Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-P29H-V652-9MXM

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-11-07 19:00
VLAI
Details

Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-18T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "Two memory leaks in the v3d_submit_cl_ioctl() function in drivers/gpu/drm/v3d/v3d_gem.c in the Linux kernel before 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering kcalloc() or v3d_job_init() failures, aka CID-29cd13cfd762.",
  "id": "GHSA-p29h-v652-9mxm",
  "modified": "2022-11-07T19:00:21Z",
  "published": "2022-05-24T17:01:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/29cd13cfd7624726d9e6becbae9aa419ef35af7f"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.11"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191205-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4225-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P2PX-RPHP-6XX6

Vulnerability from github – Published: 2022-09-09 00:00 – Updated: 2022-09-14 00:00
VLAI
Details

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-08T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure.",
  "id": "GHSA-p2px-rphp-6xx6",
  "modified": "2022-09-14T00:00:46Z",
  "published": "2022-09-09T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Samsung/TizenRT/issues/5626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Samsung/TizenRT/blob/f8f776dd183246ad8890422c1ee5e8f33ab2aaaf/external/curl/vtls/cyassl.c#L545"
    },
    {
      "type": "WEB",
      "url": "https://www.openssl.org/docs/man1.1.1/man3/SSL_get_peer_certificate.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P326-98P9-WPRV

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2024-02-13 21:30
VLAI
Details

Insufficient memory cleanup in the AMD Secure Processor (ASP) Trusted Execution Environment (TEE) may allow an authenticated attacker with privileges to generate a valid signed TA and potentially poison the contents of the process memory with attacker controlled data resulting in a loss of confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient memory cleanup in the AMD Secure Processor (ASP) Trusted Execution Environment (TEE) may allow an authenticated attacker with privileges to generate a valid signed TA and potentially poison the contents of the process memory with attacker controlled data resulting in a loss of confidentiality.",
  "id": "GHSA-p326-98p9-wprv",
  "modified": "2024-02-13T21:30:21Z",
  "published": "2022-11-10T12:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26393"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1029"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-5001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P346-PX87-VF2H

Vulnerability from github – Published: 2024-10-29 03:31 – Updated: 2024-10-30 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()

Commit a3c1e45156ad ("net: microchip: vcap: Fix use-after-free error in kunit test") fixed the use-after-free error, but introduced below memory leaks by removing necessary vcap_free_rule(), add it to fix it.

unreferenced object 0xffffff80ca58b700 (size 192):
  comm "kunit_try_catch", pid 1215, jiffies 4294898264
  hex dump (first 32 bytes):
    00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00  ..z.........d...
    00 00 00 00 00 00 00 00 00 04 0b cc 80 ff ff ff  ................
  backtrace (crc 9c09c3fe):
    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
    [<0000000040a01b8d>] vcap_alloc_rule+0x3cc/0x9c4
    [<000000003fe86110>] vcap_api_encode_rule_test+0x1ac/0x16b0
    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
    [<00000000c5d82c9a>] kthread+0x2e8/0x374
    [<00000000f4287308>] ret_from_fork+0x10/0x20
unreferenced object 0xffffff80cc0b0400 (size 64):
  comm "kunit_try_catch", pid 1215, jiffies 4294898265
  hex dump (first 32 bytes):
    80 04 0b cc 80 ff ff ff 18 b7 58 ca 80 ff ff ff  ..........X.....
    39 00 00 00 02 00 00 00 06 05 04 03 02 01 ff ff  9...............
  backtrace (crc daf014e9):
    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528
    [<00000000dfdb1e81>] vcap_api_encode_rule_test+0x224/0x16b0
    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
    [<00000000c5d82c9a>] kthread+0x2e8/0x374
    [<00000000f4287308>] ret_from_fork+0x10/0x20
unreferenced object 0xffffff80cc0b0700 (size 64):
  comm "kunit_try_catch", pid 1215, jiffies 4294898265
  hex dump (first 32 bytes):
    80 07 0b cc 80 ff ff ff 28 b7 58 ca 80 ff ff ff  ........(.X.....
    3c 00 00 00 00 00 00 00 01 2f 03 b3 ec ff ff ff  <......../......
  backtrace (crc 8d877792):
    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
    [<000000006eadfab7>] vcap_rule_add_action+0x2d0/0x52c
    [<00000000323475d1>] vcap_api_encode_rule_test+0x4d4/0x16b0
    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
    [<00000000c5d82c9a>] kthread+0x2e8/0x374
    [<00000000f4287308>] ret_from_fork+0x10/0x20
unreferenced object 0xffffff80cc0b0900 (size 64):
  comm "kunit_try_catch", pid 1215, jiffies 4294898266
  hex dump (first 32 bytes):
    80 09 0b cc 80 ff ff ff 80 06 0b cc 80 ff ff ff  ................
    7d 00 00 00 01 00 00 00 00 00 00 00 ff 00 00 00  }...............
  backtrace (crc 34181e56):
    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528
    [<00000000991e3564>] vcap_val_rule+0xcf0/0x13e8
    [<00000000fc9868e5>] vcap_api_encode_rule_test+0x678/0x16b0
    [<00000000b3595fc4>] kunit_try_run_case+0x13c/0x3ac
    [<0000000010f5d2bf>] kunit_generic_run_threadfn_adapter+0x80/0xec
    [<00000000c5d82c9a>] kthread+0x2e8/0x374
    [<00000000f4287308>] ret_from_fork+0x10/0x20
unreferenced object 0xffffff80cc0b0980 (size 64):
  comm "kunit_try_catch", pid 1215, jiffies 4294898266
  hex dump (first 32 bytes):
    18 b7 58 ca 80 ff ff ff 00 09 0b cc 80 ff ff ff  ..X.............
    67 00 00 00 00 00 00 00 01 01 74 88 c0 ff ff ff  g.........t.....
  backtrace (crc 275fd9be):
    [<0000000052a0be73>] kmemleak_alloc+0x34/0x40
    [<0000000043605459>] __kmalloc_cache_noprof+0x26c/0x2f4
    [<000000000ff63fd4>] vcap_rule_add_key+0x2cc/0x528
    [<000000001396a1a2>] test_add_de

---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T01:15:05Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()\n\nCommit a3c1e45156ad (\"net: microchip: vcap: Fix use-after-free error in\nkunit test\") fixed the use-after-free error, but introduced below\nmemory leaks by removing necessary vcap_free_rule(), add it to fix it.\n\n\tunreferenced object 0xffffff80ca58b700 (size 192):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898264\n\t  hex dump (first 32 bytes):\n\t    00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00  ..z.........d...\n\t    00 00 00 00 00 00 00 00 00 04 0b cc 80 ff ff ff  ................\n\t  backtrace (crc 9c09c3fe):\n\t    [\u003c0000000052a0be73\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c0000000043605459\u003e] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [\u003c0000000040a01b8d\u003e] vcap_alloc_rule+0x3cc/0x9c4\n\t    [\u003c000000003fe86110\u003e] vcap_api_encode_rule_test+0x1ac/0x16b0\n\t    [\u003c00000000b3595fc4\u003e] kunit_try_run_case+0x13c/0x3ac\n\t    [\u003c0000000010f5d2bf\u003e] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [\u003c00000000c5d82c9a\u003e] kthread+0x2e8/0x374\n\t    [\u003c00000000f4287308\u003e] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0400 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898265\n\t  hex dump (first 32 bytes):\n\t    80 04 0b cc 80 ff ff ff 18 b7 58 ca 80 ff ff ff  ..........X.....\n\t    39 00 00 00 02 00 00 00 06 05 04 03 02 01 ff ff  9...............\n\t  backtrace (crc daf014e9):\n\t    [\u003c0000000052a0be73\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c0000000043605459\u003e] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [\u003c000000000ff63fd4\u003e] vcap_rule_add_key+0x2cc/0x528\n\t    [\u003c00000000dfdb1e81\u003e] vcap_api_encode_rule_test+0x224/0x16b0\n\t    [\u003c00000000b3595fc4\u003e] kunit_try_run_case+0x13c/0x3ac\n\t    [\u003c0000000010f5d2bf\u003e] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [\u003c00000000c5d82c9a\u003e] kthread+0x2e8/0x374\n\t    [\u003c00000000f4287308\u003e] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0700 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898265\n\t  hex dump (first 32 bytes):\n\t    80 07 0b cc 80 ff ff ff 28 b7 58 ca 80 ff ff ff  ........(.X.....\n\t    3c 00 00 00 00 00 00 00 01 2f 03 b3 ec ff ff ff  \u003c......../......\n\t  backtrace (crc 8d877792):\n\t    [\u003c0000000052a0be73\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c0000000043605459\u003e] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [\u003c000000006eadfab7\u003e] vcap_rule_add_action+0x2d0/0x52c\n\t    [\u003c00000000323475d1\u003e] vcap_api_encode_rule_test+0x4d4/0x16b0\n\t    [\u003c00000000b3595fc4\u003e] kunit_try_run_case+0x13c/0x3ac\n\t    [\u003c0000000010f5d2bf\u003e] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [\u003c00000000c5d82c9a\u003e] kthread+0x2e8/0x374\n\t    [\u003c00000000f4287308\u003e] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0900 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898266\n\t  hex dump (first 32 bytes):\n\t    80 09 0b cc 80 ff ff ff 80 06 0b cc 80 ff ff ff  ................\n\t    7d 00 00 00 01 00 00 00 00 00 00 00 ff 00 00 00  }...............\n\t  backtrace (crc 34181e56):\n\t    [\u003c0000000052a0be73\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c0000000043605459\u003e] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [\u003c000000000ff63fd4\u003e] vcap_rule_add_key+0x2cc/0x528\n\t    [\u003c00000000991e3564\u003e] vcap_val_rule+0xcf0/0x13e8\n\t    [\u003c00000000fc9868e5\u003e] vcap_api_encode_rule_test+0x678/0x16b0\n\t    [\u003c00000000b3595fc4\u003e] kunit_try_run_case+0x13c/0x3ac\n\t    [\u003c0000000010f5d2bf\u003e] kunit_generic_run_threadfn_adapter+0x80/0xec\n\t    [\u003c00000000c5d82c9a\u003e] kthread+0x2e8/0x374\n\t    [\u003c00000000f4287308\u003e] ret_from_fork+0x10/0x20\n\tunreferenced object 0xffffff80cc0b0980 (size 64):\n\t  comm \"kunit_try_catch\", pid 1215, jiffies 4294898266\n\t  hex dump (first 32 bytes):\n\t    18 b7 58 ca 80 ff ff ff 00 09 0b cc 80 ff ff ff  ..X.............\n\t    67 00 00 00 00 00 00 00 01 01 74 88 c0 ff ff ff  g.........t.....\n\t  backtrace (crc 275fd9be):\n\t    [\u003c0000000052a0be73\u003e] kmemleak_alloc+0x34/0x40\n\t    [\u003c0000000043605459\u003e] __kmalloc_cache_noprof+0x26c/0x2f4\n\t    [\u003c000000000ff63fd4\u003e] vcap_rule_add_key+0x2cc/0x528\n\t    [\u003c000000001396a1a2\u003e] test_add_de\n---truncated---",
  "id": "GHSA-p346-px87-vf2h",
  "modified": "2024-10-30T15:30:46Z",
  "published": "2024-10-29T03:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50084"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/170792097bb21e5da77443b6a03d35489813eabe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20b5342de51bda794791e013b90754774003a515"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/217a3d98d1e9891a8b1438a27dfbc64ddf01f691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P34F-RW7F-C723

Vulnerability from github – Published: 2025-01-09 18:32 – Updated: 2025-01-09 18:32
VLAI
Details

A Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service. 

Receipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS). Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition. This issue only affects systems configured with IPv6.

This issue affects Junos OS Evolved: 

  • from 22.4-EVO before 22.4R3-S5-EVO, 
  • from 23.2-EVO before 23.2R2-S2-EVO, 
  • from 23.4-EVO before 23.4R2-S2-EVO, 
  • from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.

This issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T17:15:18Z",
    "severity": "HIGH"
  },
  "details": "A\u00a0Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service.\u00a0\n\nReceipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS).\u00a0Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition.\nThis issue only affects systems configured with IPv6.\n\nThis issue affects Junos OS Evolved:\u00a0\n\n\n\n  *  from 22.4-EVO before 22.4R3-S5-EVO,\u00a0\n  *  from 23.2-EVO before 23.2R2-S2-EVO,\u00a0\n  *  from 23.4-EVO before 23.4R2-S2-EVO,\u00a0\n  *  from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\n\n\nThis issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO.",
  "id": "GHSA-p34f-rw7f-c723",
  "modified": "2025-01-09T18:32:15Z",
  "published": "2025-01-09T18:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21599"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA92869"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P39F-F66F-X437

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, verifier: Fix memory leak in array reallocation for stack state

If an error (NULL) is returned by krealloc(), callers of realloc_array() were setting their allocation pointers to NULL, but on error krealloc() does not touch the original allocation. This would result in a memory resource leak. Instead, free the old allocation on the error handling path.

The memory leak information is as follows as also reported by Zhengchao:

unreferenced object 0xffff888019801800 (size 256): comm "bpf_repo", pid 6490, jiffies 4294959200 (age 17.170s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000b211474b>] __kmalloc_node_track_caller+0x45/0xc0 [<0000000086712a0b>] krealloc+0x83/0xd0 [<00000000139aab02>] realloc_array+0x82/0xe2 [<00000000b1ca41d1>] grow_stack_state+0xfb/0x186 [<00000000cd6f36d2>] check_mem_access.cold+0x141/0x1341 [<0000000081780455>] do_check_common+0x5358/0xb350 [<0000000015f6b091>] bpf_check.cold+0xc3/0x29d [<000000002973c690>] bpf_prog_load+0x13db/0x2240 [<00000000028d1644>] __sys_bpf+0x1605/0x4ce0 [<00000000053f29bd>] __x64_sys_bpf+0x75/0xb0 [<0000000056fedaf5>] do_syscall_64+0x35/0x80 [<000000002bd58261>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, verifier: Fix memory leak in array reallocation for stack state\n\nIf an error (NULL) is returned by krealloc(), callers of realloc_array()\nwere setting their allocation pointers to NULL, but on error krealloc()\ndoes not touch the original allocation. This would result in a memory\nresource leak. Instead, free the old allocation on the error handling\npath.\n\nThe memory leak information is as follows as also reported by Zhengchao:\n\n  unreferenced object 0xffff888019801800 (size 256):\n  comm \"bpf_repo\", pid 6490, jiffies 4294959200 (age 17.170s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [\u003c00000000b211474b\u003e] __kmalloc_node_track_caller+0x45/0xc0\n    [\u003c0000000086712a0b\u003e] krealloc+0x83/0xd0\n    [\u003c00000000139aab02\u003e] realloc_array+0x82/0xe2\n    [\u003c00000000b1ca41d1\u003e] grow_stack_state+0xfb/0x186\n    [\u003c00000000cd6f36d2\u003e] check_mem_access.cold+0x141/0x1341\n    [\u003c0000000081780455\u003e] do_check_common+0x5358/0xb350\n    [\u003c0000000015f6b091\u003e] bpf_check.cold+0xc3/0x29d\n    [\u003c000000002973c690\u003e] bpf_prog_load+0x13db/0x2240\n    [\u003c00000000028d1644\u003e] __sys_bpf+0x1605/0x4ce0\n    [\u003c00000000053f29bd\u003e] __x64_sys_bpf+0x75/0xb0\n    [\u003c0000000056fedaf5\u003e] do_syscall_64+0x35/0x80\n    [\u003c000000002bd58261\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd",
  "id": "GHSA-p39f-f66f-x437",
  "modified": "2025-05-07T15:31:25Z",
  "published": "2025-05-01T15:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49878"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06615967d4889b08b19ff3dda96e8b131282f73d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e210891c4a4c2d858cd6f9f61d5809af251d4df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42378a9ca55347102bbf86708776061d8fe3ece2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3FV-P9HP-V9H2

Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-01-23 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

macintosh: fix possible memory leak in macio_add_one_device()

Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically. It needs to be freed when of_device_register() fails. Call put_device() to give up the reference that's taken in device_initialize(), so that it can be freed in kobject_cleanup() when the refcount hits 0.

macio device is freed in macio_release_dev(), so the kfree() can be removed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacintosh: fix possible memory leak in macio_add_one_device()\n\nAfer commit 1fa5ae857bb1 (\"driver core: get rid of struct device\u0027s\nbus_id string array\"), the name of device is allocated dynamically. It\nneeds to be freed when of_device_register() fails. Call put_device() to\ngive up the reference that\u0027s taken in device_initialize(), so that it\ncan be freed in kobject_cleanup() when the refcount hits 0.\n\nmacio device is freed in macio_release_dev(), so the kfree() can be\nremoved.",
  "id": "GHSA-p3fv-p9hp-v9h2",
  "modified": "2026-01-23T18:31:23Z",
  "published": "2025-10-04T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50474"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19ded60b40e86b0903c8d5bd0161437ed5107a8b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ac0a7059b7bcbed35bfffa34a82c9a9e99638ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35858b87a943917fa30172aa4bf01ce7adbcb42c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a866ff6fc2232c8e393cdb55ffb8ce947349e03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ca86eae55a2f006e6c1edd2029b2cacb6979515"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76837e7f6b30da72ad59f56291e22804a219e015"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa9054267366ff0a382d403d17728e21951ddbb9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b29a2f1dd33ae9b94821ab2f4d398b9081786748"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca765257feb89dacf604ced9cd233db5f865dee0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P44J-49F8-CP36

Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-17 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: rga: fix possible memory leak in rga_probe

rga->m2m_dev needs to be freed when rga_probe fails.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rga: fix possible memory leak in rga_probe\n\nrga-\u003em2m_dev needs to be freed when rga_probe fails.",
  "id": "GHSA-p44j-49f8-cp36",
  "modified": "2025-03-17T18:31:51Z",
  "published": "2025-03-17T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49502"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1cdc768468c25d6b10ab83ec1efd4a8554532d69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ddc89437ccefa18279918c19a61fd81527f40b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a71eb6025305192e646040cd76ccacb5bd48a1b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7bbca4d08471bc8404a946bab1aa017dd05199b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eeb4819e94aa69767b9e5591e70c63e8b7c5786a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P47R-WJHF-X2FG

Vulnerability from github – Published: 2025-10-24 18:30 – Updated: 2025-10-24 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix request_sock leak in sk lookup helpers

A customer reported a request_socket leak in a Calico cloud environment. We found that a BPF program was doing a socket lookup with takes a refcnt on the socket and that it was finding the request_socket but returning the parent LISTEN socket via sk_to_full_sk() without decrementing the child request socket 1st, resulting in request_sock slab object leak. This patch retains the existing behaviour of returning full socks to the caller but it also decrements the child request_socket if one is present before doing so to prevent the leak.

Thanks to Curtis Taylor for all the help in diagnosing and testing this. And thanks to Antoine Tenart for the reproducer and patch input.

v2 of this patch contains, refactor as per Daniel Borkmann's suggestions to validate RCU flags on the listen socket so that it balances with bpf_sk_release() and update comments as per Martin KaFai Lau's suggestion. One small change to Daniels suggestion, put "sk = sk2" under "if (sk2 != sk)" to avoid an extra instruction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix request_sock leak in sk lookup helpers\n\nA customer reported a request_socket leak in a Calico cloud environment. We\nfound that a BPF program was doing a socket lookup with takes a refcnt on\nthe socket and that it was finding the request_socket but returning the parent\nLISTEN socket via sk_to_full_sk() without decrementing the child request socket\n1st, resulting in request_sock slab object leak. This patch retains the\nexisting behaviour of returning full socks to the caller but it also decrements\nthe child request_socket if one is present before doing so to prevent the leak.\n\nThanks to Curtis Taylor for all the help in diagnosing and testing this. And\nthanks to Antoine Tenart for the reproducer and patch input.\n\nv2 of this patch contains, refactor as per Daniel Borkmann\u0027s suggestions to\nvalidate RCU flags on the listen socket so that it balances with bpf_sk_release()\nand update comments as per Martin KaFai Lau\u0027s suggestion. One small change to\nDaniels suggestion, put \"sk = sk2\" under \"if (sk2 != sk)\" to avoid an extra\ninstruction.",
  "id": "GHSA-p47r-wjhf-x2fg",
  "modified": "2025-10-24T18:30:56Z",
  "published": "2025-10-24T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49697"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3046a827316c0e55fc563b4fb78c93b9ca5c7c37"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/516760f1d2979903eaad5b437256913c5cd98416"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a62b5ba4c0ce8315b6382cd4ace81b48cd121cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ffe2e50e9678c8373027492035f094b130437f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b03607437ea81b850599f705096b05b85e7a4a71"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P47X-Q59Q-2MPW

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-11-06 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: fix memory leak in mcba_usb

Syzbot reported memory leak in SocketCAN driver for Microchip CAN BUS Analyzer Tool. The problem was in unfreed usb_coherent.

In mcba_usb_start() 20 coherent buffers are allocated and there is nothing, that frees them:

1) In callback function the urb is resubmitted and that's all 2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER is not set (see mcba_usb_start) and this flag cannot be used with coherent buffers.

Fail log: | [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected | [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)

So, all allocated buffers should be freed with usb_free_coherent() explicitly

NOTE: The same pattern for allocating and freeing coherent buffers is used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: fix memory leak in mcba_usb\n\nSyzbot reported memory leak in SocketCAN driver for Microchip CAN BUS\nAnalyzer Tool. The problem was in unfreed usb_coherent.\n\nIn mcba_usb_start() 20 coherent buffers are allocated and there is\nnothing, that frees them:\n\n1) In callback function the urb is resubmitted and that\u0027s all\n2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER\n   is not set (see mcba_usb_start) and this flag cannot be used with\n   coherent buffers.\n\nFail log:\n| [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected\n| [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)\n\nSo, all allocated buffers should be freed with usb_free_coherent()\nexplicitly\n\nNOTE:\nThe same pattern for allocating and freeing coherent buffers\nis used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c",
  "id": "GHSA-p47x-q59q-2mpw",
  "modified": "2024-11-06T21:30:54Z",
  "published": "2024-05-21T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47231"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bd3d80d1f019cefa7011056c54b323f1d8b8e83"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f87c0e21ad20dd3d22108e33db1c552dfa352a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89df95ce32be204eef2e7d4b2f6fb552fb191a68"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91c02557174be7f72e46ed7311e3bea1939840b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a115198caaab6d663bef75823a3c5f0802306d60"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0760a4ef85697bc756d06eae17ae27f3f055401"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.