Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-88W2-C8V7-H7P6

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mt76: mt7915: fix memleak when mt7915_unregister_device()

mt7915_tx_token_put() should get call before mt76_free_pending_txwi().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:39Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7915: fix memleak when mt7915_unregister_device()\n\nmt7915_tx_token_put() should get call before mt76_free_pending_txwi().",
  "id": "GHSA-88w2-c8v7-h7p6",
  "modified": "2024-12-09T18:31:18Z",
  "published": "2024-02-28T09:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47021"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81483309ce861a9fa7835322787f68a443fea364"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d754c80ae82a662e692a82faad71b8c218cb7f52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9d32af478cfc3744a45245c0b126738af4b3ac4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8954-929F-W427

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()

svc_create_memory_pool() is only called from stratix10_svc_drv_probe(). Most of resources in the probe are managed, but not this memremap() call.

There is also no memunmap() call in the file.

So switch to devm_memremap() to avoid a resource leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:52Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()\n\nsvc_create_memory_pool() is only called from stratix10_svc_drv_probe().\nMost of resources in the probe are managed, but not this memremap() call.\n\nThere is also no memunmap() call in the file.\n\nSo switch to devm_memremap() to avoid a resource leak.",
  "id": "GHSA-8954-929f-w427",
  "modified": "2025-12-03T18:30:20Z",
  "published": "2025-09-15T15:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53255"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1995f15590ca222f91193ed11461862b450abfd6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7363de081c793e47866cb54ce7cb8a480cffc259"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/974ac045a05ad12a0b4578fb303f00dcc22f3aba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c04ed61ebf01968d7699b121663982493ed577fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb8a31a56df8492fb0d900959238e1a3ff8b8981"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3373e6b6c79aff698442b00d20c9f285d296e46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-895J-4GXF-Q954

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-01-18 00:30
VLAI
Details

A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb938864.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-18T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering copy_form_user() failures, aka CID-e0b0cb938864.",
  "id": "GHSA-895j-4gxf-q954",
  "modified": "2023-01-18T00:30:24Z",
  "published": "2022-05-24T17:01:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19048"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/e0b0cb9388642c104838fac100a4af32745621e2"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191205-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4208-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4226-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-897V-899R-J3HG

Vulnerability from github – Published: 2023-09-01 18:30 – Updated: 2025-06-26 18:31
VLAI
Details

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-01T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.",
  "id": "GHSA-897v-899r-j3hg",
  "modified": "2025-06-26T18:31:18Z",
  "published": "2023-09-01T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X"
    },
    {
      "type": "WEB",
      "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-09"
    },
    {
      "type": "WEB",
      "url": "https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-89GV-4M9M-97P2

Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-06-30 00:31
VLAI
Details

CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away.

The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T20:17:32Z",
    "severity": "MODERATE"
  },
  "details": "CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away.\n\nThe minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.",
  "id": "GHSA-89gv-4m9m-97p2",
  "modified": "2026-06-30T00:31:28Z",
  "published": "2026-06-29T21:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13593"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/GTERMARS/CSS-Minifier-XS-0.14/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/29/18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-89M8-V85Q-HC6R

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-12 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()

If of_iomap() failed, 'aic' should be freed before return. Otherwise there is a memory leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:44Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()\n\nIf of_iomap() failed, \u0027aic\u0027 should be freed before return. Otherwise\nthere is a memory leak.",
  "id": "GHSA-89m8-v85q-hc6r",
  "modified": "2025-12-12T18:30:28Z",
  "published": "2025-09-18T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50416"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4208d4faf36573a507b5e5de17abe342e9276759"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/740efb64ca5e8f2b30ac843bc4ab07950479fed4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/773c9d7f127f7a599d42ceed831de69f5aa22f03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcbcb396e1a8bd4dcaabfb0d5b98abae70880470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CQ9-G9FR-FJQR

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-07T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.",
  "id": "GHSA-8cq9-g9fr-fjqr",
  "modified": "2022-05-13T01:10:29Z",
  "published": "2022-05-13T01:10:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/1450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/1e6a3ace073c9ec9c71e439c111d23c6e66cb6ae"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4034-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4712"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8F37-8C54-XQ42

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-09-11 18:30
VLAI
Details

A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Software MuPDF 1.17.0 allows attackers to obtain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:19Z",
    "severity": "MODERATE"
  },
  "details": "A memory leak issue discovered in /pdf/pdf-font-add.c in Artifex Software MuPDF 1.17.0 allows attackers to obtain sensitive information.",
  "id": "GHSA-8f37-8c54-xq42",
  "modified": "2024-09-11T18:30:59Z",
  "published": "2023-08-22T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26683"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=702566"
    },
    {
      "type": "WEB",
      "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=05720b4ee3dbae57e65546dc2eecc3021c08eeea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8F5C-3XJX-X46G

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:08
VLAI
Details

An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:30Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.",
  "id": "GHSA-8f5c-3xjx-x46g",
  "modified": "2024-04-04T07:08:05Z",
  "published": "2023-08-22T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47011"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=29261"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8F6H-Q8XV-PCP8

Vulnerability from github – Published: 2026-03-24 06:31 – Updated: 2026-03-24 06:31
VLAI
Details

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T06:16:22Z",
    "severity": "HIGH"
  },
  "details": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.",
  "id": "GHSA-8f6h-q8xv-pcp8",
  "modified": "2026-03-24T06:31:14Z",
  "published": "2026-03-24T06:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33856"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.