Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-H96R-XQWG-W67W

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()

A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers.

pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap.

Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:40Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info-\u003efrags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req-\u003eactual \u003c req-\u003elength,\nwhere req-\u003elength is set to PAGE_SIZE by the gadget.  If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp-\u003erx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag().  Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb-\u003efrags overflow in RX path\").",
  "id": "GHSA-h96r-xqwg-w67w",
  "modified": "2026-06-01T18:31:27Z",
  "published": "2026-04-24T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31616"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d7f7e0c842242878c24b2facff8d6eda23ee1e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7424f0287da73d3d8c5fa5e9d25d26fce762708e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5ec49fa198bd08967a3102bd41f53ccadce72c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9JC-64QV-H9CG

Vulnerability from github – Published: 2026-03-09 18:31 – Updated: 2026-06-26 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/xattr: missing fdput() in fremovexattr error path

In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user can exploit this to cause kernel memory exhaustion. The issue was inadvertently fixed by commit a71874379ec8 ("xattr: switch to CLASS(fd)").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-14027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-09T16:16:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/xattr: missing fdput() in fremovexattr error path\n\nIn the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a\nfile reference but returns early without calling fdput() when\nstrncpy_from_user() fails on the name argument. In multi-threaded processes\nwhere fdget() takes the slow path, this permanently leaks one\nfile reference per call, pinning the struct file and associated kernel\nobjects in memory. An unprivileged local user can exploit this to cause\nkernel memory exhaustion. The issue was inadvertently fixed by commit\na71874379ec8 (\"xattr: switch to CLASS(fd)\").",
  "id": "GHSA-h9jc-64qv-h9cg",
  "modified": "2026-06-26T21:32:03Z",
  "published": "2026-03-09T18:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-14027"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a1e865e51063d6c56f673ec8ad4b6604321b455"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a3a2ae5efbbcaed37551218abed94e23c537157"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a71874379ec8c6e788a61d71b3ad014a8d9a5c08"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d151b94967c8247005435b63fc60f8f4baa320da"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H9WV-H3G7-2R2R

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-08-06 00:00
VLAI
Details

Multiple vulnerabilities in the implementation of the Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device. These vulnerabilities are due to incorrect processing of certain Cisco Discovery Protocol and LLDP packets at ingress time. An attacker could exploit these vulnerabilities by sending crafted Cisco Discovery Protocol or LLDP packets to an affected device. A successful exploit could allow the attacker to cause the affected device to continuously consume memory, which could cause the device to crash and reload, resulting in a DoS condition. Note: Cisco Discovery Protocol and LLDP are Layer 2 protocols. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-04T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple vulnerabilities in the implementation of the Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) for Cisco Video Surveillance 7000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause a memory leak, which could lead to a denial of service (DoS) condition on an affected device. These vulnerabilities are due to incorrect processing of certain Cisco Discovery Protocol and LLDP packets at ingress time. An attacker could exploit these vulnerabilities by sending crafted Cisco Discovery Protocol or LLDP packets to an affected device. A successful exploit could allow the attacker to cause the affected device to continuously consume memory, which could cause the device to crash and reload, resulting in a DoS condition. Note: Cisco Discovery Protocol and LLDP are Layer 2 protocols. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).",
  "id": "GHSA-h9wv-h3g7-2r2r",
  "modified": "2022-08-06T00:00:48Z",
  "published": "2022-05-24T19:04:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1564"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipcamera-lldpcdp-mem-yTQDmjRO"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HC4H-PG37-34F7

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-17 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix memory leak on the deferred close

xfstests on smb21 report kmemleak as below:

unreferenced object 0xffff8881767d6200 (size 64): comm "xfs_io", pid 1284, jiffies 4294777434 (age 20.789s) hex dump (first 32 bytes): 80 5a d0 11 81 88 ff ff 78 8a aa 63 81 88 ff ff .Z......x..c.... 00 71 99 76 81 88 ff ff 00 00 00 00 00 00 00 00 .q.v............ backtrace: [<00000000ad04e6ea>] cifs_close+0x92/0x2c0 [<0000000028b93c82>] __fput+0xff/0x3f0 [<00000000d8116851>] task_work_run+0x85/0xc0 [<0000000027e14f9e>] do_exit+0x5e5/0x1240 [<00000000fb492b95>] do_group_exit+0x58/0xe0 [<00000000129a32d9>] __x64_sys_exit_group+0x28/0x30 [<00000000e3f7d8e9>] do_syscall_64+0x35/0x80 [<00000000102e8a0b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

When cancel the deferred close work, we should also cleanup the struct cifs_deferred_close.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:36Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix memory leak on the deferred close\n\nxfstests on smb21 report kmemleak as below:\n\n  unreferenced object 0xffff8881767d6200 (size 64):\n    comm \"xfs_io\", pid 1284, jiffies 4294777434 (age 20.789s)\n    hex dump (first 32 bytes):\n      80 5a d0 11 81 88 ff ff 78 8a aa 63 81 88 ff ff  .Z......x..c....\n      00 71 99 76 81 88 ff ff 00 00 00 00 00 00 00 00  .q.v............\n    backtrace:\n      [\u003c00000000ad04e6ea\u003e] cifs_close+0x92/0x2c0\n      [\u003c0000000028b93c82\u003e] __fput+0xff/0x3f0\n      [\u003c00000000d8116851\u003e] task_work_run+0x85/0xc0\n      [\u003c0000000027e14f9e\u003e] do_exit+0x5e5/0x1240\n      [\u003c00000000fb492b95\u003e] do_group_exit+0x58/0xe0\n      [\u003c00000000129a32d9\u003e] __x64_sys_exit_group+0x28/0x30\n      [\u003c00000000e3f7d8e9\u003e] do_syscall_64+0x35/0x80\n      [\u003c00000000102e8a0b\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nWhen cancel the deferred close work, we should also cleanup the struct\ncifs_deferred_close.",
  "id": "GHSA-hc4h-pg37-34f7",
  "modified": "2025-11-17T21:31:17Z",
  "published": "2025-06-18T12:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50076"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/60b6d38add7b9c17d6e5d49ee8e930ea1a5650c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/860efae127888ae535bc4eda1b7f27642727c69e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca08d0eac020d48a3141dbec0a3cf64fbdb17cde"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HC53-772H-HRGP

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17
VLAI
Details

A vulnerability in the VPN System Logging functionality for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak that can deplete system memory over time, which can cause unexpected system behaviors or device crashes. The vulnerability is due to the system memory not being properly freed for a VPN System Logging event generated when a VPN session is created or deleted. An attacker could exploit this vulnerability by repeatedly creating or deleting a VPN tunnel connection, which could leak a small amount of system memory for each logging event. A successful exploit could allow the attacker to cause system memory depletion, which can lead to a systemwide denial of service (DoS) condition. The attacker does not have any control of whether VPN System Logging is configured or not on the device, but it is enabled by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the VPN System Logging functionality for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a memory leak that can deplete system memory over time, which can cause unexpected system behaviors or device crashes. The vulnerability is due to the system memory not being properly freed for a VPN System Logging event generated when a VPN session is created or deleted. An attacker could exploit this vulnerability by repeatedly creating or deleting a VPN tunnel connection, which could leak a small amount of system memory for each logging event. A successful exploit could allow the attacker to cause system memory depletion, which can lead to a systemwide denial of service (DoS) condition. The attacker does not have any control of whether VPN System Logging is configured or not on the device, but it is enabled by default.",
  "id": "GHSA-hc53-772h-hrgp",
  "modified": "2022-05-24T17:17:18Z",
  "published": "2022-05-24T17:17:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3189"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-dos-Rdpe34sd8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HC55-23QR-XX8H

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-19 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()

If clk_get_sys(..., "pll_d2_out0") fails, the clk_get_sys() call must be undone.

Add the missing clk_put and a new 'put_pll_d_out0' label in the error handling path, and use it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()\n\nIf clk_get_sys(..., \"pll_d2_out0\") fails, the clk_get_sys() call must be\nundone.\n\nAdd the missing clk_put and a new \u0027put_pll_d_out0\u0027 label in the error\nhandling path, and use it.",
  "id": "GHSA-hc55-23qr-xx8h",
  "modified": "2025-09-19T15:31:07Z",
  "published": "2024-05-17T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52661"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2388c36e028fff7f8ffd515681a14c6c2c07fea7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/45c8034db47842b25a3ab6139d71e13b4e67b9b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c8dc26e31b8b410ad1895e0d314def50c76eed0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/845322a9c06dd1dcf35b6c4e3af89684297c23cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f3f407ccbe84a34de9be3195d22cdd5969f3fd9f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa74e4f5d0821829545b9f7034a0e577c205c101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCF7-CJ24-HF8M

Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-12-23 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Fix a fence leak in submit error path

In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case.

Patchwork: https://patchwork.freedesktop.org/patch/653584/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T14:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix a fence leak in submit error path\n\nIn error paths, we could unref the submit without calling\ndrm_sched_entity_push_job(), so msm_job_free() will never get\ncalled.  Since drm_sched_job_cleanup() will NULL out the\ns_fence, we can use that to detect this case.\n\nPatchwork: https://patchwork.freedesktop.org/patch/653584/",
  "id": "GHSA-hcf7-cj24-hf8m",
  "modified": "2025-12-23T21:30:22Z",
  "published": "2025-07-25T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38410"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0dc817f852e5f8ec8501d19ef7dcc01affa181d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0eaa495b3d5710e5ba72051d2e01bb28292c625c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/201eba5c9652a900c0b248070263f9acd3735689"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d319f75ccf7f0927425a7545aa1a22b3eedc189"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5deab0fa6cfd0cd7def17598db15ceb84f950584"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe2695b2f63bd77e0e03bc0fc779164115bb4699"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCFF-4P4Q-XJMC

Vulnerability from github – Published: 2023-10-04 12:30 – Updated: 2024-04-04 08:16
VLAI
Details

A flaw was found in JSS. A memory leak in JSS requires non-standard configuration but is a low-effort DoS vector if configured that way (repeatedly hitting the login page).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-04T12:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in JSS. A memory leak in JSS requires non-standard configuration but is a low-effort DoS vector if configured that way (repeatedly hitting the login page).",
  "id": "GHSA-hcff-4p4q-xjmc",
  "modified": "2024-04-04T08:16:12Z",
  "published": "2023-10-04T12:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4132"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-4132"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2147372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCPW-H46R-3C39

Vulnerability from github – Published: 2022-11-01 19:00 – Updated: 2025-05-06 15:30
VLAI
Details

Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction",
  "id": "GHSA-hcpw-h46r-3c39",
  "modified": "2025-05-06T15:30:38Z",
  "published": "2022-11-01T19:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42311"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5272"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-326.txt"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-326.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFQR-838F-PJ36

Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix memory leak on ntfs_fill_super() error path

syzbot reported kmemleak as below:

BUG: memory leak unreferenced object 0xffff8880122f1540 (size 32): comm "a.out", pid 6664, jiffies 4294939771 (age 25.500s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00 ................ backtrace: [] ntfs_init_fs_context+0x22/0x1c0 [] alloc_fs_context+0x217/0x430 [] path_mount+0x704/0x1080 [] __x64_sys_mount+0x18c/0x1d0 [] do_syscall_64+0x34/0xb0 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

This patch fixes this issue by freeing mount options on error path of ntfs_fill_super().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix memory leak on ntfs_fill_super() error path\n\nsyzbot reported kmemleak as below:\n\nBUG: memory leak\nunreferenced object 0xffff8880122f1540 (size 32):\n  comm \"a.out\", pid 6664, jiffies 4294939771 (age 25.500s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 ed ff ed ff 00 00 00 00  ................\n  backtrace:\n    [\u003cffffffff81b16052\u003e] ntfs_init_fs_context+0x22/0x1c0\n    [\u003cffffffff8164aaa7\u003e] alloc_fs_context+0x217/0x430\n    [\u003cffffffff81626dd4\u003e] path_mount+0x704/0x1080\n    [\u003cffffffff81627e7c\u003e] __x64_sys_mount+0x18c/0x1d0\n    [\u003cffffffff84593e14\u003e] do_syscall_64+0x34/0xb0\n    [\u003cffffffff84600087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by freeing mount options on error path of\nntfs_fill_super().",
  "id": "GHSA-hfqr-838f-pj36",
  "modified": "2026-01-16T21:30:28Z",
  "published": "2025-10-01T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50451"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2600c80ea7b39f987c3fa89287e73d62e322bbbd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2dd9ccfb06bcdad30ad92d96c3affa38a458679e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51e76a232f8c037f1d9e9922edc25b003d5f3414"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff0df7d9cdbb12878155168b5234e99029e5377f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.