Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-P73W-X3R8-72C9

Vulnerability from github – Published: 2025-03-14 00:30 – Updated: 2025-03-14 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Free the page array when watch_queue is dismantled

Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the watch_queue is torn down") took care of the bitmap, but not the page array.

BUG: memory leak unreferenced object 0xffff88810d9bc140 (size 32): comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s) hex dump (first 32 bytes): 40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: kmalloc_array include/linux/slab.h:621 [inline] kcalloc include/linux/slab.h:652 [inline] watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251 pipe_ioctl+0x82/0x140 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:51Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Free the page array when watch_queue is dismantled\n\nCommit 7ea1a0124b6d (\"watch_queue: Free the alloc bitmap when the\nwatch_queue is torn down\") took care of the bitmap, but not the page\narray.\n\n  BUG: memory leak\n  unreferenced object 0xffff88810d9bc140 (size 32):\n  comm \"syz-executor335\", pid 3603, jiffies 4294946994 (age 12.840s)\n  hex dump (first 32 bytes):\n    40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00  @.@.............\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n     kmalloc_array include/linux/slab.h:621 [inline]\n     kcalloc include/linux/slab.h:652 [inline]\n     watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251\n     pipe_ioctl+0x82/0x140 fs/pipe.c:632\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:874 [inline]\n     __se_sys_ioctl fs/ioctl.c:860 [inline]\n     __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860\n     do_syscall_x64 arch/x86/entry/common.c:50 [inline]",
  "id": "GHSA-p73w-x3r8-72c9",
  "modified": "2025-03-14T00:30:50Z",
  "published": "2025-03-14T00:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49148"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/375cd2536494cfbcdda84ae8b3e35bf19d0250b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3963a5d1ff75585bddf0c3a918566a6be09d7520"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4913daecd04addb41bc96a9175a885e1c19862a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7169f60110915c8b53bffd43741fa020a75eb87a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b490207017ba237d97b735b2aa66dc241ccd18f5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7FX-58MJ-Q5FX

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-09-26 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix out_fput in iommufd_fault_alloc()

As fput() calls the file->f_op->release op, where fault obj and ictx are getting released, there is no need to release these two after fput() one more time, which would result in imbalanced refcounts: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230 Call trace: refcount_warn_saturate+0x60/0x230 (P) refcount_warn_saturate+0x60/0x230 (L) iommufd_fault_fops_release+0x9c/0xe0 [iommufd] ... VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd]) WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0 Call trace: filp_flush+0x3c/0xf0 (P) filp_flush+0x3c/0xf0 (L) __arm64_sys_close+0x34/0x98 ... imbalanced put on file reference count WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138 Call trace: __file_ref_put+0x100/0x138 (P) __file_ref_put+0x100/0x138 (L) __fput_sync+0x4c/0xd0

Drop those two lines to fix the warnings above.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:21Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix out_fput in iommufd_fault_alloc()\n\nAs fput() calls the file-\u003ef_op-\u003erelease op, where fault obj and ictx are\ngetting released, there is no need to release these two after fput() one\nmore time, which would result in imbalanced refcounts:\n  refcount_t: decrement hit 0; leaking memory.\n  WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230\n  Call trace:\n   refcount_warn_saturate+0x60/0x230 (P)\n   refcount_warn_saturate+0x60/0x230 (L)\n   iommufd_fault_fops_release+0x9c/0xe0 [iommufd]\n  ...\n  VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd])\n  WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0\n  Call trace:\n   filp_flush+0x3c/0xf0 (P)\n   filp_flush+0x3c/0xf0 (L)\n   __arm64_sys_close+0x34/0x98\n  ...\n  imbalanced put on file reference count\n  WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138\n  Call trace:\n   __file_ref_put+0x100/0x138 (P)\n   __file_ref_put+0x100/0x138 (L)\n   __fput_sync+0x4c/0xd0\n\nDrop those two lines to fix the warnings above.",
  "id": "GHSA-p7fx-58mj-q5fx",
  "modified": "2025-09-26T18:31:18Z",
  "published": "2024-12-27T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56624"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b3f30c8edbf9a122ce01f13f0f41fbca5f1d41d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af7f4780514f850322b2959032ecaa96e4b26472"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7Q6-69W3-PPV9

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13
VLAI
Details

Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-16T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand.",
  "id": "GHSA-p7q6-69w3-ppv9",
  "modified": "2022-05-13T01:13:37Z",
  "published": "2022-05-13T01:13:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5857"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1418382"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201702-28"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu-project.org/?p=qemu.git%3Ba=commit%3Bh=5e8e3c4c75c199aa1017db816fca02be2a9f8798"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu-project.org/?p=qemu.git;a=commit;h=5e8e3c4c75c199aa1017db816fca02be2a9f8798"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/02/01/21"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/02/02/16"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95993"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7Q8-377Q-PX25

Vulnerability from github – Published: 2023-10-02 21:30 – Updated: 2025-02-13 18:31
VLAI
Details

In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-02T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.",
  "id": "GHSA-p7q8-377q-px25",
  "modified": "2025-02-13T18:31:54Z",
  "published": "2023-10-02T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3592"
    },
    {
      "type": "WEB",
      "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8MJ-X7W2-CP95

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: usb: smsc75xx: Limit packet length to skb->len

Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:31Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Limit packet length to skb-\u003elen\n\nPacket length retrieved from skb data may be larger than\nthe actual socket buffer length (up to 9026 bytes). In such\ncase the cloned skb passed up the network stack will leak\nkernel memory contents.",
  "id": "GHSA-p8mj-x7w2-cp95",
  "modified": "2025-11-10T18:30:29Z",
  "published": "2025-05-02T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53125"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/105db6574281e1e03fcbf87983f4fee111682306"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a4de0a68b18485c68ab4f0cfa665b1633c6d277"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/53966d572d056d6b234cfe76a5f9d60049d3c178"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ee5df9c039e37b9d8eb5e3de08bfb7f53d31cb6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9fabdd79051a9fe51388df099aff6e4b660fedd2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7bdc137ca163b90917c1eeba4f1937684bd4f8b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8b228318935044dafe3a5bc07ee71a1f1424b8d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e294f0aa47e4844f3d3c8766c02accd5a76a7d4e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8QM-MXFJ-7VC2

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34
VLAI
Details

An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T22:16:46Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.",
  "id": "GHSA-p8qm-mxfj-7vc2",
  "modified": "2026-07-01T00:34:00Z",
  "published": "2026-07-01T00:34:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DCMTK/dcmtk/releases/tag/latest"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-181-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P8WH-6XV6-4499

Vulnerability from github – Published: 2024-03-15 21:30 – Updated: 2025-01-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in caif_device_notify

In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T21:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in caif_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won\u0027t be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error",
  "id": "GHSA-p8wh-6xv6-4499",
  "modified": "2025-01-07T18:30:39Z",
  "published": "2024-03-15T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47122"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3be863c11cab725add9fef4237ed4e232c3fc3bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bca2034b41c15b62d47a19158bb76235fd4455d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a0e317f61094d377335547e015dd2ff12caf893"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9348c1f10932f13b299cbc8b1bd5f780751fae49"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af2806345a37313f01b1c9f15e046745b8ee2daa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b042e2b2039565eb8f0eb51c14fbe1ef463c8cd8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b53558a950a89824938e9811eddfc8efcd94e1bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f52f4fd67264c70cd0b4ba326962ebe12d9cba94"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P98W-XRC8-4W6X

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix memory leak in vhci_write

Syzkaller reports a memory leak as follows:

BUG: memory leak unreferenced object 0xffff88810d81ac00 (size 240): [...] hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418 [] alloc_skb include/linux/skbuff.h:1257 [inline] [] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline] [] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline] [] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511 [] call_write_iter include/linux/fs.h:2192 [inline] [] new_sync_write fs/read_write.c:491 [inline] [] vfs_write+0x42d/0x540 fs/read_write.c:578 [] ksys_write+0x9d/0x160 fs/read_write.c:631 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd ====================================

HCI core will uses hci_rx_work() to process frame, which is queued to the hdev->rx_q tail in hci_recv_frame() by HCI driver.

Yet the problem is that, HCI core may not free the skb after handling ACL data packets. To be more specific, when start fragment does not contain the L2CAP length, HCI core just copies skb into conn->rx_skb and finishes frame process in l2cap_recv_acldata(), without freeing the skb, which triggers the above memory leak.

This patch solves it by releasing the relative skb, after processing the above case in l2cap_recv_acldata().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix memory leak in vhci_write\n\nSyzkaller reports a memory leak as follows:\n====================================\nBUG: memory leak\nunreferenced object 0xffff88810d81ac00 (size 240):\n  [...]\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    [\u003cffffffff838733d9\u003e] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418\n    [\u003cffffffff833f742f\u003e] alloc_skb include/linux/skbuff.h:1257 [inline]\n    [\u003cffffffff833f742f\u003e] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]\n    [\u003cffffffff833f742f\u003e] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]\n    [\u003cffffffff833f742f\u003e] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511\n    [\u003cffffffff815e398d\u003e] call_write_iter include/linux/fs.h:2192 [inline]\n    [\u003cffffffff815e398d\u003e] new_sync_write fs/read_write.c:491 [inline]\n    [\u003cffffffff815e398d\u003e] vfs_write+0x42d/0x540 fs/read_write.c:578\n    [\u003cffffffff815e3cdd\u003e] ksys_write+0x9d/0x160 fs/read_write.c:631\n    [\u003cffffffff845e0645\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n    [\u003cffffffff845e0645\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n    [\u003cffffffff84600087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n====================================\n\nHCI core will uses hci_rx_work() to process frame, which is queued to\nthe hdev-\u003erx_q tail in hci_recv_frame() by HCI driver.\n\nYet the problem is that, HCI core may not free the skb after handling\nACL data packets. To be more specific, when start fragment does not\ncontain the L2CAP length, HCI core just copies skb into conn-\u003erx_skb and\nfinishes frame process in l2cap_recv_acldata(), without freeing the skb,\nwhich triggers the above memory leak.\n\nThis patch solves it by releasing the relative skb, after processing\nthe above case in l2cap_recv_acldata().",
  "id": "GHSA-p98w-xrc8-4w6x",
  "modified": "2025-05-07T15:31:26Z",
  "published": "2025-05-01T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49908"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b4f039a2f487c5edae681d763fe1af505f84c13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c9524d929648935bac2bbb4c20437df8f9c3f42"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa16cac06b752e5f609c106735bd7838f444784c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC3Q-7XFR-H5H3

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2026-01-30 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: csa unmap use uninterruptible lock

After process exit to unmap csa and free GPU vm, if signal is accepted and then waiting to take vm lock is interrupted and return, it causes memory leaking and below warning backtrace.

Change to use uninterruptible wait lock fix the issue.

WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu] Call Trace: drm_file_free.part.0+0x1da/0x230 [drm] drm_close_helper.isra.0+0x65/0x70 [drm] drm_release+0x6a/0x120 [drm] amdgpu_drm_release+0x51/0x60 [amdgpu] __fput+0x9f/0x280 ____fput+0xe/0x20 task_work_run+0x67/0xa0 do_exit+0x217/0x3c0 do_group_exit+0x3b/0xb0 get_signal+0x14a/0x8d0 arch_do_signal_or_restart+0xde/0x100 exit_to_user_mode_loop+0xc1/0x1a0 exit_to_user_mode_prepare+0xf4/0x100 syscall_exit_to_user_mode+0x17/0x40 do_syscall_64+0x69/0xc0

(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T10:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: csa unmap use uninterruptible lock\n\nAfter process exit to unmap csa and free GPU vm, if signal is accepted\nand then waiting to take vm lock is interrupted and return, it causes\nmemory leaking and below warning backtrace.\n\nChange to use uninterruptible wait lock fix the issue.\n\nWARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525\n amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]\n Call Trace:\n  \u003cTASK\u003e\n  drm_file_free.part.0+0x1da/0x230 [drm]\n  drm_close_helper.isra.0+0x65/0x70 [drm]\n  drm_release+0x6a/0x120 [drm]\n  amdgpu_drm_release+0x51/0x60 [amdgpu]\n  __fput+0x9f/0x280\n  ____fput+0xe/0x20\n  task_work_run+0x67/0xa0\n  do_exit+0x217/0x3c0\n  do_group_exit+0x3b/0xb0\n  get_signal+0x14a/0x8d0\n  arch_do_signal_or_restart+0xde/0x100\n  exit_to_user_mode_loop+0xc1/0x1a0\n  exit_to_user_mode_prepare+0xf4/0x100\n  syscall_exit_to_user_mode+0x17/0x40\n  do_syscall_64+0x69/0xc0\n\n(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)",
  "id": "GHSA-pc3q-7xfr-h5h3",
  "modified": "2026-01-30T12:31:20Z",
  "published": "2025-06-18T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38011"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d2979b9bb1be0f4a52dff600e56d780403e04ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d71c3231b33e24a911b8f2d8c3a17ee40aa32d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a0fa7873f2f869087b1e7793f7fac3713a1e3afe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1adc8d9a0d219d4e88672c30dbc9ea960d73136"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC3V-MPGJ-WXWQ

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-19 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Free the node during ctrl_cmd_bye()

A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and free the node finally. But currently, the nameserver doesn't free the node memory even after processing the BYE packet. This causes the node memory to leak.

Hence, remove the node from Xarray list and free the node memory during both success and failure case of ctrl_cmd_bye().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:23Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Free the node during ctrl_cmd_bye()\n\nA node sends the BYE packet when it is about to go down. So the nameserver\nshould advertise the removal of the node to all remote and local observers\nand free the node finally. But currently, the nameserver doesn\u0027t free the\nnode memory even after processing the BYE packet. This causes the node\nmemory to leak.\n\nHence, remove the node from Xarray list and free the node memory during\nboth success and failure case of ctrl_cmd_bye().",
  "id": "GHSA-pc3v-mpgj-wxwq",
  "modified": "2026-06-19T15:33:13Z",
  "published": "2026-05-27T15:33:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46038"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25d580a46b079a7963ff024a5195e547baf12b64"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c9cca46acb6f22e63f015ea7b2ed6032d2badf5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5a454f3364877b22f0e5a165df8b3702ff96ae7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.