CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-25G3-Q597-79M8
Vulnerability from github – Published: 2024-02-20 21:30 – Updated: 2024-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
binder: fix use-after-free in shinker's callback
The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated.
I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF:
================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478
CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c
Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144
Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24
Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c
Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway.
{
"affected": [],
"aliases": [
"CVE-2023-52438"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T21:15:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix use-after-free in shinker\u0027s callback\n\nThe mmap read lock is used during the shrinker\u0027s callback, which means\nthat using alloc-\u003evma pointer isn\u0027t safe as it can race with munmap().\nAs of commit dd2283f2605e (\"mm: mmap: zap pages with read mmap_sem in\nmunmap\") the mmap lock is downgraded after the vma has been isolated.\n\nI was able to reproduce this issue by manually adding some delays and\ntriggering page reclaiming through the shrinker\u0027s debug sysfs. The\nfollowing KASAN report confirms the UAF:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8\n Read of size 8 at addr ffff356ed50e50f0 by task bash/478\n\n CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n zap_page_range_single+0x470/0x4b8\n binder_alloc_free_page+0x608/0xadc\n __list_lru_walk_one+0x130/0x3b0\n list_lru_walk_node+0xc4/0x22c\n binder_shrink_scan+0x108/0x1dc\n shrinker_debugfs_scan_write+0x2b4/0x500\n full_proxy_write+0xd4/0x140\n vfs_write+0x1ac/0x758\n ksys_write+0xf0/0x1dc\n __arm64_sys_write+0x6c/0x9c\n\n Allocated by task 492:\n kmem_cache_alloc+0x130/0x368\n vm_area_alloc+0x2c/0x190\n mmap_region+0x258/0x18bc\n do_mmap+0x694/0xa60\n vm_mmap_pgoff+0x170/0x29c\n ksys_mmap_pgoff+0x290/0x3a0\n __arm64_sys_mmap+0xcc/0x144\n\n Freed by task 491:\n kmem_cache_free+0x17c/0x3c8\n vm_area_free_rcu_cb+0x74/0x98\n rcu_core+0xa38/0x26d4\n rcu_core_si+0x10/0x1c\n __do_softirq+0x2fc/0xd24\n\n Last potentially related work creation:\n __call_rcu_common.constprop.0+0x6c/0xba0\n call_rcu+0x10/0x1c\n vm_area_free+0x18/0x24\n remove_vma+0xe4/0x118\n do_vmi_align_munmap.isra.0+0x718/0xb5c\n do_vmi_munmap+0xdc/0x1fc\n __vm_munmap+0x10c/0x278\n __arm64_sys_munmap+0x58/0x7c\n\nFix this issue by performing instead a vma_lookup() which will fail to\nfind the vma that was isolated before the mmap lock downgrade. Note that\nthis option has better performance than upgrading to a mmap write lock\nwhich would increase contention. Plus, mmap_write_trylock() has been\nrecently removed anyway.",
"id": "GHSA-25g3-q597-79m8",
"modified": "2024-06-25T21:31:10Z",
"published": "2024-02-20T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52438"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51332d906"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25GQ-3QMX-682C
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:04libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.
{
"affected": [],
"aliases": [
"CVE-2019-11471"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-23T14:29:00Z",
"severity": "HIGH"
},
"details": "libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_alpha_channel in heif_context.h because heif_context.cc mishandles references to non-existing alpha images.",
"id": "GHSA-25gq-3qmx-682c",
"modified": "2024-04-04T00:04:16Z",
"published": "2022-05-24T16:44:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11471"
},
{
"type": "WEB",
"url": "https://github.com/strukturag/libheif/issues/123"
},
{
"type": "WEB",
"url": "https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25GR-PH8W-33HC
Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2024-10-21 15:32Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation.
{
"affected": [],
"aliases": [
"CVE-2016-5277"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-22T22:59:00Z",
"severity": "CRITICAL"
},
"details": "Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird \u003c 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation.",
"id": "GHSA-25gr-ph8w-33hc",
"modified": "2024-10-21T15:32:16Z",
"published": "2022-05-14T03:19:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5277"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1291665"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-86"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-88"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1912.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3674"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2016/mfsa2016-85.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93049"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036852"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25HR-298P-F2JG
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33In the Linux kernel, the following vulnerability has been resolved:
net/mana: Null service_wq on setup error to prevent double destroy
In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup.
{
"affected": [],
"aliases": [
"CVE-2026-43440"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:56Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mana: Null service_wq on setup error to prevent double destroy\n\nIn mana_gd_setup() error path, set gc-\u003eservice_wq to NULL after\ndestroy_workqueue() to match the cleanup in mana_gd_cleanup().\nThis prevents a use-after-free if the workqueue pointer is checked\nafter a failed setup.",
"id": "GHSA-25hr-298p-f2jg",
"modified": "2026-05-21T18:33:06Z",
"published": "2026-05-08T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43440"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59489ce60d7412ed82fb1d8002faa3102dcd4916"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c92392602b451e3869f15ab685f8f650e942b13"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87c2302813abc55c46485711a678e3c312b00666"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25J6-496G-X28F
Vulnerability from github – Published: 2023-06-12 15:30 – Updated: 2024-04-04 04:43NanoMQ 0.16.5 is vulnerable to heap-use-after-free in the nano_ctx_send function of nmq_mqtt.c.
{
"affected": [],
"aliases": [
"CVE-2023-34494"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-12T14:15:19Z",
"severity": "HIGH"
},
"details": "NanoMQ 0.16.5 is vulnerable to heap-use-after-free in the nano_ctx_send function of nmq_mqtt.c.",
"id": "GHSA-25j6-496g-x28f",
"modified": "2024-04-04T04:43:24Z",
"published": "2023-06-12T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34494"
},
{
"type": "WEB",
"url": "https://github.com/emqx/nanomq/issues/1180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25JW-M5XF-QHRJ
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2025-04-20 03:49ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.
{
"affected": [],
"aliases": [
"CVE-2017-17499"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-11T02:29:00Z",
"severity": "CRITICAL"
},
"details": "ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.",
"id": "GHSA-25jw-m5xf-qhrj",
"modified": "2025-04-20T03:49:44Z",
"published": "2022-05-13T01:14:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17499"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c617007282eee3fe1cc"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996c13f24c45a"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4074"
},
{
"type": "WEB",
"url": "https://www.imagemagick.org/discourse-server/viewtopic.php?f=3\u0026t=33078\u0026sid=5fbb164c3830293138917f9b14264ed1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102155"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25JW-V9RV-H6H9
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA resolveNodes method of Button elements. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5528.
{
"affected": [],
"aliases": [
"CVE-2018-9953"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-17T15:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA resolveNodes method of Button elements. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5528.",
"id": "GHSA-25jw-v9rv-h6h9",
"modified": "2022-05-13T01:31:39Z",
"published": "2022-05-13T01:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9953"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-18-337"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25W9-JC8C-RX9W
Vulnerability from github – Published: 2022-11-22 15:30 – Updated: 2022-11-23 21:30Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679
{
"affected": [],
"aliases": [
"CVE-2022-3910"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-22T13:15:00Z",
"severity": "HIGH"
},
"details": "Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads to Use-After-Free and Local Privilege Escalation. When io_msg_ring was invoked with a fixed file, it called io_fput_file() which improperly decreased its reference count (leading to Use-After-Free and Local Privilege Escalation). Fixed files are permanently registered to the ring, and should not be put separately. We recommend upgrading past commit https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679 https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679",
"id": "GHSA-25w9-jc8c-rx9w",
"modified": "2022-11-23T21:30:33Z",
"published": "2022-11-22T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3910"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/fc7222c3a9f56271fba02aabbfbae999042f1679"
},
{
"type": "WEB",
"url": "https://kernel.dance/#fc7222c3a9f56271fba02aabbfbae999042f1679"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25X5-G59V-H6M3
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.1.6871. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the app.execMenuItem function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4723.
{
"affected": [],
"aliases": [
"CVE-2017-10948"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-31T19:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.1.6871. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the app.execMenuItem function. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4723.",
"id": "GHSA-25x5-g59v-h6m3",
"modified": "2022-05-13T01:38:20Z",
"published": "2022-05-13T01:38:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10948"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-461"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101670"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-25X9-7WCV-MF35
Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
may be schedule, and then complete before the line
ndev->stats.tx_bytes += skb->len;
[ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dump_backtrace+0x0/0x2b8 [ 46.960719] show_stack+0x24/0x30 [ 46.964052] dump_stack+0x128/0x194 [ 46.967557] print_address_description.isra.0+0x64/0x380 [ 46.972877] __kasan_report+0x1d4/0x240 [ 46.976723] kasan_report+0xc/0x18 [ 46.980138] __asan_report_load4_noabort+0x18/0x20 [ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 [ 46.994894] sch_direct_xmit+0x198/0xd08 [ 46.998827] __qdisc_run+0x37c/0x1dc0 [ 47.002500] __dev_queue_xmit+0x1528/0x21f8 [ 47.006692] dev_queue_xmit+0x24/0x30 [ 47.010366] neigh_resolve_output+0x37c/0x678 [ 47.014734] ip_finish_output2+0x598/0x2458 [ 47.018927] __ip_finish_output+0x300/0x730 [ 47.023118] ip_output+0x2e0/0x430 [ 47.026530] ip_local_out+0x90/0x140 [ 47.030117] igmpv3_sendpack+0x14c/0x228 [ 47.034049] igmpv3_send_cr+0x384/0x6b8 [ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 [ 47.042262] call_timer_fn+0x1cc/0xbe8 [ 47.046021] __run_timers+0x4d8/0xb28 [ 47.049693] run_timer_softirq+0x24/0x40 [ 47.053626] __do_softirq+0x2c0/0x117c [ 47.057387] irq_exit+0x2dc/0x388 [ 47.060715] __handle_domain_irq+0xb4/0x158 [ 47.064908] gic_handle_irq+0x58/0xb0 [ 47.068581] el0_irq_naked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] save_stack+0x24/0xb0 [ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasan_slab_alloc+0x14/0x20 [ 47.088622] kmem_cache_alloc+0x15c/0x468 [ 47.092643] __alloc_skb+0xa4/0x498 [ 47.096142] igmpv3_newpack+0x158/0xd78 [ 47.099987] add_grhead+0x210/0x288 [ 47.103485] add_grec+0x6b0/0xb70 [ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 [ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 [ 47.115027] call_timer_fn+0x1cc/0xbe8 [ 47.118785] __run_timers+0x4d8/0xb28 [ 47.122457] run_timer_softirq+0x24/0x40 [ 47.126389] __do_softirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] save_stack+0x24/0xb0 [ 47.138041] __kasan_slab_free+0x108/0x180 [ 47.142146] kasan_slab_free+0x10/0x18 [ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 [ 47.150444] kmem_cache_free+0x8c/0x528 [ 47.154292] kfree_skbmem+0x94/0x108 [ 47.157880] consume_skb+0x10c/0x5a8 [ 47.161466] __dev_kfree_skb_any+0x88/0xa0 [ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] [ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] [ 47.197859] process_one_work+0x7fc/0x1a80 [ 47.201965] worker_thread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] ret_from_fork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuff_head_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] page:ffffffff00dd6200 refcount:1 mapcou ---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-50408"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:44Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()\n\n\u003e ret = brcmf_proto_tx_queue_data(drvr, ifp-\u003eifidx, skb);\n\nmay be schedule, and then complete before the line\n\n\u003e ndev-\u003estats.tx_bytes += skb-\u003elen;\n\n[ 46.912801] ==================================================================\n[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328\n[ 46.935991]\n[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1\n[ 46.947255] Hardware name: [REDACTED]\n[ 46.954568] Call trace:\n[ 46.957037] dump_backtrace+0x0/0x2b8\n[ 46.960719] show_stack+0x24/0x30\n[ 46.964052] dump_stack+0x128/0x194\n[ 46.967557] print_address_description.isra.0+0x64/0x380\n[ 46.972877] __kasan_report+0x1d4/0x240\n[ 46.976723] kasan_report+0xc/0x18\n[ 46.980138] __asan_report_load4_noabort+0x18/0x20\n[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]\n[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0\n[ 46.994894] sch_direct_xmit+0x198/0xd08\n[ 46.998827] __qdisc_run+0x37c/0x1dc0\n[ 47.002500] __dev_queue_xmit+0x1528/0x21f8\n[ 47.006692] dev_queue_xmit+0x24/0x30\n[ 47.010366] neigh_resolve_output+0x37c/0x678\n[ 47.014734] ip_finish_output2+0x598/0x2458\n[ 47.018927] __ip_finish_output+0x300/0x730\n[ 47.023118] ip_output+0x2e0/0x430\n[ 47.026530] ip_local_out+0x90/0x140\n[ 47.030117] igmpv3_sendpack+0x14c/0x228\n[ 47.034049] igmpv3_send_cr+0x384/0x6b8\n[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118\n[ 47.042262] call_timer_fn+0x1cc/0xbe8\n[ 47.046021] __run_timers+0x4d8/0xb28\n[ 47.049693] run_timer_softirq+0x24/0x40\n[ 47.053626] __do_softirq+0x2c0/0x117c\n[ 47.057387] irq_exit+0x2dc/0x388\n[ 47.060715] __handle_domain_irq+0xb4/0x158\n[ 47.064908] gic_handle_irq+0x58/0xb0\n[ 47.068581] el0_irq_naked+0x50/0x5c\n[ 47.072162]\n[ 47.073665] Allocated by task 328:\n[ 47.077083] save_stack+0x24/0xb0\n[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0\n[ 47.084776] kasan_slab_alloc+0x14/0x20\n[ 47.088622] kmem_cache_alloc+0x15c/0x468\n[ 47.092643] __alloc_skb+0xa4/0x498\n[ 47.096142] igmpv3_newpack+0x158/0xd78\n[ 47.099987] add_grhead+0x210/0x288\n[ 47.103485] add_grec+0x6b0/0xb70\n[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8\n[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118\n[ 47.115027] call_timer_fn+0x1cc/0xbe8\n[ 47.118785] __run_timers+0x4d8/0xb28\n[ 47.122457] run_timer_softirq+0x24/0x40\n[ 47.126389] __do_softirq+0x2c0/0x117c\n[ 47.130142]\n[ 47.131643] Freed by task 180:\n[ 47.134712] save_stack+0x24/0xb0\n[ 47.138041] __kasan_slab_free+0x108/0x180\n[ 47.142146] kasan_slab_free+0x10/0x18\n[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0\n[ 47.150444] kmem_cache_free+0x8c/0x528\n[ 47.154292] kfree_skbmem+0x94/0x108\n[ 47.157880] consume_skb+0x10c/0x5a8\n[ 47.161466] __dev_kfree_skb_any+0x88/0xa0\n[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]\n[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac]\n[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]\n[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]\n[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]\n[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]\n[ 47.197859] process_one_work+0x7fc/0x1a80\n[ 47.201965] worker_thread+0x31c/0xc40\n[ 47.205726] kthread+0x2d8/0x370\n[ 47.208967] ret_from_fork+0x10/0x18\n[ 47.212546]\n[ 47.214051] The buggy address belongs to the object at ffffff803f588280\n[ 47.214051] which belongs to the cache skbuff_head_cache of size 208\n[ 47.227086] The buggy address is located 104 bytes inside of\n[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350)\n[ 47.238814] The buggy address belongs to the page:\n[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcou\n---truncated---",
"id": "GHSA-25x9-7wcv-mf35",
"modified": "2025-12-11T15:30:30Z",
"published": "2025-09-18T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50408"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1613a7b24f1a7467cb727ba3ec77c9a808383560"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/232d59eca07f6ea27307022a33d226aff373bd02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/27574a3f421c3a1694d0207f37c6bbf23d66978e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f42faf6db431e04bf942d2ebe3ae88975723478"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/49c742afd60f552fce7799287080db02bffe1db2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c369836cff98d3877f98c98e15c0151462812d96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d79f4d903e14dde822c60b5fd3bedc5a289d25df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e01d96494a9de0f48b1167f0494f6d929fa773ed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.