CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-WGF5-7HQ7-35G6
Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 15:30In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()
When snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails, wcd937x_soc_codec_probe() returns without releasing 'wcd937x->clsh_info', which is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free() to prevent potential memory leak.
{
"affected": [],
"aliases": [
"CVE-2025-37941"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T16:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()\n\nWhen snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails,\nwcd937x_soc_codec_probe() returns without releasing \u0027wcd937x-\u003eclsh_info\u0027,\nwhich is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free()\nto prevent potential memory leak.",
"id": "GHSA-wgf5-7hq7-35g6",
"modified": "2025-11-17T15:30:31Z",
"published": "2025-05-20T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37941"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e330acf4efd63876d673c046cd073a1d4ed57a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aafb5325aca3e806b3ea3707402189263473d257"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/acadb2e2b3c5b9977a843a3a94fece9bdcf6aea1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b573e04116fd33b9143fa276bbab2f0afad0a1ae"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGRH-WQ84-J2XM
Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2025-11-26 18:30In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Remove skb secpath if xfrm state is not found
Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup.
Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0.
Subsequently, functions like __xfrm_policy_check() attempt to access fields such as xfrm_input_state(skb)->xso.type (which dereferences sp->xvec[sp->len - 1]) without first validating sp->len. This leads to a crash when dereferencing an invalid state pointer.
This patch prevents the crash by explicitly removing the secpath extension from the skb if the xfrm state is not found after hardware decryption. This ensures downstream functions do not operate on a zero-length secpath.
BUG: unable to handle page fault for address: ffffffff000002c8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 282e067 P4D 282e067 PUD 0 Oops: Oops: 0000 [#1] SMP CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:__xfrm_policy_check+0x61a/0xa30 Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa RSP: 0018:ffff88885fb04918 EFLAGS: 00010297 RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353 R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8 R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00 FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? try_to_wake_up+0x108/0x4c0 ? udp4_lib_lookup2+0xbe/0x150 ? udp_lib_lport_inuse+0x100/0x100 ? __udp4_lib_lookup+0x2b0/0x410 __xfrm_policy_check2.constprop.0+0x11e/0x130 udp_queue_rcv_one_skb+0x1d/0x530 udp_unicast_rcv_skb+0x76/0x90 __udp4_lib_rcv+0xa64/0xe90 ip_protocol_deliver_rcu+0x20/0x130 ip_local_deliver_finish+0x75/0xa0 ip_local_deliver+0xc1/0xd0 ? ip_protocol_deliver_rcu+0x130/0x130 ip_sublist_rcv+0x1f9/0x240 ? ip_rcv_finish_core+0x430/0x430 ip_list_rcv+0xfc/0x130 __netif_receive_skb_list_core+0x181/0x1e0 netif_receive_skb_list_internal+0x200/0x360 ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core] gro_receive_skb+0xfd/0x210 mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core] mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core] ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core] mlx5e_napi_poll+0x114/0xab0 [mlx5_core] __napi_poll+0x25/0x170 net_rx_action+0x32d/0x3a0 ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core] ? notifier_call_chain+0x33/0xa0 handle_softirqs+0xda/0x250 irq_exit_rcu+0x6d/0xc0 common_interrupt+0x81/0xa0
{
"affected": [],
"aliases": [
"CVE-2025-38590"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T17:15:36Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Remove skb secpath if xfrm state is not found\n\nHardware returns a unique identifier for a decrypted packet\u0027s xfrm\nstate, this state is looked up in an xarray. However, the state might\nhave been freed by the time of this lookup.\n\nCurrently, if the state is not found, only a counter is incremented.\nThe secpath (sp) extension on the skb is not removed, resulting in\nsp-\u003elen becoming 0.\n\nSubsequently, functions like __xfrm_policy_check() attempt to access\nfields such as xfrm_input_state(skb)-\u003exso.type (which dereferences\nsp-\u003exvec[sp-\u003elen - 1]) without first validating sp-\u003elen. This leads to\na crash when dereferencing an invalid state pointer.\n\nThis patch prevents the crash by explicitly removing the secpath\nextension from the skb if the xfrm state is not found after hardware\ndecryption. This ensures downstream functions do not operate on a\nzero-length secpath.\n\n BUG: unable to handle page fault for address: ffffffff000002c8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 282e067 P4D 282e067 PUD 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__xfrm_policy_check+0x61a/0xa30\n Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 \u003c0f\u003e b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa\n RSP: 0018:ffff88885fb04918 EFLAGS: 00010297\n RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000\n RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353\n R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8\n R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00\n FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cIRQ\u003e\n ? try_to_wake_up+0x108/0x4c0\n ? udp4_lib_lookup2+0xbe/0x150\n ? udp_lib_lport_inuse+0x100/0x100\n ? __udp4_lib_lookup+0x2b0/0x410\n __xfrm_policy_check2.constprop.0+0x11e/0x130\n udp_queue_rcv_one_skb+0x1d/0x530\n udp_unicast_rcv_skb+0x76/0x90\n __udp4_lib_rcv+0xa64/0xe90\n ip_protocol_deliver_rcu+0x20/0x130\n ip_local_deliver_finish+0x75/0xa0\n ip_local_deliver+0xc1/0xd0\n ? ip_protocol_deliver_rcu+0x130/0x130\n ip_sublist_rcv+0x1f9/0x240\n ? ip_rcv_finish_core+0x430/0x430\n ip_list_rcv+0xfc/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x200/0x360\n ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]\n gro_receive_skb+0xfd/0x210\n mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]\n mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]\n ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]\n mlx5e_napi_poll+0x114/0xab0 [mlx5_core]\n __napi_poll+0x25/0x170\n net_rx_action+0x32d/0x3a0\n ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]\n ? notifier_call_chain+0x33/0xa0\n handle_softirqs+0xda/0x250\n irq_exit_rcu+0x6d/0xc0\n common_interrupt+0x81/0xa0\n \u003c/IRQ\u003e",
"id": "GHSA-wgrh-wq84-j2xm",
"modified": "2025-11-26T18:30:58Z",
"published": "2025-08-19T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38590"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/137b12a4900eb6971b889839eab6036f72cbb217"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/314f568b84b01f6eac1e4313ca47f9ade4349443"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a5782431d84716b66302b07ff1b32fea1023bd5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d19c44b5c6dd72f9a357d0399604ec16a77de3c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/781a0bbf377443ef06f3248221f06cb555935530"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGVC-GHV9-3PMM
Vulnerability from github – Published: 2026-03-18 13:01 – Updated: 2026-03-20 21:19Summary
ujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers.
Exploitability
Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks.
Details
The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.
ujson.loads(str(2 ** 64 - 1)) # No leak
ujson.loads(str(2 ** 64)) # Leaks
ujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError
Fix
The leak is fixed in ujson 5.12.0 (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.
Credits
Discovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.11.0"
},
"package": {
"ecosystem": "PyPI",
"name": "ujson"
},
"ranges": [
{
"events": [
{
"introduced": "5.4.0"
},
{
"fixed": "5.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32874"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T13:01:15Z",
"nvd_published_at": "2026-03-20T02:16:35Z",
"severity": "HIGH"
},
"details": "#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1)) # No leak\nujson.loads(str(2 ** 64)) # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)",
"id": "GHSA-wgvc-ghv9-3pmm",
"modified": "2026-03-20T21:19:48Z",
"published": "2026-03-18T13:01:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32874"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"
},
{
"type": "PACKAGE",
"url": "https://github.com/ultrajson/ultrajson"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "UltraJSON has a Memory Leak parsing large integers allows DoS "
}
GHSA-WGXR-CXXG-W4CJ
Vulnerability from github – Published: 2025-07-04 15:31 – Updated: 2025-12-18 18:30In the Linux kernel, the following vulnerability has been resolved:
atm: atmtcp: Free invalid length skb in atmtcp_c_send().
syzbot reported the splat below. [0]
vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send().
atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough.
Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert atm_account_tx() in vcc_sendmsg(), which is expected to be done in atm_pop_raw().
Let's properly free skb with an invalid length in atmtcp_c_send().
[0]: BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294 atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294 vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 _syssendmsg+0x7e0/0xd80 net/socket.c:2566 _sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at: slab_post_alloc_hook mm/slub.c:4154 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670 alloc_skb include/linux/skbuff.h:1336 [inline] vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 _syssendmsg+0x7e0/0xd80 net/socket.c:2566 _sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
{
"affected": [],
"aliases": [
"CVE-2025-38185"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T14:15:25Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Free invalid length skb in atmtcp_c_send().\n\nsyzbot reported the splat below. [0]\n\nvcc_sendmsg() copies data passed from userspace to skb and passes\nit to vcc-\u003edev-\u003eops-\u003esend().\n\natmtcp_c_send() accesses skb-\u003edata as struct atmtcp_hdr after\nchecking if skb-\u003elen is 0, but it\u0027s not enough.\n\nAlso, when skb-\u003elen == 0, skb and sk (vcc) were leaked because\ndev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing\nto revert atm_account_tx() in vcc_sendmsg(), which is expected\nto be done in atm_pop_raw().\n\nLet\u0027s properly free skb with an invalid length in atmtcp_c_send().\n\n[0]:\nBUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294\n vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4154 [inline]\n slab_alloc_node mm/slub.c:4197 [inline]\n kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579\n __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670\n alloc_skb include/linux/skbuff.h:1336 [inline]\n vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x330/0x3d0 net/socket.c:727\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620\n __sys_sendmsg net/socket.c:2652 [inline]\n __do_sys_sendmsg net/socket.c:2657 [inline]\n __se_sys_sendmsg net/socket.c:2655 [inline]\n __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655\n x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025",
"id": "GHSA-wgxr-cxxg-w4cj",
"modified": "2025-12-18T18:30:28Z",
"published": "2025-07-04T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38185"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b0ad18704913c92a3ad53748fbc0f219a75b876"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f370ae1fb6317985f3497b1bb80d457508ca2f7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3261c017a7c5d2815c6a388c5a3280d1fba0e8db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4b0fd8c25a7583f8564af6cc910418fb8954e89"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c19c0943424b412a84fdf178e6c71fe5480e4f0f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c9260c837de1d2b454960a4a2e44a81272fbcd22"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca00f0e6d733ecd9150716d1fd0138d26e674706"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e996507f59610e5752b8702537f13f551e7a2c96"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WH29-5H6C-273F
Vulnerability from github – Published: 2025-09-18 15:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
time/debug: Fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once.
{
"affected": [],
"aliases": [
"CVE-2023-53403"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T14:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntime/debug: Fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic at\nonce.",
"id": "GHSA-wh29-5h6c-273f",
"modified": "2025-12-12T21:31:31Z",
"published": "2025-09-18T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53403"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/15cffd01ed80e3506e29ba9f441e2358413b7317"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b268d8abaec6cbd4bd70d062e769098d96670aa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b588b42d077ce93c98704b41003bcec6a564b738"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dc39fbd865a9819db4b622f610ba17b2ebc294f4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WH8G-PFMC-586J
Vulnerability from github – Published: 2024-08-22 03:31 – Updated: 2024-09-12 15:32In the Linux kernel, the following vulnerability has been resolved:
ibmvnic: free reset-work-item when flushing
Fix a tiny memory leak when flushing the reset work queue.
{
"affected": [],
"aliases": [
"CVE-2022-48905"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T02:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: free reset-work-item when flushing\n\nFix a tiny memory leak when flushing the reset work queue.",
"id": "GHSA-wh8g-pfmc-586j",
"modified": "2024-09-12T15:32:59Z",
"published": "2024-08-22T03:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48905"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39738a2346b270e8f72f88d8856de2c167bd2899"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c26745e4576cec224092e6cc12e37829333b183"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58b07100c20e95c78b8cb4d6d28ca53eb9ef81f2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6acbc8875282d3ca8a73fa93cd7a9b166de5019c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/786576c03b313a9ff6585458aa0dfd039d897f51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d0657f39f487d904fca713e0bc39c2707382553"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHMQ-CFM5-J8MJ
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-09-26 14:38An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service (DoS).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nfstream"
},
"versions": [
"5.2.0"
]
}
],
"aliases": [
"CVE-2020-25340"
],
"database_specific": {
"cwe_ids": [
"CWE-401",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T22:57:23Z",
"nvd_published_at": "2021-02-16T15:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a memory leak that may result in a local denial of service (DoS).",
"id": "GHSA-whmq-cfm5-j8mj",
"modified": "2024-09-26T14:38:49Z",
"published": "2022-05-24T17:42:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25340"
},
{
"type": "WEB",
"url": "https://github.com/ntop/nDPI/issues/994"
},
{
"type": "PACKAGE",
"url": "https://github.com/nfstream/nfstream"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/nfstream/PYSEC-2021-68.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "NFStream Local Denial of Service (DoS)"
}
GHSA-WHQX-PWJM-Q9PC
Vulnerability from github – Published: 2025-03-18 21:32 – Updated: 2025-03-18 21:32In the Linux kernel, the following vulnerability has been resolved:
rtw88: fix memory overrun and memory leak during hw_scan
Previously we allocated less memory than actual required, overwrite to the buffer causes the mm module to complaint and raise access violation faults. Along with potential memory leaks when returned early. Fix these by passing the correct size and proper deinit flow.
{
"affected": [],
"aliases": [
"CVE-2022-49231"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw88: fix memory overrun and memory leak during hw_scan\n\nPreviously we allocated less memory than actual required, overwrite\nto the buffer causes the mm module to complaint and raise access\nviolation faults. Along with potential memory leaks when returned\nearly. Fix these by passing the correct size and proper deinit flow.",
"id": "GHSA-whqx-pwjm-q9pc",
"modified": "2025-03-18T21:32:00Z",
"published": "2025-03-18T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49231"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d95984b5580dcb8b1c0036577c52b609990a1dab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec5da191bfcd5fd22b95459b623694f66c1cc10b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WHRX-8QVW-6P89
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2026-07-04 12:30In the Linux kernel, the following vulnerability has been resolved:
netdevsim: Fix memory leak of nsim_dev->fa_cookie
kmemleak reports this issue:
unreferenced object 0xffff8881bac872d0 (size 8): comm "sh", pid 58603, jiffies 4481524462 (age 68.065s) hex dump (first 8 bytes): 04 00 00 00 de ad be ef ........ backtrace: [<00000000c80b8577>] __kmalloc+0x49/0x150 [<000000005292b8c6>] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim] [<0000000093d78e77>] full_proxy_write+0xf3/0x180 [<000000005a662c16>] vfs_write+0x1c5/0xaf0 [<000000007aabf84a>] ksys_write+0xed/0x1c0 [<000000005f1d2e47>] do_syscall_64+0x3b/0x90 [<000000006001c6ec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
The issue occurs in the following scenarios:
nsim_dev_trap_fa_cookie_write() kmalloc() fa_cookie nsim_dev->fa_cookie = fa_cookie .. nsim_drv_remove()
The fa_cookie allocked in nsim_dev_trap_fa_cookie_write() is not freed. To fix, add kfree(nsim_dev->fa_cookie) to nsim_drv_remove().
{
"affected": [],
"aliases": [
"CVE-2022-49803"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: Fix memory leak of nsim_dev-\u003efa_cookie\n\nkmemleak reports this issue:\n\nunreferenced object 0xffff8881bac872d0 (size 8):\n comm \"sh\", pid 58603, jiffies 4481524462 (age 68.065s)\n hex dump (first 8 bytes):\n 04 00 00 00 de ad be ef ........\n backtrace:\n [\u003c00000000c80b8577\u003e] __kmalloc+0x49/0x150\n [\u003c000000005292b8c6\u003e] nsim_dev_trap_fa_cookie_write+0xc1/0x210 [netdevsim]\n [\u003c0000000093d78e77\u003e] full_proxy_write+0xf3/0x180\n [\u003c000000005a662c16\u003e] vfs_write+0x1c5/0xaf0\n [\u003c000000007aabf84a\u003e] ksys_write+0xed/0x1c0\n [\u003c000000005f1d2e47\u003e] do_syscall_64+0x3b/0x90\n [\u003c000000006001c6ec\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe issue occurs in the following scenarios:\n\nnsim_dev_trap_fa_cookie_write()\n kmalloc() fa_cookie\n nsim_dev-\u003efa_cookie = fa_cookie\n..\nnsim_drv_remove()\n\nThe fa_cookie allocked in nsim_dev_trap_fa_cookie_write() is not freed. To\nfix, add kfree(nsim_dev-\u003efa_cookie) to nsim_drv_remove().",
"id": "GHSA-whrx-8qvw-6p89",
"modified": "2026-07-04T12:30:27Z",
"published": "2025-05-01T15:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49803"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/064bc7312bd09a48798418663090be0c776183db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/207edad5717e0a5709ce8467f0eff41c607835c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d463ddd0107d4188229d996dcdd45c99bad8af7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d79725a7073d86b9185f87718e22f3d65115801"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJ4M-72R4-QCMM
Vulnerability from github – Published: 2023-05-09 15:30 – Updated: 2024-04-04 03:55yasm v1.3.0 was discovered to contain a use after free via the function expand_mmac_params at /nasm/nasm-pp.c.
{
"affected": [],
"aliases": [
"CVE-2023-31973"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T14:15:13Z",
"severity": "MODERATE"
},
"details": "yasm v1.3.0 was discovered to contain a use after free via the function expand_mmac_params at /nasm/nasm-pp.c.",
"id": "GHSA-wj4m-72r4-qcmm",
"modified": "2024-04-04T03:55:35Z",
"published": "2023-05-09T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31973"
},
{
"type": "WEB",
"url": "https://github.com/yasm/yasm/issues/207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.