would keep on leaking if hugetlb_acct_memory() fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T14:16:35Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: restore failed global reservations to subpool\n\nCommit a833a693a490 (\"mm: hugetlb: fix incorrect fallback for subpool\")\nfixed an underflow error for hstate-\u003eresv_huge_pages caused by incorrectly\nattributing globally requested pages to the subpool\u0027s reservation.\n\nUnfortunately, this fix also introduced the opposite problem, which would\nleave spool-\u003eused_hpages elevated if the globally requested pages could\nnot be acquired.  This is because while a subpool\u0027s reserve pages only\naccounts for what is requested and allocated from the subpool, its \"used\"\ncounter keeps track of what is consumed in total, both from the subpool\nand globally.  Thus, we need to adjust spool-\u003eused_hpages in the other\ndirection, and make sure that globally requested pages are uncharged from\nthe subpool\u0027s used counter.\n\nEach failed allocation attempt increments the used_hpages counter by how\nmany pages were requested from the global pool.  Ultimately, this renders\nthe subpool unusable, as used_hpages approaches the max limit.\n\nThe issue can be reproduced as follows:\n1. Allocate 4 hugetlb pages\n2. Create a hugetlb mount with max=4, min=2\n3. Consume 2 pages globally\n4. Request 3 pages from the subpool (2 from subpool + 1 from global)\n\t4.1 hugepage_subpool_get_pages(spool, 3) succeeds.\n\t\tused_hpages += 3\n\t4.2 hugetlb_acct_memory(h, 1) fails: no global pages left\n\t\tused_hpages -= 2\n5. Subpool now has used_hpages = 1, despite not being able to\n   successfully allocate any hugepages. It believes it can now only\n   allocate 3 more hugepages, not 4.\n\nWith each failed allocation attempt incrementing the used counter, the\nsubpool eventually reaches a point where its used counter equals its\nmax counter.  At that point, any future allocations that try to\nallocate hugeTLB pages from the subpool will fail, despite the subpool\nnot having any of its hugeTLB pages consumed by any user.\n\nOnce this happens, there is no way to make the subpool usable again,\nsince there is no way to decrement the used counter as no process is\nreally consuming the hugeTLB pages.\n\nThe underflow issue that the original commit fixes still remains fixed\nas well.\n\nWithout this fix, used_hpages would keep on leaking if\nhugetlb_acct_memory() fails.",
  "id": "GHSA-ghpp-gwgc-8pq9",
  "modified": "2026-05-15T18:30:29Z",
  "published": "2026-05-08T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43286"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHW9-6H55-QJ7V

Vulnerability from github – Published: 2024-07-30 09:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nvmet: fix a possible leak when destroy a ctrl during qp establishment

In nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we know that a ctrl was allocated (in the admin connect request handler) and we need to release pending AERs, clear ctrl->sqs and sq->ctrl (for nvme-loop primarily), and drop the final reference on the ctrl.

However, a small window is possible where nvmet_sq_destroy starts (as a result of the client giving up and disconnecting) concurrently with the nvme admin connect cmd (which may be in an early stage). But before kill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq live reference). In this case, sq->ctrl was allocated however after it was captured in a local variable in nvmet_sq_destroy. This prevented the final reference drop on the ctrl.

Solve this by re-capturing the sq->ctrl after all inflight request has completed, where for sure sq->ctrl reference is final, and move forward based on that.

This issue was observed in an environment with many hosts connecting multiple ctrls simoutanuosly, creating a delay in allocating a ctrl leading up to this race window.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T08:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix a possible leak when destroy a ctrl during qp establishment\n\nIn nvmet_sq_destroy we capture sq-\u003ectrl early and if it is non-NULL we\nknow that a ctrl was allocated (in the admin connect request handler)\nand we need to release pending AERs, clear ctrl-\u003esqs and sq-\u003ectrl\n(for nvme-loop primarily), and drop the final reference on the ctrl.\n\nHowever, a small window is possible where nvmet_sq_destroy starts (as\na result of the client giving up and disconnecting) concurrently with\nthe nvme admin connect cmd (which may be in an early stage). But *before*\nkill_and_confirm of sq-\u003eref (i.e. the admin connect managed to get an sq\nlive reference). In this case, sq-\u003ectrl was allocated however after it was\ncaptured in a local variable in nvmet_sq_destroy.\nThis prevented the final reference drop on the ctrl.\n\nSolve this by re-capturing the sq-\u003ectrl after all inflight request has\ncompleted, where for sure sq-\u003ectrl reference is final, and move forward\nbased on that.\n\nThis issue was observed in an environment with many hosts connecting\nmultiple ctrls simoutanuosly, creating a delay in allocating a ctrl\nleading up to this race window.",
  "id": "GHSA-ghw9-6h55-qj7v",
  "modified": "2025-11-04T00:31:08Z",
  "published": "2024-07-30T09:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42152"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f3c22b1d3d7e86712253244797a651998c141fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5502c1f1d0d7472706cc1f201aecf1c935d302d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/818004f2a380420c19872171be716174d4985e33"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/940a71f08ef153ef807f751310b0648d1fa5d0da"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4fed1443a6571d49c6ffe7d97af3bbe5ee6dff5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJ59-54PG-84P6

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 15:30
VLAI
Details

When SNMP is configured on F5OS Appliance and Chassis systems, undisclosed requests can cause an increase in SNMP memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T14:15:47Z",
    "severity": "HIGH"
  },
  "details": "When SNMP is configured on F5OS Appliance and Chassis systems, undisclosed requests can cause an increase in SNMP memory resource utilization.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-gj59-54pg-84p6",
  "modified": "2025-10-15T15:30:28Z",
  "published": "2025-10-15T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47150"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000149820"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GJH2-VJQ2-JQWC

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: nxp-nci: Fix potential memory leak in nxp_nci_send()

nxp_nci_send() will call nxp_nci_i2c_write(), and only free skb when nxp_nci_i2c_write() failed. However, even if the nxp_nci_i2c_write() run succeeds, the skb will not be freed in nxp_nci_i2c_write(). As the result, the skb will memleak. nxp_nci_send() should also free the skb when nxp_nci_i2c_write() succeeds.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nxp-nci: Fix potential memory leak in nxp_nci_send()\n\nnxp_nci_send() will call nxp_nci_i2c_write(), and only free skb when\nnxp_nci_i2c_write() failed. However, even if the nxp_nci_i2c_write()\nrun succeeds, the skb will not be freed in nxp_nci_i2c_write(). As the\nresult, the skb will memleak. nxp_nci_send() should also free the skb\nwhen nxp_nci_i2c_write() succeeds.",
  "id": "GHSA-gjh2-vjq2-jqwc",
  "modified": "2025-05-07T15:31:27Z",
  "published": "2025-05-01T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49923"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cba1f061bfe23fece2841129ca2862cdec29d5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ecf0f4227029b2c42e036b10ff6e5d09e20821e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bf1ed6aff0f70434bd0cdd45495e83f1dffb551"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ae2c9a91ff068f4c3e392f47e8e26a1c9f85ebb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.