Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-25G3-Q597-79M8

Vulnerability from github – Published: 2024-02-20 21:30 – Updated: 2024-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix use-after-free in shinker's callback

The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated.

I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:

================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478

CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c

Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144

Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24

Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c

Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker\u0027s callback\n\nThe mmap read lock is used during the shrinker\u0027s callback, which means\nthat using alloc-\u003evma pointer isn\u0027t safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker\u0027s debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n  Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n  CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   zap_page_range_single+0x470/0x4b8\n   binder_alloc_free_page+0x608/0xadc\n   __list_lru_walk_one+0x130/0x3b0\n   list_lru_walk_node+0xc4/0x22c\n   binder_shrink_scan+0x108/0x1dc\n   shrinker_debugfs_scan_write+0x2b4/0x500\n   full_proxy_write+0xd4/0x140\n   vfs_write+0x1ac/0x758\n   ksys_write+0xf0/0x1dc\n   __arm64_sys_write+0x6c/0x9c\n\n  Allocated by task 492:\n   kmem_cache_alloc+0x130/0x368\n   vm_area_alloc+0x2c/0x190\n   mmap_region+0x258/0x18bc\n   do_mmap+0x694/0xa60\n   vm_mmap_pgoff+0x170/0x29c\n   ksys_mmap_pgoff+0x290/0x3a0\n   __arm64_sys_mmap+0xcc/0x144\n\n  Freed by task 491:\n   kmem_cache_free+0x17c/0x3c8\n   vm_area_free_rcu_cb+0x74/0x98\n   rcu_core+0xa38/0x26d4\n   rcu_core_si+0x10/0x1c\n   __do_softirq+0x2fc/0xd24\n\n  Last potentially related work creation:\n   __call_rcu_common.constprop.0+0x6c/0xba0\n   call_rcu+0x10/0x1c\n   vm_area_free+0x18/0x24\n   remove_vma+0xe4/0x118\n   do_vmi_align_munmap.isra.0+0x718/0xb5c\n   do_vmi_munmap+0xdc/0x1fc\n   __vm_munmap+0x10c/0x278\n   __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.",
  "id": "GHSA-25g3-q597-79m8",
  "modified": "2024-06-25T21:31:10Z",
  "published": "2024-02-20T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25GQ-3QMX-682C

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:04
VLAI
Details

libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.",
  "id": "GHSA-25gq-3qmx-682c",
  "modified": "2024-04-04T00:04:16Z",
  "published": "2022-05-24T16:44:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11471"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strukturag/libheif/issues/123"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25GR-PH8W-33HC

Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2024-10-21 15:32
VLAI
Details

Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-22T22:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird \u003c 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation.",
  "id": "GHSA-25gr-ph8w-33hc",
  "modified": "2024-10-21T15:32:16Z",
  "published": "2022-05-14T03:19:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5277"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1291665"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-15"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2016-86"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2016-88"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-1912.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3674"
    },
    {
      "type": "WEB",
      "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-85.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93049"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036852"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25HR-298P-F2JG

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mana: Null service_wq on setup error to prevent double destroy

In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:56Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mana: Null service_wq on setup error to prevent double destroy\n\nIn mana_gd_setup() error path, set gc-\u003eservice_wq to NULL after\ndestroy_workqueue() to match the cleanup in mana_gd_cleanup().\nThis prevents a use-after-free if the workqueue pointer is checked\nafter a failed setup.",
  "id": "GHSA-25hr-298p-f2jg",
  "modified": "2026-05-21T18:33:06Z",
  "published": "2026-05-08T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43440"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59489ce60d7412ed82fb1d8002faa3102dcd4916"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c92392602b451e3869f15ab685f8f650e942b13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87c2302813abc55c46485711a678e3c312b00666"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25J6-496G-X28F

Vulnerability from github – Published: 2023-06-12 15:30 – Updated: 2024-04-04 04:43
VLAI
Details

NanoMQ 0.16.5 is vulnerable to heap-use-after-free in the nano_ctx_send function of nmq_mqtt.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-12T14:15:19Z",
    "severity": "HIGH"
  },
  "details": "NanoMQ 0.16.5 is vulnerable to heap-use-after-free in the nano_ctx_send function of nmq_mqtt.c.",
  "id": "GHSA-25j6-496g-x28f",
  "modified": "2024-04-04T04:43:24Z",
  "published": "2023-06-12T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emqx/nanomq/issues/1180"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25JW-M5XF-QHRJ

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2025-04-20 03:49
VLAI
Details

ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-11T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.",
  "id": "GHSA-25jw-m5xf-qhrj",
  "modified": "2025-04-20T03:49:44Z",
  "published": "2022-05-13T01:14:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c617007282eee3fe1cc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996c13f24c45a"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4074"
    },
    {
      "type": "WEB",
      "url": "https://www.imagemagick.org/discourse-server/viewtopic.php?f=3\u0026t=33078\u0026sid=5fbb164c3830293138917f9b14264ed1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25JW-V9RV-H6H9

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA resolveNodes method of Button elements. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5528.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-17T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA resolveNodes method of Button elements. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5528.",
  "id": "GHSA-25jw-v9rv-h6h9",
  "modified": "2022-05-13T01:31:39Z",
  "published": "2022-05-13T01:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9953"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-337"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25W9-JC8C-RX9W

Vulnerability from github – Published: 2022-11-22 15:30 – Updated: 2022-11-23 21:30
VLAI
Details

Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-22T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679",
  "id": "GHSA-25w9-jc8c-rx9w",
  "modified": "2022-11-23T21:30:33Z",
  "published": "2022-11-22T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679"
    },
    {
      "type": "WEB",
      "url": "https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25X5-G59V-H6M3

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.1.6871. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the app.execMenuItem function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4723.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-31T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.1.6871. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the app.execMenuItem function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4723.",
  "id": "GHSA-25x5-g59v-h6m3",
  "modified": "2022-05-13T01:38:20Z",
  "published": "2022-05-13T01:38:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10948"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-461"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101670"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25X9-7WCV-MF35

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()

ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);

may be schedule, and then complete before the line

ndev->stats.tx_bytes += skb->len;

[ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dump_backtrace+0x0/0x2b8 [ 46.960719] show_stack+0x24/0x30 [ 46.964052] dump_stack+0x128/0x194 [ 46.967557] print_address_description.isra.0+0x64/0x380 [ 46.972877] __kasan_report+0x1d4/0x240 [ 46.976723] kasan_report+0xc/0x18 [ 46.980138] __asan_report_load4_noabort+0x18/0x20 [ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 [ 46.994894] sch_direct_xmit+0x198/0xd08 [ 46.998827] __qdisc_run+0x37c/0x1dc0 [ 47.002500] __dev_queue_xmit+0x1528/0x21f8 [ 47.006692] dev_queue_xmit+0x24/0x30 [ 47.010366] neigh_resolve_output+0x37c/0x678 [ 47.014734] ip_finish_output2+0x598/0x2458 [ 47.018927] __ip_finish_output+0x300/0x730 [ 47.023118] ip_output+0x2e0/0x430 [ 47.026530] ip_local_out+0x90/0x140 [ 47.030117] igmpv3_sendpack+0x14c/0x228 [ 47.034049] igmpv3_send_cr+0x384/0x6b8 [ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 [ 47.042262] call_timer_fn+0x1cc/0xbe8 [ 47.046021] __run_timers+0x4d8/0xb28 [ 47.049693] run_timer_softirq+0x24/0x40 [ 47.053626] __do_softirq+0x2c0/0x117c [ 47.057387] irq_exit+0x2dc/0x388 [ 47.060715] __handle_domain_irq+0xb4/0x158 [ 47.064908] gic_handle_irq+0x58/0xb0 [ 47.068581] el0_irq_naked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] save_stack+0x24/0xb0 [ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasan_slab_alloc+0x14/0x20 [ 47.088622] kmem_cache_alloc+0x15c/0x468 [ 47.092643] __alloc_skb+0xa4/0x498 [ 47.096142] igmpv3_newpack+0x158/0xd78 [ 47.099987] add_grhead+0x210/0x288 [ 47.103485] add_grec+0x6b0/0xb70 [ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 [ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 [ 47.115027] call_timer_fn+0x1cc/0xbe8 [ 47.118785] __run_timers+0x4d8/0xb28 [ 47.122457] run_timer_softirq+0x24/0x40 [ 47.126389] __do_softirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] save_stack+0x24/0xb0 [ 47.138041] __kasan_slab_free+0x108/0x180 [ 47.142146] kasan_slab_free+0x10/0x18 [ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 [ 47.150444] kmem_cache_free+0x8c/0x528 [ 47.154292] kfree_skbmem+0x94/0x108 [ 47.157880] consume_skb+0x10c/0x5a8 [ 47.161466] __dev_kfree_skb_any+0x88/0xa0 [ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] [ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] [ 47.197859] process_one_work+0x7fc/0x1a80 [ 47.201965] worker_thread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] ret_from_fork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuff_head_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] page:ffffffff00dd6200 refcount:1 mapcou ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:44Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()\n\n\u003e ret = brcmf_proto_tx_queue_data(drvr, ifp-\u003eifidx, skb);\n\nmay be schedule, and then complete before the line\n\n\u003e ndev-\u003estats.tx_bytes += skb-\u003elen;\n\n[   46.912801] ==================================================================\n[   46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[   46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328\n[   46.935991]\n[   46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G           O      5.4.199-[REDACTED] #1\n[   46.947255] Hardware name: [REDACTED]\n[   46.954568] Call trace:\n[   46.957037]  dump_backtrace+0x0/0x2b8\n[   46.960719]  show_stack+0x24/0x30\n[   46.964052]  dump_stack+0x128/0x194\n[   46.967557]  print_address_description.isra.0+0x64/0x380\n[   46.972877]  __kasan_report+0x1d4/0x240\n[   46.976723]  kasan_report+0xc/0x18\n[   46.980138]  __asan_report_load4_noabort+0x18/0x20\n[   46.985027]  brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[   46.990613]  dev_hard_start_xmit+0x1bc/0xda0\n[   46.994894]  sch_direct_xmit+0x198/0xd08\n[   46.998827]  __qdisc_run+0x37c/0x1dc0\n[   47.002500]  __dev_queue_xmit+0x1528/0x21f8\n[   47.006692]  dev_queue_xmit+0x24/0x30\n[   47.010366]  neigh_resolve_output+0x37c/0x678\n[   47.014734]  ip_finish_output2+0x598/0x2458\n[   47.018927]  __ip_finish_output+0x300/0x730\n[   47.023118]  ip_output+0x2e0/0x430\n[   47.026530]  ip_local_out+0x90/0x140\n[   47.030117]  igmpv3_sendpack+0x14c/0x228\n[   47.034049]  igmpv3_send_cr+0x384/0x6b8\n[   47.037895]  igmp_ifc_timer_expire+0x4c/0x118\n[   47.042262]  call_timer_fn+0x1cc/0xbe8\n[   47.046021]  __run_timers+0x4d8/0xb28\n[   47.049693]  run_timer_softirq+0x24/0x40\n[   47.053626]  __do_softirq+0x2c0/0x117c\n[   47.057387]  irq_exit+0x2dc/0x388\n[   47.060715]  __handle_domain_irq+0xb4/0x158\n[   47.064908]  gic_handle_irq+0x58/0xb0\n[   47.068581]  el0_irq_naked+0x50/0x5c\n[   47.072162]\n[   47.073665] Allocated by task 328:\n[   47.077083]  save_stack+0x24/0xb0\n[   47.080410]  __kasan_kmalloc.isra.0+0xc0/0xe0\n[   47.084776]  kasan_slab_alloc+0x14/0x20\n[   47.088622]  kmem_cache_alloc+0x15c/0x468\n[   47.092643]  __alloc_skb+0xa4/0x498\n[   47.096142]  igmpv3_newpack+0x158/0xd78\n[   47.099987]  add_grhead+0x210/0x288\n[   47.103485]  add_grec+0x6b0/0xb70\n[   47.106811]  igmpv3_send_cr+0x2e0/0x6b8\n[   47.110657]  igmp_ifc_timer_expire+0x4c/0x118\n[   47.115027]  call_timer_fn+0x1cc/0xbe8\n[   47.118785]  __run_timers+0x4d8/0xb28\n[   47.122457]  run_timer_softirq+0x24/0x40\n[   47.126389]  __do_softirq+0x2c0/0x117c\n[   47.130142]\n[   47.131643] Freed by task 180:\n[   47.134712]  save_stack+0x24/0xb0\n[   47.138041]  __kasan_slab_free+0x108/0x180\n[   47.142146]  kasan_slab_free+0x10/0x18\n[   47.145904]  slab_free_freelist_hook+0xa4/0x1b0\n[   47.150444]  kmem_cache_free+0x8c/0x528\n[   47.154292]  kfree_skbmem+0x94/0x108\n[   47.157880]  consume_skb+0x10c/0x5a8\n[   47.161466]  __dev_kfree_skb_any+0x88/0xa0\n[   47.165598]  brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]\n[   47.171023]  brcmf_txfinalize+0xec/0x190 [brcmfmac]\n[   47.176016]  brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]\n[   47.182056]  brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]\n[   47.187568]  brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]\n[   47.192529]  brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]\n[   47.197859]  process_one_work+0x7fc/0x1a80\n[   47.201965]  worker_thread+0x31c/0xc40\n[   47.205726]  kthread+0x2d8/0x370\n[   47.208967]  ret_from_fork+0x10/0x18\n[   47.212546]\n[   47.214051] The buggy address belongs to the object at ffffff803f588280\n[   47.214051]  which belongs to the cache skbuff_head_cache of size 208\n[   47.227086] The buggy address is located 104 bytes inside of\n[   47.227086]  208-byte region [ffffff803f588280, ffffff803f588350)\n[   47.238814] The buggy address belongs to the page:\n[   47.243618] page:ffffffff00dd6200 refcount:1 mapcou\n---truncated---",
  "id": "GHSA-25x9-7wcv-mf35",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50408"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1613a7b24f1a7467cb727ba3ec77c9a808383560"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/232d59eca07f6ea27307022a33d226aff373bd02"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/27574a3f421c3a1694d0207f37c6bbf23d66978e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f42faf6db431e04bf942d2ebe3ae88975723478"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/49c742afd60f552fce7799287080db02bffe1db2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c369836cff98d3877f98c98e15c0151462812d96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d79f4d903e14dde822c60b5fd3bedc5a289d25df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e01d96494a9de0f48b1167f0494f6d929fa773ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.