Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-M45C-8X83-Q7FX

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

can: ucan: fix devres lifetime

USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).

Fix the control message buffer lifetime so that it is released on driver unbind.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ucan: fix devres lifetime\n\nUSB drivers bind to USB interfaces and any device managed resources\nshould have their lifetime tied to the interface rather than parent USB\ndevice. This avoids issues like memory leaks when drivers are unbound\nwithout their devices being physically disconnected (e.g. on probe\ndeferral or configuration changes).\n\nFix the control message buffer lifetime so that it is released on driver\nunbind.",
  "id": "GHSA-m45c-8x83-q7fx",
  "modified": "2026-06-25T21:31:22Z",
  "published": "2026-05-27T15:33:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3df5b9110ac08f67ccfe382fc172bfee95688eec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a90f0815aaa9c629ac4750e7c71c357dd7f231d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb2e41e87a2893345859440017e7178bf7a4c70d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M467-8FV2-X525

Vulnerability from github – Published: 2022-01-20 00:01 – Updated: 2022-01-27 00:03
VLAI
Details

An Improper Validation of Specified Type of Input vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to trigger a Missing Release of Memory after Effective Lifetime vulnerability. Continued exploitation of this vulnerability will eventually lead to an FPC reboot and thereby a Denial of Service (DoS). This issue affects: Juniper Networks Junos OS on vMX and MX150: All versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S5; 19.4 versions prior to 19.4R2-S5, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2-S1, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2; 21.3 versions prior to 21.3R1-S1, 21.3R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Validation of Specified Type of Input vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to trigger a Missing Release of Memory after Effective Lifetime vulnerability. Continued exploitation of this vulnerability will eventually lead to an FPC reboot and thereby a Denial of Service (DoS). This issue affects: Juniper Networks Junos OS on vMX and MX150: All versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S5; 19.4 versions prior to 19.4R2-S5, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2-S1, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2; 21.3 versions prior to 21.3R1-S1, 21.3R2.",
  "id": "GHSA-m467-8fv2-x525",
  "modified": "2022-01-27T00:03:45Z",
  "published": "2022-01-20T00:01:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22168"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11275"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M4CX-FWW5-G6W9

Vulnerability from github – Published: 2025-09-23 21:30 – Updated: 2025-09-23 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: ir_toy: free before error exiting

Fix leak in error path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T06:37:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ir_toy: free before error exiting\n\nFix leak in error path.",
  "id": "GHSA-m4cx-fww5-g6w9",
  "modified": "2025-09-23T21:30:54Z",
  "published": "2025-09-23T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47643"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2011363c196846c083649c91ed30aeef64358d52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/382e0f6958ef34eb093127b6d74c12f3b8fd0904"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52cdb013036391d9d87aba5b4fc49cdfc6ea4b23"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93ef3fdf3b6633c58f049e5a6be755777dde4340"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99e3f83539cac6884a4df02cb204a57a184ea12b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M4VR-JMC8-6XRJ

Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-12-23 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: go7007: fix a memleak in go7007_load_encoder

In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without a deallocation thereafter. After the following call chain:

saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go)

go is freed and thus bounce is leaked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T13:15:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: go7007: fix a memleak in go7007_load_encoder\n\nIn go7007_load_encoder, bounce(i.e. go-\u003eboot_fw), is allocated without\na deallocation thereafter. After the following call chain:\n\nsaa7134_go7007_init\n  |-\u003e go7007_boot_encoder\n        |-\u003e go7007_load_encoder\n  |-\u003e kfree(go)\n\ngo is freed and thus bounce is leaked.",
  "id": "GHSA-m4vr-jmc8-6xrj",
  "modified": "2024-12-23T15:30:47Z",
  "published": "2024-05-01T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/291cda0b805fc0d6e90d201710311630c8667159"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7405a0d4442792988e9ae834e7d84f9d163731a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/790fa2c04dfb9f095ec372bf17909424d6e864b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7f11dd3d165b178e738fe73dfeea513e383bedb5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b49fe84c6cefcc1c2336d793b53442e716c95073"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9b683844b01d171a72b9c0419a2d760d946ee12"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d43988a23c32588ccd0c74219637afb96cd78661"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e04d15c8bb3e111dd69f98894acd92d63e87aac3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M4WX-PP34-V6V9

Vulnerability from github – Published: 2026-06-12 06:33 – Updated: 2026-06-12 06:33
VLAI
Details

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T04:17:04Z",
    "severity": "MODERATE"
  },
  "details": "Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when\u00a0recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.",
  "id": "GHSA-m4wx-pp34-v6v9",
  "modified": "2026-06-12T06:33:19Z",
  "published": "2026-06-12T06:33:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20746"
    },
    {
      "type": "WEB",
      "url": "https://docs.pingidentity.com/pingdirectory/11.0/release_notes/pd_release_notes.html#pingdirectory-suite-of-products-11-0-0-1-march-2026"
    },
    {
      "type": "WEB",
      "url": "https://support.pingidentity.com/s/article/SECADV052-Denial-of-Service-via-copying-virtual-attributes"
    },
    {
      "type": "WEB",
      "url": "https://www.pingidentity.com/en/resources/downloads/pingdirectory-downloads.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M54V-VM86-CJ7G

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-01-18 00:30
VLAI
Details

A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-18T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.",
  "id": "GHSA-m54v-vm86-cj7g",
  "modified": "2023-01-18T00:30:22Z",
  "published": "2022-05-24T17:01:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19071"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/d563131ef23cbc756026f839a82598c8445bc45f"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3PSDE6PTOTVBK2YTKB2TFQP2SUBVSNF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PY7LJMSPAGRIKABJPDKQDTXYW3L5RX2T"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191205-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4258-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4284-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4287-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4287-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M582-2RRJ-GCV3

Vulnerability from github – Published: 2025-09-18 15:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drivers: base: component: fix memory leak with using debugfs_lookup()

When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T14:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: base: component: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time.  To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once.",
  "id": "GHSA-m582-2rrj-gcv3",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53409"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09709a49283f79184c998d6dafcc01590e4d654d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79ac2b01e033181e21cc84216ace1f4160eb8950"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8deb87b1e810dd558371e88ffd44339fbef27870"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf0fd01c7cc1061fb2cfda3e2044371642108e6c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5GJ-W75C-GCXX

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-13 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: tegra-video: Fix memory leak in __tegra_channel_try_format()

The state object allocated by __v4l2_subdev_state_alloc() must be freed with __v4l2_subdev_state_free() when it is no longer needed.

In __tegra_channel_try_format(), two error paths return directly after v4l2_subdev_call() fails, without freeing the allocated 'sd_state' object. This violates the requirement and causes a memory leak.

Fix this by introducing a cleanup label and using goto statements in the error paths to ensure that __v4l2_subdev_state_free() is always called before the function returns.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:34Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tegra-video: Fix memory leak in __tegra_channel_try_format()\n\nThe state object allocated by __v4l2_subdev_state_alloc() must be freed\nwith __v4l2_subdev_state_free() when it is no longer needed.\n\nIn __tegra_channel_try_format(), two error paths return directly after\nv4l2_subdev_call() fails, without freeing the allocated \u0027sd_state\u0027\nobject. This violates the requirement and causes a memory leak.\n\nFix this by introducing a cleanup label and using goto statements in the\nerror paths to ensure that __v4l2_subdev_state_free() is always called\nbefore the function returns.",
  "id": "GHSA-m5gj-w75c-gcxx",
  "modified": "2026-05-13T21:31:58Z",
  "published": "2026-05-06T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43162"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2dff8966a3a889dd9d248a7e15d963b4097efcc5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ca2f09061736e72ef25eec2597d00f7f44094d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43e5302d22334f1183dec3e0d5d8007eefe2817c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c6f419fa9c44a4b7149b0292e01bff47308ba14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca921be7a1174d5d58b28f84b683c2c0079f18c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d92e9a18f97a1d19d4c2ff81dcfbe43591f75b5a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5JC-WWPP-562G

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22679"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.",
  "id": "GHSA-m5jc-wwpp-562g",
  "modified": "2022-05-24T19:17:15Z",
  "published": "2022-05-24T19:17:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22679"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/1345"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M5MW-GF4C-PWC3

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-18 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: fix potential skb->frags overflow in RX path

When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior.

This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet").

The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects.

Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS.

The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T16:15:57Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: fix potential skb-\u003efrags overflow in RX path\n\nWhen receiving data in the DPMAIF RX path,\nthe t7xx_dpmaif_set_frag_to_skb() function adds\npage fragments to an skb without checking if the number of\nfragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow\nin skb_shinfo(skb)-\u003efrags[] array, corrupting adjacent memory and\npotentially causing kernel crashes or other undefined behavior.\n\nThis issue was identified through static code analysis by comparing with a\nsimilar vulnerability fixed in the mt76 driver commit b102f0c522cf (\"mt76:\nfix array overflow on receiving too many fragments for a packet\").\n\nThe vulnerability could be triggered if the modem firmware sends packets\nwith excessive fragments. While under normal protocol conditions (MTU 3080\nbytes, BAT buffer 3584 bytes),\na single packet should not require additional\nfragments, the kernel should not blindly trust firmware behavior.\nMalicious, buggy, or compromised firmware could potentially craft packets\nwith more fragments than the kernel expects.\n\nFix this by adding a bounds check before calling skb_add_rx_frag() to\nensure nr_frags does not exceed MAX_SKB_FRAGS.\n\nThe check must be performed before unmapping to avoid a page leak\nand double DMA unmap during device teardown.",
  "id": "GHSA-m5mw-gf4c-pwc3",
  "modified": "2026-03-18T15:30:41Z",
  "published": "2026-02-14T18:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23172"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a0522f564acd34442652ea083091c329fa7c5d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9747a7521a48afded5bff2faf1f2dcfff48c577"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.