Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-727R-5FR6-WJFP

Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-29 20:06
VLAI
Details

A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-24T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server\u2019s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.",
  "id": "GHSA-727r-5fr6-wjfp",
  "modified": "2022-08-29T20:06:54Z",
  "published": "2022-08-25T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dogtagpki/jss/commit/3aabe0e9d59b0a42e68ac8cd0468f9c5179967d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dogtagpki/jss/commit/5922560a78d0dee61af8a33cc9cfbf4cfa291448"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-4213"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2042900"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2021-4213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-727R-P73P-M83H

Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-04 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

media: i2c: hi846: Fix memory leak in hi846_parse_dt()

If any of the checks related to the supported link frequencies fail, then the V4L2 fwnode resources don't get released before returning, which leads to a memleak. Fix this by properly freeing the V4L2 fwnode data in a designated label.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: hi846: Fix memory leak in hi846_parse_dt()\n\nIf any of the checks related to the supported link frequencies fail, then\nthe V4L2 fwnode resources don\u0027t get released before returning, which leads\nto a memleak. Fix this by properly freeing the V4L2 fwnode data in a\ndesignated label.",
  "id": "GHSA-727r-p73p-m83h",
  "modified": "2026-02-04T21:30:24Z",
  "published": "2025-10-07T18:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50548"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4368730678412a8fa71960dbda81e122dafa70f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80113026d415e27483669db7a88b548d1ec3d3d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a05a9ae9ef3fffc9bc7ec2bc432a249a01155f6e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-729Q-4W2J-59V3

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-28 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

kunit: executor: Fix a memory leak on failure in kunit_filter_tests

It's possible that memory allocation for 'filtered' will fail, but for the copy of the suite to succeed. In this case, the copy could be leaked.

Properly free 'copy' in the error case for the allocation of 'filtered' failing.

Note that there may also have been a similar issue in kunit_filter_subsuites, before it was removed in "kunit: flatten kunit_suite* to kunit_suite in .kunit_test_suites".

This was reported by clang-analyzer via the kernel test robot, here: https://lore.kernel.org/all/c8073b8e-7b9e-0830-4177-87c12f16349c@intel.com/

And by smatch via Dan Carpenter and the kernel test robot: https://lore.kernel.org/all/202207101328.ASjx88yj-lkp@intel.com/

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:47Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkunit: executor: Fix a memory leak on failure in kunit_filter_tests\n\nIt\u0027s possible that memory allocation for \u0027filtered\u0027 will fail, but for the\ncopy of the suite to succeed. In this case, the copy could be leaked.\n\nProperly free \u0027copy\u0027 in the error case for the allocation of \u0027filtered\u0027\nfailing.\n\nNote that there may also have been a similar issue in\nkunit_filter_subsuites, before it was removed in \"kunit: flatten\nkunit_suite*** to kunit_suite** in .kunit_test_suites\".\n\nThis was reported by clang-analyzer via the kernel test robot, here:\nhttps://lore.kernel.org/all/c8073b8e-7b9e-0830-4177-87c12f16349c@intel.com/\n\nAnd by smatch via Dan Carpenter and the kernel test robot:\nhttps://lore.kernel.org/all/202207101328.ASjx88yj-lkp@intel.com/",
  "id": "GHSA-729q-4w2j-59v3",
  "modified": "2025-11-28T15:30:27Z",
  "published": "2025-06-18T12:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50170"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d69764fa3442c7615a75c6b5c02eaa1f274bccf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94681e289bf5d10c9db9db143d1a22d8717205c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8a7e3ced362b88b659ab54239990196ff975982"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72F8-JFG6-JWC2

Vulnerability from github – Published: 2026-03-24 09:30 – Updated: 2026-03-24 09:30
VLAI
Details

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T07:16:07Z",
    "severity": "HIGH"
  },
  "details": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.",
  "id": "GHSA-72f8-jfg6-jwc2",
  "modified": "2026-03-24T09:30:30Z",
  "published": "2026-03-24T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33852"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72JM-3MP2-PJW5

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

A flaw was found in Privoxy in versions before 3.0.29. Memory leaks in the client-tags CGI handler when client tags are configured and memory allocations fail can lead to a system crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-25T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Privoxy in versions before 3.0.29. Memory leaks in the client-tags CGI handler when client tags are configured and memory allocations fail can lead to a system crash.",
  "id": "GHSA-72jm-3mp2-pjw5",
  "modified": "2022-05-24T17:45:22Z",
  "published": "2022-05-24T17:45:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20214"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928742"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-16"
    },
    {
      "type": "WEB",
      "url": "https://www.privoxy.org/3.0.29/user-manual/whatsnew.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-72MW-QPH4-CR4C

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path

This avoids leaking memory if brcmf_chip_get_raminfo fails. Note that the CLM blob is released in the device remove path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path\n\nThis avoids leaking memory if brcmf_chip_get_raminfo fails. Note that\nthe CLM blob is released in the device remove path.",
  "id": "GHSA-72mw-qph4-cr4c",
  "modified": "2025-09-22T21:30:16Z",
  "published": "2025-09-22T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49263"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0347bdfdb1529994ac3a4cb425087c477a74eb2c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e0b507597e1a86e9b4c056ab274c427223cf8ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e90f0f3ead014867dade7a22f93958119f5efab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a88337a06966f2d733ad9a97714b874469133f14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0ab87f8dcdfe72dc1d763be3392c1fc51a1ace2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f3820ddaf4f3ac80c7401ccc6a42e663c9317f31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72QV-726V-82FQ

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In certain configurations on version 13.1.3.4, when a BIG-IP AFM HTTP security profile is applied to a virtual server and the BIG-IP system receives a request with specific characteristics, the connection is reset and the Traffic Management Microkernel (TMM) leaks memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In certain configurations on version 13.1.3.4, when a BIG-IP AFM HTTP security profile is applied to a virtual server and the BIG-IP system receives a request with specific characteristics, the connection is reset and the Traffic Management Microkernel (TMM) leaks memory.",
  "id": "GHSA-72qv-726v-82fq",
  "modified": "2022-05-24T17:36:04Z",
  "published": "2022-05-24T17:36:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27713"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K37960100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-72QW-2VP3-GVG9

Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-11-15 18:30
VLAI
Details

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T16:15:14Z",
    "severity": "HIGH"
  },
  "details": "In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of \"CONNECT\", \"DISCONNECT\", \"SUBSCRIBE\", \"UNSUBSCRIBE\" and \"PUBLISH\" packets.",
  "id": "GHSA-72qw-2vp3-gvg9",
  "modified": "2024-11-15T18:30:47Z",
  "published": "2024-10-11T18:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/mosquitto/releases/tag/v2.0.19"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/26"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227"
    },
    {
      "type": "WEB",
      "url": "https://mosquitto.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-72VP-MGCV-889W

Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

MIPS: vpe-mt: fix possible memory leak while module exiting

Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, it need be freed when module exiting, call put_device() to give up reference, so that it can be freed in kobject_cleanup() when the refcount hit to 0. The vpe_device is static, so remove kfree() from vpe_device_release().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: vpe-mt: fix possible memory leak while module exiting\n\nAfer commit 1fa5ae857bb1 (\"driver core: get rid of struct device\u0027s\nbus_id string array\"), the name of device is allocated dynamically,\nit need be freed when module exiting, call put_device() to give up\nreference, so that it can be freed in kobject_cleanup() when the\nrefcount hit to 0. The vpe_device is static, so remove kfree() from\nvpe_device_release().",
  "id": "GHSA-72vp-mgcv-889w",
  "modified": "2026-01-16T21:30:29Z",
  "published": "2025-10-01T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50462"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/170e9913c2ed5cfc37c0adf0fdbd368d2d8d8168"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48d42f4464d713fbdd79f334fdcd6e5be534cc67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5822e8cc84ee37338ab0bdc3124f6eec04dc232d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/851ae5640875f06494e40002cd503b11a634c6fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9d180e0bb21c57bd6cca2adeb672d3b522e910b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab3d47c1fd0202821abd473ca87580faafd47847"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b191dde84e40624d5577f64db0ec922c5c0ec57c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3325a443525e3b89151879b834519b21c5e3011"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e820a8192ff68570100347855b567512aec43819"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-733M-QP96-W42H

Vulnerability from github – Published: 2025-10-01 09:30 – Updated: 2025-12-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

spi: spi-qpic-snand: unregister ECC engine on probe error and device remove

The on-host hardware ECC engine remains registered both when the spi_register_controller() function returns with an error and also on device removal.

Change the qcom_spi_probe() function to unregister the engine on the error path, and add the missing unregistering call to qcom_spi_remove() to avoid possible use-after-free issues.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T08:15:31Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: unregister ECC engine on probe error and device remove\n\nThe on-host hardware ECC engine remains registered both when\nthe spi_register_controller() function returns with an error\nand also on device removal.\n\nChange the qcom_spi_probe() function to unregister the engine\non the error path, and add the missing unregistering call to\nqcom_spi_remove() to avoid possible use-after-free issues.",
  "id": "GHSA-733m-qp96-w42h",
  "modified": "2025-12-12T21:31:32Z",
  "published": "2025-10-01T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39893"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1991a458528588ff34e98b6365362560d208710f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e4de48e66af17547727bb2e4b1867952817edff7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.