CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
967 vulnerabilities reference this CWE, most recent first.
GHSA-P8X5-C6C9-8CWX
Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-06 18:30The curl logic that works with SASL authentication could end up cleaning up
the GSASL context twice without clearing the pointer in between, making it
free() the same pointer twice.
{
"affected": [],
"aliases": [
"CVE-2026-8925"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T07:16:24Z",
"severity": "CRITICAL"
},
"details": "The curl logic that works with SASL authentication could end up cleaning up\nthe GSASL context *twice* without clearing the pointer in between, making it\n`free()` the same pointer twice.",
"id": "GHSA-p8x5-c6c9-8cwx",
"modified": "2026-07-06T18:30:47Z",
"published": "2026-07-03T09:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8925"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3735193"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-8925.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2026-8925.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9FM-3QQ2-RMM2
Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
net: vertexcom: mse102x: Fix possible double free of TX skb
The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, we should free the the temporary skb instead of the original skb. Otherwise the original TX skb pointer would be freed again in mse102x_tx_work(), which leads to crashes:
Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 Hardware name: chargebyte Charge SOM DC-ONE (DT) Workqueue: events mse102x_tx_work [mse102x] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_release_data+0xb8/0x1d8 lr : skb_release_data+0x1ac/0x1d8 sp : ffff8000819a3cc0 x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 x8 : fffffc00001bc008 x7 : 0000000000000000 x6 : 0000000000000008 x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 Call trace: skb_release_data+0xb8/0x1d8 kfree_skb_reason+0x48/0xb0 mse102x_tx_work+0x164/0x35c [mse102x] process_one_work+0x138/0x260 worker_thread+0x32c/0x438 kthread+0x118/0x11c ret_from_fork+0x10/0x20 Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)
{
"affected": [],
"aliases": [
"CVE-2024-50276"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T02:16:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vertexcom: mse102x: Fix possible double free of TX skb\n\nThe scope of the TX skb is wider than just mse102x_tx_frame_spi(),\nso in case the TX skb room needs to be expanded, we should free the\nthe temporary skb instead of the original skb. Otherwise the original\nTX skb pointer would be freed again in mse102x_tx_work(), which leads\nto crashes:\n\n Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP\n CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23\n Hardware name: chargebyte Charge SOM DC-ONE (DT)\n Workqueue: events mse102x_tx_work [mse102x]\n pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_release_data+0xb8/0x1d8\n lr : skb_release_data+0x1ac/0x1d8\n sp : ffff8000819a3cc0\n x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0\n x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff\n x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50\n x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc\n x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000\n x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000\n x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8\n x8 : fffffc00001bc008\n x7 : 0000000000000000 x6 : 0000000000000008\n x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009\n x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n skb_release_data+0xb8/0x1d8\n kfree_skb_reason+0x48/0xb0\n mse102x_tx_work+0x164/0x35c [mse102x]\n process_one_work+0x138/0x260\n worker_thread+0x32c/0x438\n kthread+0x118/0x11c\n ret_from_fork+0x10/0x20\n Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)",
"id": "GHSA-p9fm-3qq2-rmm2",
"modified": "2025-11-04T00:32:03Z",
"published": "2024-11-19T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50276"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1325e838089da25217f4b403318a270fcdf88f34"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f26339b2ed63d1e8e18a18674fb73a392f3660e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cf0e77f5a0aa1ff336aa71743eda55c73902187"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/91c9daa21f3ff8668f9e1d6c860024ce7ad64137"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9GF-GMFV-398M
Vulnerability from github – Published: 2021-08-25 20:54 – Updated: 2023-03-30 23:01An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "slice-deque"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29938"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:14:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.",
"id": "GHSA-p9gf-gmfv-398m",
"modified": "2023-03-30T23:01:08Z",
"published": "2021-08-25T20:54:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29938"
},
{
"type": "WEB",
"url": "https://github.com/gnzlbg/slice_deque/issues/90"
},
{
"type": "PACKAGE",
"url": "https://github.com/gnzlbg/slice_deque"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0047.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in slice-deque"
}
GHSA-PCWC-3RJ4-GJ54
Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2025-03-07 18:30A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.
{
"affected": [],
"aliases": [
"CVE-2022-3707"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-460"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.",
"id": "GHSA-pcwc-3rj4-gj54",
"modified": "2025-03-07T18:30:58Z",
"published": "2023-03-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137979"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz%40163.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz@163.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFH4-6F3V-4MWM
Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-01-14 15:30In the Linux kernel, the following vulnerability has been resolved:
tun: avoid double free in tun_free_netdev
Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the desctructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.
BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1 Hardware name: Red Hat KVM, BIOS Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372 _kasanslab_free mm/kasan/common.c:346 [inline] kasan_slab_free+0x107/0x120 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:1723 [inline] slab_free_freelist_hook mm/slub.c:1749 [inline] slab_free mm/slub.c:3513 [inline] kfree+0xac/0x2d0 mm/slub.c:4561 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
{
"affected": [],
"aliases": [
"CVE-2021-47082"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T18:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: avoid double free in tun_free_netdev\n\nAvoid double free in tun_free_netdev() by moving the\ndev-\u003etstats and tun-\u003esecurity allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there\u0027s an error in register_netdevice() the destructor\nwill handle the frees.\n\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\n\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae",
"id": "GHSA-pfh4-6f3v-4mwm",
"modified": "2025-01-14T15:30:47Z",
"published": "2024-03-04T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47082"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFJW-R4VX-PMFW
Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-02 21:32A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2026-58381"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T20:17:06Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GIMP\u0027s PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.",
"id": "GHSA-pfjw-r4vx-pmfw",
"modified": "2026-07-02T21:32:12Z",
"published": "2026-07-02T21:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-58381"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496166"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/b22e147b"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQF-MV4P-9J4R
Vulnerability from github – Published: 2025-07-04 09:31 – Updated: 2026-05-19 15:31A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.
{
"affected": [],
"aliases": [
"CVE-2025-5351"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T09:15:37Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.",
"id": "GHSA-pfqf-mv4p-9j4r",
"modified": "2026-05-19T15:31:18Z",
"published": "2025-07-04T09:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5351"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-5351"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PG9C-CVP2-XX3J
Vulnerability from github – Published: 2026-01-14 03:30 – Updated: 2026-01-14 03:30Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function.
{
"affected": [],
"aliases": [
"CVE-2025-68968"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T03:15:51Z",
"severity": "HIGH"
},
"details": "Double free vulnerability in the multi-mode input module.\nImpact: Successful exploitation of this vulnerability may affect the input function.",
"id": "GHSA-pg9c-cvp2-xx3j",
"modified": "2026-01-14T03:30:26Z",
"published": "2026-01-14T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68968"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/1"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PG9F-39PC-QF8G
Vulnerability from github – Published: 2025-04-10 14:30 – Updated: 2025-09-25 21:13The internal Channel type's Drop method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.
Quoting from the upstream description in merge request #1187:
The problem lies in the fact that
dicard_all_messagescontained two paths that could lead tohead.blockbeing read but only one of them would swap the value. This meant thatdicard_all_messagescould end up observing a non-null block pointer (and therefore attempting to free it) without settinghead.blockto null. This would then lead toChannel::dropmaking a second attempt at dropping the same pointer.
The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.
The fix is in upstream MR #1187 and has been published in 0.5.15
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "crossbeam-channel"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.12"
},
{
"fixed": "0.5.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4574"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T14:30:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The internal `Channel` type\u0027s `Drop` method has a race\nwhich could, in some circumstances, lead to a double-free.\nThis could result in memory corruption.\n\nQuoting from the\n[upstream description in merge request \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):\n\n\u003e The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.\n\nThe bug was introduced while fixing a memory leak, in\nupstream [MR \\#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),\nfirst published in 0.5.12.\n\nThe fix is in\nupstream [MR \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)\nand has been published in 0.5.15",
"id": "GHSA-pg9f-39pc-qf8g",
"modified": "2025-09-25T21:13:01Z",
"published": "2025-04-10T14:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4574"
},
{
"type": "WEB",
"url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4574"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
},
{
"type": "PACKAGE",
"url": "https://github.com/crossbeam-rs/crossbeam"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "crossbeam-channel Vulnerable to Double Free on Drop"
}
GHSA-PGH3-M69X-G87P
Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:33Memory corruption in Linux android due to double free while calling unregister provider after register call.
{
"affected": [],
"aliases": [
"CVE-2022-33227"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T08:15:10Z",
"severity": "HIGH"
},
"details": "Memory corruption in Linux android due to double free while calling unregister provider after register call.",
"id": "GHSA-pgh3-m69x-g87p",
"modified": "2024-04-04T04:33:37Z",
"published": "2023-06-06T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33227"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.