CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-HGG3-J5PH-4M9J
Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-04 18:30In the Linux kernel, the following vulnerability has been resolved:
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
If clk_register() fails, @pll->rate_table may have allocated memory by kmemdup(), so it needs to be freed, otherwise will cause memory leak issue, this patch fixes it.
{
"affected": [],
"aliases": [
"CVE-2022-50523"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-07T16:15:36Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: rockchip: Fix memory leak in rockchip_clk_register_pll()\n\nIf clk_register() fails, @pll-\u003erate_table may have allocated memory by\nkmemdup(), so it needs to be freed, otherwise will cause memory leak\nissue, this patch fixes it.",
"id": "GHSA-hgg3-j5ph-4m9j",
"modified": "2026-02-04T18:30:19Z",
"published": "2025-10-07T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50523"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20201c3a0a32f127fa4bdf379d6ac01c2978702d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26b94635f1c84d7f6cb482179125cb17e59c90a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b0a1f1247cd42ac5e0d369f8dbb58762692edee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/739a6a6bbdb793bd57938cb24aa5a6df89983546"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/86e1e080ad14c5fb6c14a5f0eb530b1b38cbc968"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dcd4ba068b194c6ef0071491aa3f12bec8c14d5b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f02c1d8dc8d880cbaaf9094b4f396fe868ee23ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2ffb8653ea85ae39ce44347751fcc4c3e41f6bb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4d70c139d313948e02360304a6cbcd3a4f5deb5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGP5-3FHG-P5CF
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-12 21:31In the Linux kernel, the following vulnerability has been resolved:
most: core: fix resource leak in most_register_interface error paths
The function most_register_interface() did not correctly release resources if it failed early (before registering the device). In these cases, it returned an error code immediately, leaking the memory allocated for the interface.
Fix this by initializing the device early via device_initialize() and calling put_device() on all error paths.
The most_register_interface() is expected to call put_device() on error which frees the resources allocated in the caller. The put_device() either calls release_mdev() or dim2_release(), depending on the caller.
Switch to using device_add() instead of device_register() to handle the split initialization.
{
"affected": [],
"aliases": [
"CVE-2025-71272"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T12:16:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: core: fix resource leak in most_register_interface error paths\n\nThe function most_register_interface() did not correctly release resources\nif it failed early (before registering the device). In these cases, it\nreturned an error code immediately, leaking the memory allocated for the\ninterface.\n\nFix this by initializing the device early via device_initialize() and\ncalling put_device() on all error paths.\n\nThe most_register_interface() is expected to call put_device() on\nerror which frees the resources allocated in the caller. The\nput_device() either calls release_mdev() or dim2_release(),\ndepending on the caller.\n\nSwitch to using device_add() instead of device_register() to handle\nthe split initialization.",
"id": "GHSA-hgp5-3fhg-p5cf",
"modified": "2026-05-12T21:31:26Z",
"published": "2026-05-06T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71272"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f4c9d8a1021281750c6cda126d6f8a40cc24e71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f483f3817fb0e4209ac5de928778b1da0cc8574"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a49028a796d7b94f8e3ab9bd34b18f36be235459"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/af0b99b2214a10554adb5b868240d23af6e64e71"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HH4J-JWJV-8726
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-11-04 00:32When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.
{
"affected": [],
"aliases": [
"CVE-2025-0241"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T16:15:38Z",
"severity": "HIGH"
},
"details": "When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox \u003c 134 and Firefox ESR \u003c 128.6.",
"id": "GHSA-hh4j-jwjv-8726",
"modified": "2025-11-04T00:32:17Z",
"published": "2025-01-07T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0241"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933023"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-01"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-02"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-04"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HH4Q-F8CF-8P2P
Vulnerability from github – Published: 2024-12-29 12:30 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()
Hook "qedi_ops->common->sb_init = qed_sb_init" does not release the DMA memory sb_virt when it fails. Add dma_free_coherent() to free it. This is the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().
{
"affected": [],
"aliases": [
"CVE-2024-56747"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-29T12:15:08Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()\n\nHook \"qedi_ops-\u003ecommon-\u003esb_init = qed_sb_init\" does not release the DMA\nmemory sb_virt when it fails. Add dma_free_coherent() to free it. This\nis the same way as qedr_alloc_mem_sb() and qede_alloc_mem_sb().",
"id": "GHSA-hh4q-f8cf-8p2p",
"modified": "2025-11-03T21:32:02Z",
"published": "2024-12-29T12:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56747"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/10a6fc486ac40a410f0fb84cc15161238eccd20a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20b775cf274cfbfa3da871a1108877e17b8b19e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e48e5b26b3edc0e1dd329201ffc924a7a1f9337"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95bbdca4999bc59a72ebab01663d421d6ce5775d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4d2011cbe039b25024831427b60ab91ee247066"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b778b5240485106abf665eb509cc01779ed0cb00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bb8b45883eb072adba297922b67d1467082ac880"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cfc76acaf2c4b43d1e140f1e4cbde15adb540bc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eaf92fad1f21be63427920c12f22227e5f757424"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HH9M-7VG3-WPG4
Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-04 00:30In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of remain_skbs
hif_dev->remain_skb is allocated and used exclusively in ath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is processed and subsequently freed (in error paths) only during the next call of ath9k_hif_usb_rx_stream().
So, if the urbs are deallocated between those two calls due to the device deinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream() is not called next time and the allocated remain_skb is leaked. Our local Syzkaller instance was able to trigger that.
remain_skb makes sense when receiving two consecutive urbs which are logically linked together, i.e. a specific data field from the first skb indicates a cached skb to be allocated, memcpy'd with some data and subsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs deallocation supposedly makes that link irrelevant so we need to free the cached skb in those cases.
Fix the leak by introducing a function to explicitly free remain_skb (if it is not NULL) when the rx urbs have been deallocated. remain_skb is NULL when it has not been allocated at all (hif_dev struct is kzalloced) or when it has been processed in next call to ath9k_hif_usb_rx_stream().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
{
"affected": [],
"aliases": [
"CVE-2023-53641"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-07T16:15:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of remain_skbs\n\nhif_dev-\u003eremain_skb is allocated and used exclusively in\nath9k_hif_usb_rx_stream(). It is implied that an allocated remain_skb is\nprocessed and subsequently freed (in error paths) only during the next\ncall of ath9k_hif_usb_rx_stream().\n\nSo, if the urbs are deallocated between those two calls due to the device\ndeinitialization or suspend, it is possible that ath9k_hif_usb_rx_stream()\nis not called next time and the allocated remain_skb is leaked. Our local\nSyzkaller instance was able to trigger that.\n\nremain_skb makes sense when receiving two consecutive urbs which are\nlogically linked together, i.e. a specific data field from the first skb\nindicates a cached skb to be allocated, memcpy\u0027d with some data and\nsubsequently processed in the next call to ath9k_hif_usb_rx_stream(). Urbs\ndeallocation supposedly makes that link irrelevant so we need to free the\ncached skb in those cases.\n\nFix the leak by introducing a function to explicitly free remain_skb (if\nit is not NULL) when the rx urbs have been deallocated. remain_skb is NULL\nwhen it has not been allocated at all (hif_dev struct is kzalloced) or\nwhen it has been processed in next call to ath9k_hif_usb_rx_stream().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
"id": "GHSA-hh9m-7vg3-wpg4",
"modified": "2026-02-04T00:30:27Z",
"published": "2025-10-07T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53641"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/320d760a35273aa815d58b57e4fd9ba5279a3489"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59073060fe0950c6ecbe12bdc06469dcac62128d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6719e3797ec52cd144c8a5ba8aaab36674800585"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7654cc03eb699297130b693ec34e25f77b17c947"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8f02d538878c9b1501f624595eb22ee4e5e0ff84"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b9356a3014123f0ce4b50d9278c1265173150ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9899318660791141ea6002fda5577b2c5d7386e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0931fc8f4b6847c72e170d2326861c0a081d680"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHCF-PXCH-R4CF
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-26 18:31In the Linux kernel, the following vulnerability has been resolved:
io_uring: Fix release of pinned pages when __io_uaddr_map fails
Looking at the error path of __io_uaddr_map, if we fail after pinning the pages for any reasons, ret will be set to -EINVAL and the error handler won't properly release the pinned pages.
I didn't manage to trigger it without forcing a failure, but it can happen in real life when memory is heavily fragmented.
{
"affected": [],
"aliases": [
"CVE-2024-35831"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T14:15:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix release of pinned pages when __io_uaddr_map fails\n\nLooking at the error path of __io_uaddr_map, if we fail after pinning\nthe pages for any reasons, ret will be set to -EINVAL and the error\nhandler won\u0027t properly release the pinned pages.\n\nI didn\u0027t manage to trigger it without forcing a failure, but it can\nhappen in real life when memory is heavily fragmented.",
"id": "GHSA-hhcf-pxch-r4cf",
"modified": "2025-09-26T18:31:17Z",
"published": "2024-05-17T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35831"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b6f39c175ba5f0ef72bdb3b9d2a06ad78621d62"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d376d7ad62b6a8e8dfff56b559d9d275e5b9b3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67d1189d1095d471ed7fa426c7e384a7140a5dd7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/712e2c8415f55a4a4ddaa98a430b87f624109f69"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHG8-WXRJ-M3CF
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory after effective lifetime. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-47482"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:03Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause missing release of memory after effective lifetime. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-hhg8-wxrj-m3cf",
"modified": "2026-07-14T21:32:17Z",
"published": "2026-07-14T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47482"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47482"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHMC-3CVV-PMFW
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-02 21:31In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix leak of 'r10bio->remaining' for recovery
raid10_sync_request() will add 'r10bio->remaining' for both rdev and replacement rdev. However, if the read io fails, recovery_request_write() returns without issuing the write io, in this case, end_sync_request() is only called once and 'remaining' is leaked, cause an io hang.
Fix the problem by decreasing 'remaining' according to if 'bio' and 'repl_bio' is valid.
{
"affected": [],
"aliases": [
"CVE-2023-53299"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T08:15:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix leak of \u0027r10bio-\u003eremaining\u0027 for recovery\n\nraid10_sync_request() will add \u0027r10bio-\u003eremaining\u0027 for both rdev and\nreplacement rdev. However, if the read io fails, recovery_request_write()\nreturns without issuing the write io, in this case, end_sync_request()\nis only called once and \u0027remaining\u0027 is leaked, cause an io hang.\n\nFix the problem by decreasing \u0027remaining\u0027 according to if \u0027bio\u0027 and\n\u0027repl_bio\u0027 is valid.",
"id": "GHSA-hhmc-3cvv-pmfw",
"modified": "2025-12-02T21:31:27Z",
"published": "2025-09-16T15:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53299"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11141630f03efffdfe260b3582b2d93d38171b97"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1697fb124c6d6c5237e9cbd78890310154738084"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1d2c6c6e37fe5de11fd01a82badf03390e12df7a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26208a7cffd0c7cbf14237ccd20c7270b3ffeb7e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3481dec5ecbbbbe44ab23e22c2b14bd65c644ec6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4f82e7e07cdaf2947d71968e3d6b73370a217093"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c5d5d7ffd1e76734811b8ea5417cf0432b9952c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d09065802c53cc938d162b62f6c4150b392c90e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb827ed2bb34480dc102146d3a1f89fdbcafc028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHPM-97GW-PCV3
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-19 15:31In the Linux kernel, the following vulnerability has been resolved:
selinux: fix memleak in security_read_state_kernel()
In this function, it directly returns the result of __security_read_policy without freeing the allocated memory in *data, cause memory leak issue, so free the memory if __security_read_policy failed.
[PM: subject line tweak]
{
"affected": [],
"aliases": [
"CVE-2022-50201"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix memleak in security_read_state_kernel()\n\nIn this function, it directly returns the result of __security_read_policy\nwithout freeing the allocated memory in *data, cause memory leak issue,\nso free the memory if __security_read_policy failed.\n\n[PM: subject line tweak]",
"id": "GHSA-hhpm-97gw-pcv3",
"modified": "2025-11-19T15:31:30Z",
"published": "2025-06-18T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50201"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fc1f72aad2070d34022d0823e4cf09706b53f25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73de1befcc53a7c68b0c5e76b9b5ac41c517760f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c877c5217145bda8fd95f506bf42f8d981afa57d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3cd7562c0a6774fc62d79654482014020e574f5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJ2G-7C54-G4V7
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45A flaw was found in Privoxy in versions before 3.0.29. Memory leak if multiple filters are executed and the last one is skipped due to a pcre error leading to a system crash.
{
"affected": [],
"aliases": [
"CVE-2021-20212"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-25T19:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in Privoxy in versions before 3.0.29. Memory leak if multiple filters are executed and the last one is skipped due to a pcre error leading to a system crash.",
"id": "GHSA-hj2g-7c54-g4v7",
"modified": "2022-05-24T17:45:22Z",
"published": "2022-05-24T17:45:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20212"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928736"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-16"
},
{
"type": "WEB",
"url": "https://www.privoxy.org/3.0.29/user-manual/whatsnew.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.