CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
966 vulnerabilities reference this CWE, most recent first.
GHSA-QM9F-HJ62-FCM2
Vulnerability from github – Published: 2025-03-18 21:31 – Updated: 2025-03-18 21:31In the Linux kernel, the following vulnerability has been resolved:
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
'whiteout_ui->data' will be freed twice if space budget fail for rename whiteout operation as following process:
rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free!
KASAN reports:
BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70 Call Trace: kfree+0x117/0x490 ubifs_free_inode+0x4f/0x70 [ubifs] i_callback+0x30/0x60 rcu_do_batch+0x366/0xac0 __do_softirq+0x133/0x57f
Allocated by task 1506: kmem_cache_alloc_trace+0x3c2/0x7a0 do_rename+0x9b7/0x1150 [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80
Freed by task 1506: kfree+0x117/0x490 do_rename.cold+0x53/0x8a [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80
The buggy address belongs to the object at ffff88810238bed8 which belongs to the cache kmalloc-8 of size 8 ==================================================================
Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode() -> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it (because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release', and the nlink of whiteout inode is 0).
{
"affected": [],
"aliases": [
"CVE-2021-47638"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T06:37:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: rename_whiteout: Fix double free for whiteout_ui-\u003edata\n\n\u0027whiteout_ui-\u003edata\u0027 will be freed twice if space budget fail for\nrename whiteout operation as following process:\n\nrename_whiteout\n dev = kmalloc\n whiteout_ui-\u003edata = dev\n kfree(whiteout_ui-\u003edata) // Free first time\n iput(whiteout)\n ubifs_free_inode\n kfree(ui-\u003edata)\t // Double free!\n\nKASAN reports:\n==================================================================\nBUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70\nCall Trace:\n kfree+0x117/0x490\n ubifs_free_inode+0x4f/0x70 [ubifs]\n i_callback+0x30/0x60\n rcu_do_batch+0x366/0xac0\n __do_softirq+0x133/0x57f\n\nAllocated by task 1506:\n kmem_cache_alloc_trace+0x3c2/0x7a0\n do_rename+0x9b7/0x1150 [ubifs]\n ubifs_rename+0x106/0x1f0 [ubifs]\n do_syscall_64+0x35/0x80\n\nFreed by task 1506:\n kfree+0x117/0x490\n do_rename.cold+0x53/0x8a [ubifs]\n ubifs_rename+0x106/0x1f0 [ubifs]\n do_syscall_64+0x35/0x80\n\nThe buggy address belongs to the object at ffff88810238bed8 which\nbelongs to the cache kmalloc-8 of size 8\n==================================================================\n\nLet ubifs_free_inode() free \u0027whiteout_ui-\u003edata\u0027. BTW, delete unused\nassignment \u0027whiteout_ui-\u003edata_len = 0\u0027, process \u0027ubifs_evict_inode()\n-\u003e ubifs_jnl_delete_inode() -\u003e ubifs_jnl_write_inode()\u0027 doesn\u0027t need it\n(because \u0027inc_nlink(whiteout)\u0027 won\u0027t be excuted by \u0027goto out_release\u0027,\n and the nlink of whiteout inode is 0).",
"id": "GHSA-qm9f-hj62-fcm2",
"modified": "2025-03-18T21:31:58Z",
"published": "2025-03-18T21:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47638"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14276d38c89a170363e90b6ac0a53c3cf61b87fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ad07009c459e56ebdcc089d850d664660fdb742"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b3236ecf96db7af5836e1366ce39ace8ce832fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/40a8f0d5e7b3999f096570edab71c345da812e3e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d7a158a7363c1f6604aa47ae1a280a5c65123dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b3c7be16f3f4dfd6e15ac651484e59d3fa36274"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a90e2dbe66d2647ff95a0442ad2e86482d977fd8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9a937f096e608b3368c1abc920d4d640ba2c94f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMFR-QQ4J-JRFC
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-14 21:30In the Linux kernel, the following vulnerability has been resolved:
PCI: hv: Fix double ida_free in hv_pci_probe error path
If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning:
ida_free called for id=28971 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 Call Trace: pci_bus_release_emul_domain_nr+0x17/0x20 pci_release_host_bridge_dev+0x4b/0x60 device_release+0x3b/0xa0 kobject_put+0x8e/0x220 devm_pci_alloc_host_bridge_release+0xe/0x20 devres_release_all+0x9a/0xd0 device_unbind_cleanup+0x12/0xa0 really_probe+0x1c5/0x3f0 vmbus_add_channel_work+0x135/0x1a0
Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver.
{
"affected": [],
"aliases": [
"CVE-2026-43097"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T10:16:23Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: hv: Fix double ida_free in hv_pci_probe error path\n\nIf hv_pci_probe() fails after storing the domain number in\nhbus-\u003ebridge-\u003edomain_nr, there is a call to free this domain_nr via\npci_bus_release_emul_domain_nr(), however, during cleanup, the bridge\nrelease callback pci_release_host_bridge_dev() also frees the domain_nr\ncausing ida_free to be called on same ID twice and triggering following\nwarning:\n\n ida_free called for id=28971 which is not allocated.\n WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198\n Call Trace:\n pci_bus_release_emul_domain_nr+0x17/0x20\n pci_release_host_bridge_dev+0x4b/0x60\n device_release+0x3b/0xa0\n kobject_put+0x8e/0x220\n devm_pci_alloc_host_bridge_release+0xe/0x20\n devres_release_all+0x9a/0xd0\n device_unbind_cleanup+0x12/0xa0\n really_probe+0x1c5/0x3f0\n vmbus_add_channel_work+0x135/0x1a0\n\nFix this by letting pci core handle the free domain_nr and remove\nthe explicit free called in pci-hyperv driver.",
"id": "GHSA-qmfr-qq4j-jrfc",
"modified": "2026-05-14T21:30:36Z",
"published": "2026-05-06T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43097"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21bc8e0ba5c2a081b0a2808c976d4c9dbddf1e48"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6422dff0e518245019233432b6bccfc30b73e2f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQ64-7FH7-7HMW
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_free and obj_free).
{
"affected": [],
"aliases": [
"CVE-2020-36401"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-01T03:15:00Z",
"severity": "HIGH"
},
"details": "mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_free and obj_free).",
"id": "GHSA-qq64-7fh7-7hmw",
"modified": "2022-05-24T19:06:47Z",
"published": "2022-05-24T19:06:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36401"
},
{
"type": "WEB",
"url": "https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801"
},
{
"type": "WEB",
"url": "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QRWJ-6QFP-4P9H
Vulnerability from github – Published: 2025-10-21 12:31 – Updated: 2025-10-21 12:31In the Linux kernel, the following vulnerability has been resolved:
ath10k: skip ath10k_halt during suspend for driver state RESTARTING
Double free crash is observed when FW recovery(caused by wmi timeout/crash) is followed by immediate suspend event. The FW recovery is triggered by ath10k_core_restart() which calls driver clean up via ath10k_halt(). When the suspend event occurs between the FW recovery, the restart worker thread is put into frozen state until suspend completes. The suspend event triggers ath10k_stop() which again triggers ath10k_halt() The double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be called twice(Note: ath10k_htt_rx_alloc was not called by restart worker thread because of its frozen state), causing the crash.
To fix this, during the suspend flow, skip call to ath10k_halt() in ath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING. Also, for driver state ATH10K_STATE_RESTARTING, call ath10k_wait_for_suspend() in ath10k_stop(). This is because call to ath10k_wait_for_suspend() is skipped later in [ath10k_halt() > ath10k_core_stop()] for the driver state ATH10K_STATE_RESTARTING.
The frozen restart worker thread will be cancelled during resume when the device comes out of suspend.
Below is the crash stack for reference:
[ 428.469167] ------------[ cut here ]------------ [ 428.469180] kernel BUG at mm/slub.c:4150! [ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 428.469219] Workqueue: events_unbound async_run_entry_fn [ 428.469230] RIP: 0010:kfree+0x319/0x31b [ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246 [ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000 [ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000 [ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000 [ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 428.469285] Call Trace: [ 428.469295] ? dma_free_attrs+0x5f/0x7d [ 428.469320] ath10k_core_stop+0x5b/0x6f [ 428.469336] ath10k_halt+0x126/0x177 [ 428.469352] ath10k_stop+0x41/0x7e [ 428.469387] drv_stop+0x88/0x10e [ 428.469410] __ieee80211_suspend+0x297/0x411 [ 428.469441] rdev_suspend+0x6e/0xd0 [ 428.469462] wiphy_suspend+0xb1/0x105 [ 428.469483] ? name_show+0x2d/0x2d [ 428.469490] dpm_run_callback+0x8c/0x126 [ 428.469511] ? name_show+0x2d/0x2d [ 428.469517] __device_suspend+0x2e7/0x41b [ 428.469523] async_suspend+0x1f/0x93 [ 428.469529] async_run_entry_fn+0x3d/0xd1 [ 428.469535] process_one_work+0x1b1/0x329 [ 428.469541] worker_thread+0x213/0x372 [ 428.469547] kthread+0x150/0x15f [ 428.469552] ? pr_cont_work+0x58/0x58 [ 428.469558] ? kthread_blkcg+0x31/0x31
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
{
"affected": [],
"aliases": [
"CVE-2022-49519"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:27Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nath10k: skip ath10k_halt during suspend for driver state RESTARTING\n\nDouble free crash is observed when FW recovery(caused by wmi\ntimeout/crash) is followed by immediate suspend event. The FW recovery\nis triggered by ath10k_core_restart() which calls driver clean up via\nath10k_halt(). When the suspend event occurs between the FW recovery,\nthe restart worker thread is put into frozen state until suspend completes.\nThe suspend event triggers ath10k_stop() which again triggers ath10k_halt()\nThe double invocation of ath10k_halt() causes ath10k_htt_rx_free() to be\ncalled twice(Note: ath10k_htt_rx_alloc was not called by restart worker\nthread because of its frozen state), causing the crash.\n\nTo fix this, during the suspend flow, skip call to ath10k_halt() in\nath10k_stop() when the current driver state is ATH10K_STATE_RESTARTING.\nAlso, for driver state ATH10K_STATE_RESTARTING, call\nath10k_wait_for_suspend() in ath10k_stop(). This is because call to\nath10k_wait_for_suspend() is skipped later in\n[ath10k_halt() \u003e ath10k_core_stop()] for the driver state\nATH10K_STATE_RESTARTING.\n\nThe frozen restart worker thread will be cancelled during resume when the\ndevice comes out of suspend.\n\nBelow is the crash stack for reference:\n\n[ 428.469167] ------------[ cut here ]------------\n[ 428.469180] kernel BUG at mm/slub.c:4150!\n[ 428.469193] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 428.469219] Workqueue: events_unbound async_run_entry_fn\n[ 428.469230] RIP: 0010:kfree+0x319/0x31b\n[ 428.469241] RSP: 0018:ffffa1fac015fc30 EFLAGS: 00010246\n[ 428.469247] RAX: ffffedb10419d108 RBX: ffff8c05262b0000\n[ 428.469252] RDX: ffff8c04a8c07000 RSI: 0000000000000000\n[ 428.469256] RBP: ffffa1fac015fc78 R08: 0000000000000000\n[ 428.469276] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 428.469285] Call Trace:\n[ 428.469295] ? dma_free_attrs+0x5f/0x7d\n[ 428.469320] ath10k_core_stop+0x5b/0x6f\n[ 428.469336] ath10k_halt+0x126/0x177\n[ 428.469352] ath10k_stop+0x41/0x7e\n[ 428.469387] drv_stop+0x88/0x10e\n[ 428.469410] __ieee80211_suspend+0x297/0x411\n[ 428.469441] rdev_suspend+0x6e/0xd0\n[ 428.469462] wiphy_suspend+0xb1/0x105\n[ 428.469483] ? name_show+0x2d/0x2d\n[ 428.469490] dpm_run_callback+0x8c/0x126\n[ 428.469511] ? name_show+0x2d/0x2d\n[ 428.469517] __device_suspend+0x2e7/0x41b\n[ 428.469523] async_suspend+0x1f/0x93\n[ 428.469529] async_run_entry_fn+0x3d/0xd1\n[ 428.469535] process_one_work+0x1b1/0x329\n[ 428.469541] worker_thread+0x213/0x372\n[ 428.469547] kthread+0x150/0x15f\n[ 428.469552] ? pr_cont_work+0x58/0x58\n[ 428.469558] ? kthread_blkcg+0x31/0x31\n\nTested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1",
"id": "GHSA-qrwj-6qfp-4p9h",
"modified": "2025-10-21T12:31:26Z",
"published": "2025-10-21T12:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49519"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5321e5211b5dc873e2e3d0deb749e69ecf4dbfe5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7eb14cb604f49e58b7cf6faa87961a865a3c8649"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8aa3750986ffcf73e0692db3b40dd3a8e8c0c575"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b72a4aff947ba807177bdabb43debaf2c66bee05"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c2272428090d0d215a3f017cbbbad731c07eee53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QWHP-2GP7-QHFQ
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2025-11-03 21:30A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.
{
"affected": [],
"aliases": [
"CVE-2021-4091"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T18:15:00Z",
"severity": "HIGH"
},
"details": "A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.",
"id": "GHSA-qwhp-2gp7-qhfq",
"modified": "2025-11-03T21:30:38Z",
"published": "2022-02-19T00:01:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4091"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030307"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QWWC-F936-V8H7
Vulnerability from github – Published: 2024-10-02 21:30 – Updated: 2024-10-02 21:30Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device.
These vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.
{
"affected": [],
"aliases": [
"CVE-2024-20498"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-02T19:15:13Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device.\n\nThese vulnerabilities are due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request to the VPN server of an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN connections and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.\nNote: When the attack traffic stops, the Cisco AnyConnect VPN server recovers gracefully without requiring manual intervention.",
"id": "GHSA-qwwc-f936-v8h7",
"modified": "2024-10-02T21:30:34Z",
"published": "2024-10-02T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20498"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-QTRHzG2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX56-HJGG-8XGM
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30Windows SMBv3 Server Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43447"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:21Z",
"severity": "HIGH"
},
"details": "Windows SMBv3 Server Remote Code Execution Vulnerability",
"id": "GHSA-qx56-hjgg-8xgm",
"modified": "2024-11-12T18:30:58Z",
"published": "2024-11-12T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43447"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43447"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QX6Q-MQG9-4PX7
Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 15:30In the Linux kernel, the following vulnerability has been resolved:
smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.
{
"affected": [],
"aliases": [
"CVE-2026-31608"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T15:16:40Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()\n\nsmb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),\nso we should not call it again after post_sendmsg()\nmoved it to the batch list.",
"id": "GHSA-qx6q-mqg9-4px7",
"modified": "2026-04-27T15:30:45Z",
"published": "2026-04-24T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31608"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2ba03f46132b0d1a7bafb86e1ef61951a2254023"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6968c91fab05b8fc4d6700e0cf34472bb422df25"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/830de6eeb9db4cb7e758201fb99328ef4ca4b032"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84ff995ae826aa6bbcc6c7b9ea569ff67c021d72"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R2H5-JH8M-2Q64
Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-03-03 18:31CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody.
{
"affected": [],
"aliases": [
"CVE-2025-13844"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T19:16:02Z",
"severity": "HIGH"
},
"details": "CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody.",
"id": "GHSA-r2h5-jh8m-2q64",
"modified": "2026-03-03T18:31:26Z",
"published": "2026-01-15T21:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13844"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-013-04.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R2VP-QCG8-M2F6
Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-17 00:00Adobe Bridge version 11.1.1 (and earlier) is affected by a double free vulnerability when parsing a crafted DCM file, which could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.
{
"affected": [],
"aliases": [
"CVE-2021-42533"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-16T15:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Bridge version 11.1.1 (and earlier) is affected by a double free vulnerability when parsing a crafted DCM file, which could result in arbitrary code execution in the context of the current user. This vulnerability requires user interaction to exploit.",
"id": "GHSA-r2vp-qcg8-m2f6",
"modified": "2022-03-17T00:00:28Z",
"published": "2022-03-17T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42533"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/bridge/apsb21-94.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.