CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-7QQ5-WFV8-HVVH
Vulnerability from github – Published: 2026-02-02 15:30 – Updated: 2026-04-22 12:30A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
{
"affected": [],
"aliases": [
"CVE-2026-1757"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T13:15:58Z",
"severity": "MODERATE"
},
"details": "A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.",
"id": "GHSA-7qq5-wfv8-hvvh",
"modified": "2026-04-22T12:30:29Z",
"published": "2026-02-02T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1757"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7519"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-1757"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435940"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7QX4-MVFM-598F
Vulnerability from github – Published: 2022-01-26 00:01 – Updated: 2022-01-28 00:02Jsish v3.5.0 was discovered to contain a memory leak via linenoise at src/linenoise.c.
{
"affected": [],
"aliases": [
"CVE-2021-46481"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-25T01:15:00Z",
"severity": "MODERATE"
},
"details": "Jsish v3.5.0 was discovered to contain a memory leak via linenoise at src/linenoise.c.",
"id": "GHSA-7qx4-mvfm-598f",
"modified": "2022-01-28T00:02:23Z",
"published": "2022-01-26T00:01:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46481"
},
{
"type": "WEB",
"url": "https://github.com/pcmacdon/jsish/issues/55"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7R25-M49H-VW58
Vulnerability from github – Published: 2024-02-27 21:31 – Updated: 2024-12-06 18:30In the Linux kernel, the following vulnerability has been resolved:
virtiofs: fix memory leak in virtio_fs_probe()
When accidentally passing twice the same tag to qemu, kmemleak ended up reporting a memory leak in virtiofs. Also, looking at the log I saw the following error (that's when I realised the duplicated tag):
virtiofs: probe of virtio5 failed with error -17
Here's the kmemleak log for reference:
unreferenced object 0xffff888103d47800 (size 1024): comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................ backtrace: [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs] [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210 [<000000004d6baf3c>] really_probe+0xea/0x430 [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0 [<00000000196f47a7>] __driver_attach+0x98/0x140 [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0 [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0 [<0000000032b09ba7>] driver_register+0x8f/0xe0 [<00000000cdd55998>] 0xffffffffa002c013 [<000000000ea196a2>] do_one_initcall+0x64/0x2e0 [<0000000008f727ce>] do_init_module+0x5c/0x260 [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120 [<00000000ad2f48c6>] do_syscall_64+0x33/0x40 [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae
{
"affected": [],
"aliases": [
"CVE-2021-46956"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-27T19:04:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: fix memory leak in virtio_fs_probe()\n\nWhen accidentally passing twice the same tag to qemu, kmemleak ended up\nreporting a memory leak in virtiofs. Also, looking at the log I saw the\nfollowing error (that\u0027s when I realised the duplicated tag):\n\n virtiofs: probe of virtio5 failed with error -17\n\nHere\u0027s the kmemleak log for reference:\n\nunreferenced object 0xffff888103d47800 (size 1024):\n comm \"systemd-udevd\", pid 118, jiffies 4294893780 (age 18.340s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................\n backtrace:\n [\u003c000000000ebb87c1\u003e] virtio_fs_probe+0x171/0x7ae [virtiofs]\n [\u003c00000000f8aca419\u003e] virtio_dev_probe+0x15f/0x210\n [\u003c000000004d6baf3c\u003e] really_probe+0xea/0x430\n [\u003c00000000a6ceeac8\u003e] device_driver_attach+0xa8/0xb0\n [\u003c00000000196f47a7\u003e] __driver_attach+0x98/0x140\n [\u003c000000000b20601d\u003e] bus_for_each_dev+0x7b/0xc0\n [\u003c00000000399c7b7f\u003e] bus_add_driver+0x11b/0x1f0\n [\u003c0000000032b09ba7\u003e] driver_register+0x8f/0xe0\n [\u003c00000000cdd55998\u003e] 0xffffffffa002c013\n [\u003c000000000ea196a2\u003e] do_one_initcall+0x64/0x2e0\n [\u003c0000000008f727ce\u003e] do_init_module+0x5c/0x260\n [\u003c000000003cdedab6\u003e] __do_sys_finit_module+0xb5/0x120\n [\u003c00000000ad2f48c6\u003e] do_syscall_64+0x33/0x40\n [\u003c00000000809526b5\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae",
"id": "GHSA-7r25-m49h-vw58",
"modified": "2024-12-06T18:30:44Z",
"published": "2024-02-27T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46956"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/310efc95c72c13faf855c692d19cd4d054d827c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5116e79fc6e6725b8acdad8b7e928a83ab7b47e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b9d60c0eb8ada99cce2a9ab5c15dffc523b01ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c79c5e0178922a9e092ec8fed026750f39dcaef4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d19555ff225d0896a33246a49279e6d578095f15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R2W-9MRV-HFQG
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-30 21:30In the Linux kernel, the following vulnerability has been resolved:
net: hamradio: fix memory leak in mkiss_close
My local syzbot instance hit memory leak in mkiss_open()[1]. The problem was in missing free_netdev() in mkiss_close().
In mkiss_open() netdevice is allocated and then registered, but in mkiss_close() netdevice was only unregistered, but not freed.
Fail log:
BUG: memory leak unreferenced object 0xffff8880281ba000 (size 4096): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ backtrace: [] kvmalloc_node+0x61/0xf0 [] alloc_netdev_mqs+0x98/0xe80 [] mkiss_open+0xb2/0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak unreferenced object 0xffff8880141a9a00 (size 96): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... backtrace: [] __hw_addr_create_ex+0x5b/0x310 [] __hw_addr_add_ex+0x1f8/0x2b0 [] dev_addr_init+0x10b/0x1f0 [] alloc_netdev_mqs+0x13b/0xe80 [] mkiss_open+0xb2/0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak unreferenced object 0xffff8880219bfc00 (size 512): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [] kvmalloc_node+0x61/0xf0 [] alloc_netdev_mqs+0x777/0xe80 [] mkiss_open+0xb2/0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak unreferenced object 0xffff888029b2b200 (size 256): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kvmalloc_node+0x61/0xf0 [] alloc_netdev_mqs+0x912/0xe80 [] mkiss_open+0xb2/0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] entry_SYSCALL_64_after_hwframe+0x44/0xae
{
"affected": [],
"aliases": [
"CVE-2021-47237"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hamradio: fix memory leak in mkiss_close\n\nMy local syzbot instance hit memory leak in\nmkiss_open()[1]. The problem was in missing\nfree_netdev() in mkiss_close().\n\nIn mkiss_open() netdevice is allocated and then\nregistered, but in mkiss_close() netdevice was\nonly unregistered, but not freed.\n\nFail log:\n\nBUG: memory leak\nunreferenced object 0xffff8880281ba000 (size 4096):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0.............\n 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .\u0027.*............\n backtrace:\n [\u003cffffffff81a27201\u003e] kvmalloc_node+0x61/0xf0\n [\u003cffffffff8706e7e8\u003e] alloc_netdev_mqs+0x98/0xe80\n [\u003cffffffff84e64192\u003e] mkiss_open+0xb2/0x6f0 [1]\n [\u003cffffffff842355db\u003e] tty_ldisc_open+0x9b/0x110\n [\u003cffffffff84236488\u003e] tty_set_ldisc+0x2e8/0x670\n [\u003cffffffff8421f7f3\u003e] tty_ioctl+0xda3/0x1440\n [\u003cffffffff81c9f273\u003e] __x64_sys_ioctl+0x193/0x200\n [\u003cffffffff8911263a\u003e] do_syscall_64+0x3a/0xb0\n [\u003cffffffff89200068\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880141a9a00 (size 96):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(....\n 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@..........\n backtrace:\n [\u003cffffffff8709f68b\u003e] __hw_addr_create_ex+0x5b/0x310\n [\u003cffffffff8709fb38\u003e] __hw_addr_add_ex+0x1f8/0x2b0\n [\u003cffffffff870a0c7b\u003e] dev_addr_init+0x10b/0x1f0\n [\u003cffffffff8706e88b\u003e] alloc_netdev_mqs+0x13b/0xe80\n [\u003cffffffff84e64192\u003e] mkiss_open+0xb2/0x6f0 [1]\n [\u003cffffffff842355db\u003e] tty_ldisc_open+0x9b/0x110\n [\u003cffffffff84236488\u003e] tty_set_ldisc+0x2e8/0x670\n [\u003cffffffff8421f7f3\u003e] tty_ioctl+0xda3/0x1440\n [\u003cffffffff81c9f273\u003e] __x64_sys_ioctl+0x193/0x200\n [\u003cffffffff8911263a\u003e] do_syscall_64+0x3a/0xb0\n [\u003cffffffff89200068\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880219bfc00 (size 512):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............\n 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff81a27201\u003e] kvmalloc_node+0x61/0xf0\n [\u003cffffffff8706eec7\u003e] alloc_netdev_mqs+0x777/0xe80\n [\u003cffffffff84e64192\u003e] mkiss_open+0xb2/0x6f0 [1]\n [\u003cffffffff842355db\u003e] tty_ldisc_open+0x9b/0x110\n [\u003cffffffff84236488\u003e] tty_set_ldisc+0x2e8/0x670\n [\u003cffffffff8421f7f3\u003e] tty_ioctl+0xda3/0x1440\n [\u003cffffffff81c9f273\u003e] __x64_sys_ioctl+0x193/0x200\n [\u003cffffffff8911263a\u003e] do_syscall_64+0x3a/0xb0\n [\u003cffffffff89200068\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff888029b2b200 (size 256):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff81a27201\u003e] kvmalloc_node+0x61/0xf0\n [\u003cffffffff8706f062\u003e] alloc_netdev_mqs+0x912/0xe80\n [\u003cffffffff84e64192\u003e] mkiss_open+0xb2/0x6f0 [1]\n [\u003cffffffff842355db\u003e] tty_ldisc_open+0x9b/0x110\n [\u003cffffffff84236488\u003e] tty_set_ldisc+0x2e8/0x670\n [\u003cffffffff8421f7f3\u003e] tty_ioctl+0xda3/0x1440\n [\u003cffffffff81c9f273\u003e] __x64_sys_ioctl+0x193/0x200\n [\u003cffffffff8911263a\u003e] do_syscall_64+0x3a/0xb0\n [\u003cffffffff89200068\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae",
"id": "GHSA-7r2w-9mrv-hfqg",
"modified": "2024-12-30T21:30:46Z",
"published": "2024-05-21T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47237"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/290b0b6432e2599021db0b8d6046f756d931c29f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3942d0f9ace1a95a74930b5b4fc0e5005c62b37b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/765a8a04f828db7222b36a42b1031f576bfe95c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7edcc682301492380fbdd604b4516af5ae667a13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a49cbb762ef20655f5c91abdc13658b0af5e159d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c16c4716a1b5ba4f83c7e00da457cba06761f119"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c634ba0b4159838ff45a60d3a0ace3b4118077a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4de2b43d13b7cf3ced9310e371b90c836dbd7cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7R62-FW3J-XJQF
Vulnerability from github – Published: 2025-10-04 18:31 – Updated: 2026-02-05 18:30In the Linux kernel, the following vulnerability has been resolved:
ipmi_si: fix a memleak in try_smi_init()
Kmemleak reported the following leak info in try_smi_init():
unreferenced object 0xffff00018ecf9400 (size 1024): comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s) backtrace: [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0 [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si] [<000000006460d325>] 0xffff800081b10148 [<0000000039206ea5>] do_one_initcall+0x64/0x2a4 [<00000000601399ce>] do_init_module+0x50/0x300 [<000000003c12ba3c>] load_module+0x7a8/0x9e0 [<00000000c246fffe>] __se_sys_init_module+0x104/0x180 [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30 [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250 [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0 [<000000005a05337f>] el0_svc+0x24/0x3c [<000000005eb248d6>] el0_sync_handler+0x160/0x164 [<0000000030a59039>] el0_sync+0x160/0x180
The problem was that when an error occurred before handlers registration
and after allocating new_smi->si_sm, the variable wouldn't be freed in
the error handling afterwards since shutdown_smi() hadn't been
registered yet. Fix it by adding a kfree() in the error handling path
in try_smi_init().
{
"affected": [],
"aliases": [
"CVE-2023-53611"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-04T16:15:57Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi_si: fix a memleak in try_smi_init()\n\nKmemleak reported the following leak info in try_smi_init():\n\nunreferenced object 0xffff00018ecf9400 (size 1024):\n comm \"modprobe\", pid 2707763, jiffies 4300851415 (age 773.308s)\n backtrace:\n [\u003c000000004ca5b312\u003e] __kmalloc+0x4b8/0x7b0\n [\u003c00000000953b1072\u003e] try_smi_init+0x148/0x5dc [ipmi_si]\n [\u003c000000006460d325\u003e] 0xffff800081b10148\n [\u003c0000000039206ea5\u003e] do_one_initcall+0x64/0x2a4\n [\u003c00000000601399ce\u003e] do_init_module+0x50/0x300\n [\u003c000000003c12ba3c\u003e] load_module+0x7a8/0x9e0\n [\u003c00000000c246fffe\u003e] __se_sys_init_module+0x104/0x180\n [\u003c00000000eea99093\u003e] __arm64_sys_init_module+0x24/0x30\n [\u003c0000000021b1ef87\u003e] el0_svc_common.constprop.0+0x94/0x250\n [\u003c0000000070f4f8b7\u003e] do_el0_svc+0x48/0xe0\n [\u003c000000005a05337f\u003e] el0_svc+0x24/0x3c\n [\u003c000000005eb248d6\u003e] el0_sync_handler+0x160/0x164\n [\u003c0000000030a59039\u003e] el0_sync+0x160/0x180\n\nThe problem was that when an error occurred before handlers registration\nand after allocating `new_smi-\u003esi_sm`, the variable wouldn\u0027t be freed in\nthe error handling afterwards since `shutdown_smi()` hadn\u0027t been\nregistered yet. Fix it by adding a `kfree()` in the error handling path\nin `try_smi_init()`.",
"id": "GHSA-7r62-fw3j-xjqf",
"modified": "2026-02-05T18:30:29Z",
"published": "2025-10-04T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53611"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/09cb2a71b2e982015fe0464f28da1ab42b8e6375"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1bfcfea0fae0d0a6c6ff5543e6d704b3807b83ce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c5f02e16b919c8cb6024dc3778c8d8f1fb1f26b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7291af9a738d936c2d6869d030711dceb68404d0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9bc8fbb2d416ce87f0342478dc9fcfd79f2c65f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cbb7d8a4b4beb3061b3a1847a742983a01dca381"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f53ab5a2bf20fed59a2f7542d3453228b8056358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RCJ-VMJP-FWMV
Vulnerability from github – Published: 2025-03-12 00:31 – Updated: 2025-03-12 00:31In the Linux kernel, the following vulnerability has been resolved:
tracing/histograms: Fix memory leak problem
This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.
As commit 46bbe5c671e0 ("tracing: fix double free") said, the "double free" problem reported by clang static analyzer is:
In parse_var_defs() if there is a problem allocating var_defs.expr, the earlier var_defs.name is freed. This free is duplicated by free_var_defs() which frees the rest of the list.
However, if there is a problem allocating N-th var_defs.expr: + in parse_var_defs(), the freed 'earlier var_defs.name' is actually the N-th var_defs.name; + then in free_var_defs(), the names from 0th to (N-1)-th are freed;
IF ALLOCATING PROBLEM HAPPENED HERE!!! -+
\
|
0th 1th (N-1)-th N-th V
+-------------+-------------+-----+-------------+-----------
var_defs: | name | expr | name | expr | ... | name | expr | name | /// +-------------+-------------+-----+-------------+-----------
These two frees don't act on same name, so there was no "double free" problem before. Conversely, after that commit, we get a "memory leak" problem because the above "N-th var_defs.name" is not freed.
If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th var_defs.expr allocated, then execute on shell like: $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \ /sys/kernel/debug/tracing/events/kmem/kmalloc/trigger
Then kmemleak reports: unreferenced object 0xffff8fb100ef3518 (size 8): comm "bash", pid 196, jiffies 4295681690 (age 28.538s) hex dump (first 8 bytes): 76 31 00 00 b1 8f ff ff v1...... backtrace: [<0000000038fe4895>] kstrdup+0x2d/0x60 [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0 [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110 [<0000000066737a4c>] event_trigger_write+0x75/0xd0 [<000000007341e40c>] vfs_write+0xbb/0x2a0 [<0000000087fde4c2>] ksys_write+0x59/0xd0 [<00000000581e9cdf>] do_syscall_64+0x3a/0x80 [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
{
"affected": [],
"aliases": [
"CVE-2022-49648"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:39Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histograms: Fix memory leak problem\n\nThis reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac.\n\nAs commit 46bbe5c671e0 (\"tracing: fix double free\") said, the\n\"double free\" problem reported by clang static analyzer is:\n \u003e In parse_var_defs() if there is a problem allocating\n \u003e var_defs.expr, the earlier var_defs.name is freed.\n \u003e This free is duplicated by free_var_defs() which frees\n \u003e the rest of the list.\n\nHowever, if there is a problem allocating N-th var_defs.expr:\n + in parse_var_defs(), the freed \u0027earlier var_defs.name\u0027 is\n actually the N-th var_defs.name;\n + then in free_var_defs(), the names from 0th to (N-1)-th are freed;\n\n IF ALLOCATING PROBLEM HAPPENED HERE!!! -+\n \\\n |\n 0th 1th (N-1)-th N-th V\n +-------------+-------------+-----+-------------+-----------\nvar_defs: | name | expr | name | expr | ... | name | expr | name | ///\n +-------------+-------------+-----+-------------+-----------\n\nThese two frees don\u0027t act on same name, so there was no \"double free\"\nproblem before. Conversely, after that commit, we get a \"memory leak\"\nproblem because the above \"N-th var_defs.name\" is not freed.\n\nIf enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th\nvar_defs.expr allocated, then execute on shell like:\n $ echo \u0027hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc\u0027 \u003e \\\n/sys/kernel/debug/tracing/events/kmem/kmalloc/trigger\n\nThen kmemleak reports:\n unreferenced object 0xffff8fb100ef3518 (size 8):\n comm \"bash\", pid 196, jiffies 4295681690 (age 28.538s)\n hex dump (first 8 bytes):\n 76 31 00 00 b1 8f ff ff v1......\n backtrace:\n [\u003c0000000038fe4895\u003e] kstrdup+0x2d/0x60\n [\u003c00000000c99c049a\u003e] event_hist_trigger_parse+0x206f/0x20e0\n [\u003c00000000ae70d2cc\u003e] trigger_process_regex+0xc0/0x110\n [\u003c0000000066737a4c\u003e] event_trigger_write+0x75/0xd0\n [\u003c000000007341e40c\u003e] vfs_write+0xbb/0x2a0\n [\u003c0000000087fde4c2\u003e] ksys_write+0x59/0xd0\n [\u003c00000000581e9cdf\u003e] do_syscall_64+0x3a/0x80\n [\u003c00000000cf3b065c\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
"id": "GHSA-7rcj-vmjp-fwmv",
"modified": "2025-03-12T00:31:48Z",
"published": "2025-03-12T00:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49648"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22eeff55679d9e7c0f768c79bfbd83e2f8142d89"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d453eb5e1eec89971aa5b3262857ee26cfdffd3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78a1400c42ee11197eb1f0f85ba51df9a4fdfff0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7edc3945bdce9c39198a10d6129377a5c53559c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb622d5580b9e2ff694f62da6410618bd73853cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecc6dec12c33aa92c086cd702af9f544ddaf3c75"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RJR-QXC3-7HH3
Vulnerability from github – Published: 2024-08-21 09:31 – Updated: 2024-09-11 18:31In the Linux kernel, the following vulnerability has been resolved:
io_uring/poll: don't reissue in case of poll race on multishot request
A previous commit fixed a poll race that can occur, but it's only applicable for multishot requests. For a multishot request, we can safely ignore a spurious wakeup, as we never leave the waitqueue to begin with.
A blunt reissue of a multishot armed request can cause us to leak a buffer, if they are ring provided. While this seems like a bug in itself, it's not really defined behavior to reissue a multishot request directly. It's less efficient to do so as well, and not required to rearm anything like it is for singleshot poll requests.
{
"affected": [],
"aliases": [
"CVE-2023-52895"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T07:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don\u0027t reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it\u0027s only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit\u0027s not really defined behavior to reissue a multishot request directly.\nIt\u0027s less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests.",
"id": "GHSA-7rjr-qxc3-7hh3",
"modified": "2024-09-11T18:31:02Z",
"published": "2024-08-21T09:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52895"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RP6-P829-5X6W
Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2024-10-11 18:32drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).
{
"affected": [],
"aliases": [
"CVE-2022-26878"
],
"database_specific": {
"cwe_ids": [
"CWE-401",
"CWE-772"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-11T07:15:00Z",
"severity": "MODERATE"
},
"details": "drivers/bluetooth/virtio_bt.c in the Linux kernel before 5.16.3 has a memory leak (socket buffers have memory allocated but not freed).",
"id": "GHSA-7rp6-p829-5x6w",
"modified": "2024-10-11T18:32:47Z",
"published": "2022-03-12T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26878"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.17"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1d0688421449718c6c5f46e458a378c9b530ba18"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-bluetooth/1A203F5E-FB5E-430C-BEA3-86B191D69D58%40holtmann.org"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-bluetooth/1A203F5E-FB5E-430C-BEA3-86B191D69D58@holtmann.org"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7RV8-M2WM-JGP4
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix throttle_groups memory leak
Add a missing kfree().
{
"affected": [],
"aliases": [
"CVE-2023-53128"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix throttle_groups memory leak\n\nAdd a missing kfree().",
"id": "GHSA-7rv8-m2wm-jgp4",
"modified": "2025-11-10T18:30:30Z",
"published": "2025-05-02T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53128"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/574cc10edaa7dba833764efed8c57ee0e6bf7574"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85349a227eb4a56520adc190c666075f80d4ae70"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f305a7b6ca21a665e8d0cf70b5936991a298c93c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7V36-PGG4-9J5V
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-02-26 21:31In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: fix leaked ct in error paths
There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called.
{
"affected": [],
"aliases": [
"CVE-2025-71146"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: fix leaked ct in error paths\n\nThere are some situations where ct might be leaked as error paths are\nskipping the refcounted check and return immediately. In order to solve\nit make sure that the check is always called.",
"id": "GHSA-7v36-pgg4-9j5v",
"modified": "2026-02-26T21:31:26Z",
"published": "2026-01-23T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71146"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.