CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-C49H-4WFG-MH2V
Vulnerability from github – Published: 2025-10-17 15:31 – Updated: 2025-10-17 15:31radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
{
"affected": [],
"aliases": [
"CVE-2025-60360"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-17T14:15:47Z",
"severity": "LOW"
},
"details": "radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.",
"id": "GHSA-c49h-4wfg-mh2v",
"modified": "2025-10-17T15:31:02Z",
"published": "2025-10-17T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60360"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/pull/24245"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C54W-7PH9-843G
Vulnerability from github – Published: 2023-11-20 15:30 – Updated: 2023-11-30 21:30GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gf_mpd_parse_string media_tools/mpd.c:75.
{
"affected": [],
"aliases": [
"CVE-2023-48039"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-20T15:15:09Z",
"severity": "MODERATE"
},
"details": "GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gf_mpd_parse_string media_tools/mpd.c:75.",
"id": "GHSA-c54w-7ph9-843g",
"modified": "2023-11-30T21:30:26Z",
"published": "2023-11-20T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48039"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/2679"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C56J-2H63-6488
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-01-07 00:01A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing.
{
"affected": [],
"aliases": [
"CVE-2021-44540"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing.",
"id": "GHSA-c56j-2h63-6488",
"modified": "2022-01-07T00:01:28Z",
"published": "2021-12-24T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44540"
},
{
"type": "WEB",
"url": "https://www.privoxy.org/3.0.33/user-manual/whatsnew.html,"
},
{
"type": "WEB",
"url": "https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=652b4b7cb0"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C5C9-F2V8-RFMG
Vulnerability from github – Published: 2022-06-11 00:00 – Updated: 2022-06-18 00:00There is a memory dump vulnerability on Netwave IP camera devices at //proc/kcore that allows an unauthenticated attacker to exfiltrate sensitive information from the network configuration (e.g., username and password).
{
"affected": [],
"aliases": [
"CVE-2018-17240"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-10T18:15:00Z",
"severity": "HIGH"
},
"details": "There is a memory dump vulnerability on Netwave IP camera devices at //proc/kcore that allows an unauthenticated attacker to exfiltrate sensitive information from the network configuration (e.g., username and password).",
"id": "GHSA-c5c9-f2v8-rfmg",
"modified": "2022-06-18T00:00:22Z",
"published": "2022-06-11T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17240"
},
{
"type": "WEB",
"url": "https://github.com/BBge/CVE-2018-17240"
},
{
"type": "WEB",
"url": "https://github.com/BBge/CVE-2018-17240/blob/main/exploit.py"
},
{
"type": "WEB",
"url": "https://www.bbge.org/file/exploit.py"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C5J5-PFFR-9WGM
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2024-07-03 18:42In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
The rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in the region and in each chunk iterating over all the filters.
If the migration fails, the code tries to migrate the filters back to the old region. However, the rollback itself can also fail in which case another migration will be erroneously performed. Besides the fact that this ping pong is not a very good idea, it also creates a problem.
Each virtual chunk references two chunks: The currently used one ('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the first holds the chunk we want to migrate filters to and the second holds the chunk we are migrating filters from.
The code currently assumes - but does not verify - that the backup chunk does not exist (NULL) if the currently used chunk does not reference the target region. This assumption breaks when we are trying to rollback a rollback, resulting in the backup chunk being overwritten and leaked [1].
Fix by not rolling back a failed rollback and add a warning to avoid future cases.
[1] WARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20 Modules linked in: CPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work RIP: 0010:parman_destroy+0x17/0x20 [...] Call Trace: mlxsw_sp_acl_atcam_region_fini+0x19/0x60 mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470 process_one_work+0x151/0x370 worker_thread+0x2cb/0x3e0 kthread+0xd0/0x100 ret_from_fork+0x34/0x50 ret_from_fork_asm+0x1a/0x30
{
"affected": [],
"aliases": [
"CVE-2024-35853"
],
"database_specific": {
"cwe_ids": [
"CWE-401",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:22Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n(\u0027vchunk-\u003echunk\u0027) and a backup (\u0027vchunk-\u003echunk2\u0027). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \u003cTASK\u003e\n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e",
"id": "GHSA-c5j5-pffr-9wgm",
"modified": "2024-07-03T18:42:26Z",
"published": "2024-05-17T15:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35853"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5RQ-J6HH-2MXR
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-02-03 18:30In the Linux kernel, the following vulnerability has been resolved:
vdpa: ifcvf: Do proper cleanup if IFCVF init fails
ifcvf_mgmt_dev leaks memory if it is not freed before returning. Call is made to correct return statement so memory does not leak. ifcvf_init_hw does not take care of this so it is needed to do it here.
{
"affected": [],
"aliases": [
"CVE-2022-48706"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: ifcvf: Do proper cleanup if IFCVF init fails\n\nifcvf_mgmt_dev leaks memory if it is not freed before\nreturning. Call is made to correct return statement\nso memory does not leak. ifcvf_init_hw does not take\ncare of this so it is needed to do it here.",
"id": "GHSA-c5rq-j6hh-2mxr",
"modified": "2025-02-03T18:30:37Z",
"published": "2024-05-21T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48706"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d2cc32c1c10bd889125d2adc16a6bc3338dcd3e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b04456e248761cf68f562f2fd7c04e591fcac94"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5XH-C73J-MCX2
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix memleak of newsk in unix_stream_connect().
When prepare_peercred() fails in unix_stream_connect(), unix_release_sock() is not called for newsk, and the memory is leaked.
Let's move prepare_peercred() before unix_create1().
{
"affected": [],
"aliases": [
"CVE-2026-45887"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:02Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix memleak of newsk in unix_stream_connect().\n\nWhen prepare_peercred() fails in unix_stream_connect(),\nunix_release_sock() is not called for newsk, and the memory\nis leaked.\n\nLet\u0027s move prepare_peercred() before unix_create1().",
"id": "GHSA-c5xh-c73j-mcx2",
"modified": "2026-06-25T21:31:20Z",
"published": "2026-05-27T15:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45887"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/365996a2b14d07caa9e33d367b67ea26c09d89b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6884028cd7f275f8bcb854a347265cb1fb0e4bea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a5d95d7caba0160fb7b2b8d2bd96d5a1be861d9f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C62G-6HM9-X69Q
Vulnerability from github – Published: 2024-12-29 09:30 – Updated: 2025-01-06 18:31In the Linux kernel, the following vulnerability has been resolved:
ceph: fix memory leak in ceph_direct_read_write()
The bvecs array which is allocated in iter_get_bvecs_alloc() is leaked and pages remain pinned if ceph_alloc_sparse_ext_map() fails.
There is no need to delay the allocation of sparse_ext map until after the bvecs array is set up, so fix this by moving sparse_ext allocation a bit earlier. Also, make a similar adjustment in __ceph_sync_read() for consistency (a leak of the same kind in __ceph_sync_read() has been addressed differently).
{
"affected": [],
"aliases": [
"CVE-2024-56710"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-29T09:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_direct_read_write()\n\nThe bvecs array which is allocated in iter_get_bvecs_alloc() is leaked\nand pages remain pinned if ceph_alloc_sparse_ext_map() fails.\n\nThere is no need to delay the allocation of sparse_ext map until after\nthe bvecs array is set up, so fix this by moving sparse_ext allocation\na bit earlier. Also, make a similar adjustment in __ceph_sync_read()\nfor consistency (a leak of the same kind in __ceph_sync_read() has been\naddressed differently).",
"id": "GHSA-c62g-6hm9-x69q",
"modified": "2025-01-06T18:31:01Z",
"published": "2024-12-29T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56710"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/44e518abbb498075ae85c7d1d1a503a6bb05ea2d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/66e0c4f91461d17d48071695271c824620bed4ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb9041837123f31d5897e99bb761f46cb4ce5859"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C655-QWVW-WFQM
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-29 21:31In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix page reclaim for dead peer hairpin
When adding a hairpin flow, a firmware-side send queue is created for the peer net device, which claims some host memory pages for its internal ring buffer. If the peer net device is removed/unbound before the hairpin flow is deleted, then the send queue is not destroyed which leads to a stack trace on pci device remove:
[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource [ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110 [ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0 [ 748.002171] ------------[ cut here ]------------ [ 748.001177] FW pages counter is 4 after reclaiming all pages [ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core] [ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1 [ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9 [ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286 [ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000 [ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51 [ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8 [ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30 [ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000 [ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000 [ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0 [ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 748.001654] Call Trace: [ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core] [ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core] [ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core] [ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core] [ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core] [ 748.001200] remove_one+0x5f/0xc0 [mlx5_core] [ 748.001075] pci_device_remove+0x9f/0x1d0 [ 748.000833] device_release_driver_internal+0x1e0/0x490 [ 748.001207] unbind_store+0x19f/0x200 [ 748.000942] ? sysfs_file_ops+0x170/0x170 [ 748.001000] kernfs_fop_write_iter+0x2bc/0x450 [ 748.000970] new_sync_write+0x373/0x610 [ 748.001124] ? new_sync_read+0x600/0x600 [ 748.001057] ? lock_acquire+0x4d6/0x700 [ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 748.001126] ? fd_install+0x1c9/0x4d0 [ 748.000951] vfs_write+0x4d0/0x800 [ 748.000804] ksys_write+0xf9/0x1d0 [ 748.000868] ? __x64_sys_read+0xb0/0xb0 [ 748.000811] ? filp_open+0x50/0x50 [ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50 [ 748.001223] do_syscall_64+0x3f/0x80 [ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 748.00 ---truncated---
{
"affected": [],
"aliases": [
"CVE-2021-47246"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix page reclaim for dead peer hairpin\n\nWhen adding a hairpin flow, a firmware-side send queue is created for\nthe peer net device, which claims some host memory pages for its\ninternal ring buffer. If the peer net device is removed/unbound before\nthe hairpin flow is deleted, then the send queue is not destroyed which\nleads to a stack trace on pci device remove:\n\n[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource\n[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110\n[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0\n[ 748.002171] ------------[ cut here ]------------\n[ 748.001177] FW pages counter is 4 after reclaiming all pages\n[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core]\n[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1\n[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]\n[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 \u003c0f\u003e 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9\n[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286\n[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000\n[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51\n[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8\n[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30\n[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000\n[ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000\n[ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0\n[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 748.001654] Call Trace:\n[ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core]\n[ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core]\n[ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core]\n[ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core]\n[ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core]\n[ 748.001200] remove_one+0x5f/0xc0 [mlx5_core]\n[ 748.001075] pci_device_remove+0x9f/0x1d0\n[ 748.000833] device_release_driver_internal+0x1e0/0x490\n[ 748.001207] unbind_store+0x19f/0x200\n[ 748.000942] ? sysfs_file_ops+0x170/0x170\n[ 748.001000] kernfs_fop_write_iter+0x2bc/0x450\n[ 748.000970] new_sync_write+0x373/0x610\n[ 748.001124] ? new_sync_read+0x600/0x600\n[ 748.001057] ? lock_acquire+0x4d6/0x700\n[ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400\n[ 748.001126] ? fd_install+0x1c9/0x4d0\n[ 748.000951] vfs_write+0x4d0/0x800\n[ 748.000804] ksys_write+0xf9/0x1d0\n[ 748.000868] ? __x64_sys_read+0xb0/0xb0\n[ 748.000811] ? filp_open+0x50/0x50\n[ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50\n[ 748.001223] do_syscall_64+0x3f/0x80\n[ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 748.00\n---truncated---",
"id": "GHSA-c655-qwvw-wfqm",
"modified": "2025-04-29T21:31:35Z",
"published": "2024-05-21T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47246"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b16118665e94c90a3e84a5190486fd0e4eedd74"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a3e5fd9314dfc4314a9567cde96e1aef83a7458a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b374c1304f6d3d4752ad1412427b7bf02bb1fd61"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be7f3f401d224e1efe8112b2fa8b837eeb8c5e52"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C6G6-J52P-PG8H
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains").
skb->dev becomes NULL and we crash in __netif_receive_skb_core().
Before above commit, different kind of bugs or corruptions could happen without a major crash.
But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or not.
Many thanks to Bernard Pidoux for his help, diagnosis and tests.
We had a similar issue years ago fixed with commit 7aaed57c5c28 ("phonet: properly unshare skbs in phonet_rcv()").
{
"affected": [],
"aliases": [
"CVE-2025-39848"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T16:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: properly unshare skbs in ax25_kiss_rcv()\n\nBernard Pidoux reported a regression apparently caused by commit\nc353e8983e0d (\"net: introduce per netns packet chains\").\n\nskb-\u003edev becomes NULL and we crash in __netif_receive_skb_core().\n\nBefore above commit, different kind of bugs or corruptions could happen\nwithout a major crash.\n\nBut the root cause is that ax25_kiss_rcv() can queue/mangle input skb\nwithout checking if this skb is shared or not.\n\nMany thanks to Bernard Pidoux for his help, diagnosis and tests.\n\nWe had a similar issue years ago fixed with commit 7aaed57c5c28\n(\"phonet: properly unshare skbs in phonet_rcv()\").",
"id": "GHSA-c6g6-j52p-pg8h",
"modified": "2026-05-12T15:31:10Z",
"published": "2025-09-22T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39848"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01a2984cb803f2d487b7074f9718db2bf3531f69"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2bd0f67212908243ce88e35bf69fa77155b47b14"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/42b46684e2c78ee052d8c2ee8d9c2089233c9094"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5b079be1b9da49ad88fc304c874d4be7085f7883"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d449b7a6c8ee434d10a483feed7c5c50108cf56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8156210d36a43e76372312c87eb5ea3dbb405a85"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89064cf534bea4bb28c83fe6bbb26657b19dd5fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b1c71d674a308d2fbc83efcf88bfc4217a86aa17"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.