Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

967 vulnerabilities reference this CWE, most recent first.

GHSA-P8X5-C6C9-8CWX

Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-06 18:30
VLAI
Details

The curl logic that works with SASL authentication could end up cleaning up the GSASL context twice without clearing the pointer in between, making it free() the same pointer twice.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T07:16:24Z",
    "severity": "CRITICAL"
  },
  "details": "The curl logic that works with SASL authentication could end up cleaning up\nthe GSASL context *twice* without clearing the pointer in between, making it\n`free()` the same pointer twice.",
  "id": "GHSA-p8x5-c6c9-8cwx",
  "modified": "2026-07-06T18:30:47Z",
  "published": "2026-07-03T09:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8925"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3735193"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2026-8925.html"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2026-8925.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9FM-3QQ2-RMM2

Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: vertexcom: mse102x: Fix possible double free of TX skb

The scope of the TX skb is wider than just mse102x_tx_frame_spi(), so in case the TX skb room needs to be expanded, we should free the the temporary skb instead of the original skb. Otherwise the original TX skb pointer would be freed again in mse102x_tx_work(), which leads to crashes:

Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23 Hardware name: chargebyte Charge SOM DC-ONE (DT) Workqueue: events mse102x_tx_work [mse102x] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_release_data+0xb8/0x1d8 lr : skb_release_data+0x1ac/0x1d8 sp : ffff8000819a3cc0 x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0 x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50 x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000 x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8 x8 : fffffc00001bc008 x7 : 0000000000000000 x6 : 0000000000000008 x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009 x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000 Call trace: skb_release_data+0xb8/0x1d8 kfree_skb_reason+0x48/0xb0 mse102x_tx_work+0x164/0x35c [mse102x] process_one_work+0x138/0x260 worker_thread+0x32c/0x438 kthread+0x118/0x11c ret_from_fork+0x10/0x20 Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T02:16:29Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vertexcom: mse102x: Fix possible double free of TX skb\n\nThe scope of the TX skb is wider than just mse102x_tx_frame_spi(),\nso in case the TX skb room needs to be expanded, we should free the\nthe temporary skb instead of the original skb. Otherwise the original\nTX skb pointer would be freed again in mse102x_tx_work(), which leads\nto crashes:\n\n  Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP\n  CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G      D            6.6.23\n  Hardware name: chargebyte Charge SOM DC-ONE (DT)\n  Workqueue: events mse102x_tx_work [mse102x]\n  pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : skb_release_data+0xb8/0x1d8\n  lr : skb_release_data+0x1ac/0x1d8\n  sp : ffff8000819a3cc0\n  x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0\n  x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff\n  x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50\n  x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc\n  x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000\n  x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000\n  x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8\n  x8 : fffffc00001bc008\n  x7 : 0000000000000000 x6 : 0000000000000008\n  x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009\n  x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n   skb_release_data+0xb8/0x1d8\n   kfree_skb_reason+0x48/0xb0\n   mse102x_tx_work+0x164/0x35c [mse102x]\n   process_one_work+0x138/0x260\n   worker_thread+0x32c/0x438\n   kthread+0x118/0x11c\n   ret_from_fork+0x10/0x20\n  Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)",
  "id": "GHSA-p9fm-3qq2-rmm2",
  "modified": "2025-11-04T00:32:03Z",
  "published": "2024-11-19T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50276"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1325e838089da25217f4b403318a270fcdf88f34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f26339b2ed63d1e8e18a18674fb73a392f3660e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2cf0e77f5a0aa1ff336aa71743eda55c73902187"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91c9daa21f3ff8668f9e1d6c860024ce7ad64137"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9GF-GMFV-398M

Vulnerability from github – Published: 2021-08-25 20:54 – Updated: 2023-03-30 23:01
VLAI
Summary
Double free in slice-deque
Details

An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "slice-deque"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T17:14:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.",
  "id": "GHSA-p9gf-gmfv-398m",
  "modified": "2023-03-30T23:01:08Z",
  "published": "2021-08-25T20:54:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29938"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gnzlbg/slice_deque/issues/90"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gnzlbg/slice_deque"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0047.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Double free in slice-deque"
}

GHSA-PCWC-3RJ4-GJ54

Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2025-03-07 18:30
VLAI
Details

A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-460"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-06T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.",
  "id": "GHSA-pcwc-3rj4-gj54",
  "modified": "2025-03-07T18:30:58Z",
  "published": "2023-03-07T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137979"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz%40163.com"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz@163.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFH4-6F3V-4MWM

Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-01-14 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tun: avoid double free in tun_free_netdev

Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the desctructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.

BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1 Hardware name: Red Hat KVM, BIOS Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372 _kasanslab_free mm/kasan/common.c:346 [inline] kasan_slab_free+0x107/0x120 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:1723 [inline] slab_free_freelist_hook mm/slub.c:1749 [inline] slab_free mm/slub.c:3513 [inline] kfree+0xac/0x2d0 mm/slub.c:4561 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: avoid double free in tun_free_netdev\n\nAvoid double free in tun_free_netdev() by moving the\ndev-\u003etstats and tun-\u003esecurity allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there\u0027s an error in register_netdevice() the destructor\nwill handle the frees.\n\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\n\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae",
  "id": "GHSA-pfh4-6f3v-4mwm",
  "modified": "2025-01-14T15:30:47Z",
  "published": "2024-03-04T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47082"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFJW-R4VX-PMFW

Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-02 21:32
VLAI
Details

A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-02T20:17:06Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in GIMP\u0027s PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.",
  "id": "GHSA-pfjw-r4vx-pmfw",
  "modified": "2026-07-02T21:32:12Z",
  "published": "2026-07-02T21:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58381"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-58381"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496166"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/b22e147b"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16207"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFQF-MV4P-9J4R

Vulnerability from github – Published: 2025-07-04 09:31 – Updated: 2026-05-19 15:31
VLAI
Details

A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-04T09:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.",
  "id": "GHSA-pfqf-mv4p-9j4r",
  "modified": "2026-05-19T15:31:18Z",
  "published": "2025-07-04T09:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5351"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18683"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-5351"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PG9C-CVP2-XX3J

Vulnerability from github – Published: 2026-01-14 03:30 – Updated: 2026-01-14 03:30
VLAI
Details

Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-14T03:15:51Z",
    "severity": "HIGH"
  },
  "details": "Double free vulnerability in the multi-mode input module.\nImpact: Successful exploitation of this vulnerability may affect the input function.",
  "id": "GHSA-pg9c-cvp2-xx3j",
  "modified": "2026-01-14T03:30:26Z",
  "published": "2026-01-14T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68968"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2026/1"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PG9F-39PC-QF8G

Vulnerability from github – Published: 2025-04-10 14:30 – Updated: 2025-09-25 21:13
VLAI
Summary
crossbeam-channel Vulnerable to Double Free on Drop
Details

The internal Channel type's Drop method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption.

Quoting from the upstream description in merge request #1187:

The problem lies in the fact that dicard_all_messages contained two paths that could lead to head.block being read but only one of them would swap the value. This meant that dicard_all_messages could end up observing a non-null block pointer (and therefore attempting to free it) without setting head.block to null. This would then lead to Channel::drop making a second attempt at dropping the same pointer.

The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.

The fix is in upstream MR #1187 and has been published in 0.5.15

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "crossbeam-channel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.12"
            },
            {
              "fixed": "0.5.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-4574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T14:30:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The internal `Channel` type\u0027s `Drop` method has a race\nwhich could, in some circumstances, lead to a double-free.\nThis could result in memory corruption.\n\nQuoting from the\n[upstream description in merge request \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):\n\n\u003e The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.\n\nThe bug was introduced while fixing a memory leak, in\nupstream [MR \\#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),\nfirst published in 0.5.12.\n\nThe fix is in\nupstream [MR \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)\nand has been published in 0.5.15",
  "id": "GHSA-pg9f-39pc-qf8g",
  "modified": "2025-09-25T21:13:01Z",
  "published": "2025-04-10T14:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4574"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/crossbeam-rs/crossbeam"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "crossbeam-channel Vulnerable to Double Free on Drop"
}

GHSA-PGH3-M69X-G87P

Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:33
VLAI
Details

Memory corruption in Linux android due to double free while calling unregister provider after register call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T08:15:10Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption in Linux android due to double free while calling unregister provider after register call.",
  "id": "GHSA-pgh3-m69x-g87p",
  "modified": "2024-04-04T04:33:37Z",
  "published": "2023-06-06T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33227"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.