CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-2789-CV5Q-PWGX
Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-16 00:00A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2022-1998"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-09T15:15:00Z",
"severity": "HIGH"
},
"details": "A use after free in the Linux kernel File System notify functionality was found in the way user triggers copy_info_records_to_user() call to fail in copy_event_to_user(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"id": "GHSA-2789-cv5q-pwgx",
"modified": "2022-06-16T00:00:22Z",
"published": "2022-06-10T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1998"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/notify/fanotify/fanotify_user.c?h=v5.17\u0026id=ee12595147ac1fbfb5bcb23837e26dd58d94b15d"
},
{
"type": "WEB",
"url": "https://seclists.org/oss-sec/2022/q1/99"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220707-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-278Q-X23R-MW73
Vulnerability from github – Published: 2022-05-14 02:10 – Updated: 2022-05-14 02:10Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to visibility events.
{
"affected": [],
"aliases": [
"CVE-2012-5139"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-12-12T11:38:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to visibility events.",
"id": "GHSA-278q-x23r-mw73",
"modified": "2022-05-14T02:10:57Z",
"published": "2022-05-14T02:10:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5139"
},
{
"type": "WEB",
"url": "https://code.google.com/p/chromium/issues/detail?id=158204"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16064"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2012/12/stable-channel-update.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00073.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-27CC-FVV7-2RH9
Vulnerability from github – Published: 2025-01-08 18:30 – Updated: 2025-01-10 21:31In the Linux kernel, the following vulnerability has been resolved:
bpf: put bpf_link's program when link is safe to be deallocated
In general, BPF link's underlying BPF program should be considered to be reachable through attach hook -> link -> prog chain, and, pessimistically, we have to assume that as long as link's memory is not safe to free, attach hook's code might hold a pointer to BPF program and use it.
As such, it's not (generally) correct to put link's program early before waiting for RCU GPs to go through. More eager bpf_prog_put() that we currently do is mostly correct due to BPF program's release code doing similar RCU GP waiting, but as will be shown in the following patches, BPF program can be non-sleepable (and, thus, reliant on only "classic" RCU GP), while BPF link's attach hook can have sleepable semantics and needs to be protected by RCU Tasks Trace, and for such cases BPF link has to go through RCU Tasks Trace + "classic" RCU GPs before being deallocated. And so, if we put BPF program early, we might free BPF program before we free BPF link, leading to use-after-free situation.
So, this patch defers bpf_prog_put() until we are ready to perform bpf_link's deallocation. At worst, this delays BPF program freeing by one extra RCU GP, but that seems completely acceptable. Alternatively, we'd need more elaborate ways to determine BPF hook, BPF link, and BPF program lifetimes, and how they relate to each other, which seems like an unnecessary complication.
Note, for most BPF links we still will perform eager bpf_prog_put() and link dealloc, so for those BPF links there are no observable changes whatsoever. Only BPF links that use deferred dealloc might notice slightly delayed freeing of BPF programs.
Also, to reduce code and logic duplication, extract program put + link dealloc logic into bpf_link_dealloc() helper.
{
"affected": [],
"aliases": [
"CVE-2024-56786"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T18:15:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: put bpf_link\u0027s program when link is safe to be deallocated\n\nIn general, BPF link\u0027s underlying BPF program should be considered to be\nreachable through attach hook -\u003e link -\u003e prog chain, and, pessimistically,\nwe have to assume that as long as link\u0027s memory is not safe to free,\nattach hook\u0027s code might hold a pointer to BPF program and use it.\n\nAs such, it\u0027s not (generally) correct to put link\u0027s program early before\nwaiting for RCU GPs to go through. More eager bpf_prog_put() that we\ncurrently do is mostly correct due to BPF program\u0027s release code doing\nsimilar RCU GP waiting, but as will be shown in the following patches,\nBPF program can be non-sleepable (and, thus, reliant on only \"classic\"\nRCU GP), while BPF link\u0027s attach hook can have sleepable semantics and\nneeds to be protected by RCU Tasks Trace, and for such cases BPF link\nhas to go through RCU Tasks Trace + \"classic\" RCU GPs before being\ndeallocated. And so, if we put BPF program early, we might free BPF\nprogram before we free BPF link, leading to use-after-free situation.\n\nSo, this patch defers bpf_prog_put() until we are ready to perform\nbpf_link\u0027s deallocation. At worst, this delays BPF program freeing by\none extra RCU GP, but that seems completely acceptable. Alternatively,\nwe\u0027d need more elaborate ways to determine BPF hook, BPF link, and BPF\nprogram lifetimes, and how they relate to each other, which seems like\nan unnecessary complication.\n\nNote, for most BPF links we still will perform eager bpf_prog_put() and\nlink dealloc, so for those BPF links there are no observable changes\nwhatsoever. Only BPF links that use deferred dealloc might notice\nslightly delayed freeing of BPF programs.\n\nAlso, to reduce code and logic duplication, extract program put + link\ndealloc logic into bpf_link_dealloc() helper.",
"id": "GHSA-27cc-fvv7-2rh9",
"modified": "2025-01-10T21:31:27Z",
"published": "2025-01-08T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56786"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2fcb921c2799c49ac5e365cf4110f94a64ae4885"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5fe23c57abadfd46a7a66e81f3536e4757252a0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f44ec8733a8469143fde1984b5e6931b2e2f6f3f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27H4-GXF8-4GG7
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2023-01-24 15:30Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2017-3002"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-14T16:59:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable use after free vulnerability in the ActionScript2 TextField object related to the variable property. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-27h4-gxf8-4gg7",
"modified": "2023-01-24T15:30:22Z",
"published": "2022-05-14T03:54:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3002"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb17-07.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201703-02"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0526.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96861"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27H4-QJQ2-62V3
Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2025-11-25 18:32A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 52.6 and Firefox < 58.
{
"affected": [],
"aliases": [
"CVE-2018-5091"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability can occur during WebRTC connections when interacting with the DTMF timers. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR \u003c 52.6 and Firefox \u003c 58.",
"id": "GHSA-27h4-qjq2-62v3",
"modified": "2025-11-25T18:32:11Z",
"published": "2022-05-14T03:08:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0122"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1423086"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00030.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3544-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4096"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4102"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-02"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-03"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102783"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27J8-6Q5H-M6JX
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-21 18:33In the Linux kernel, the following vulnerability has been resolved:
serial: caif: hold tty->link reference in ldisc_open and ser_release
A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in my testing.
{
"affected": [],
"aliases": [
"CVE-2026-43458"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:58Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: caif: hold tty-\u003elink reference in ldisc_open and ser_release\n\nA reproducer triggers a KASAN slab-use-after-free in pty_write_room()\nwhen caif_serial\u0027s TX path calls tty_write_room(). The faulting access\nis on tty-\u003elink-\u003eport.\n\nHold an extra kref on tty-\u003elink for the lifetime of the caif_serial line\ndiscipline: get it in ldisc_open() and drop it in ser_release(), and\nalso drop it on the ldisc_open() error path.\n\nWith this change applied, the reproducer no longer triggers the UAF in\nmy testing.",
"id": "GHSA-27j8-6q5h-m6jx",
"modified": "2026-05-21T18:33:06Z",
"published": "2026-05-08T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43458"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-27P7-3J3G-V9WC
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesValues function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2012-1976"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-08-29T10:56:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesValues function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.",
"id": "GHSA-27p7-3j3g-v9wc",
"modified": "2022-05-13T01:18:02Z",
"published": "2022-05-13T01:18:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1976"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=776213"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16818"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00028.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00011.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00014.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1210.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1211.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2553"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2554"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2556"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2012/mfsa2012-58.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/55319"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1548-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1548-2"
},
{
"type": "WEB",
"url": "http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-27RJ-CHMQ-RH6R
Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used.
qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF.
This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs:
iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done
With KASAN enabled, this leads to reports like:
BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ...
Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ...
Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ...
Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue().
Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
{
"affected": [],
"aliases": [
"CVE-2026-23340"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T11:16:31Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs\n\nWhen shrinking the number of real tx queues,\nnetif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush\nqdiscs for queues which will no longer be used.\n\nqdisc_reset_all_tx_gt() currently serializes qdisc_reset() with\nqdisc_lock(). However, for lockless qdiscs, the dequeue path is\nserialized by qdisc_run_begin/end() using qdisc-\u003eseqlock instead, so\nqdisc_reset() can run concurrently with __qdisc_run() and free skbs\nwhile they are still being dequeued, leading to UAF.\n\nThis can easily be reproduced on e.g. virtio-net by imposing heavy\ntraffic while frequently changing the number of queue pairs:\n\n iperf3 -ub0 -c $peer -t 0 \u0026\n while :; do\n ethtool -L eth0 combined 1\n ethtool -L eth0 combined 2\n done\n\nWith KASAN enabled, this leads to reports like:\n\n BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760\n ...\n Call Trace:\n \u003cTASK\u003e\n ...\n __qdisc_run+0x133f/0x1760\n __dev_queue_xmit+0x248f/0x3550\n ip_finish_output2+0xa42/0x2110\n ip_output+0x1a7/0x410\n ip_send_skb+0x2e6/0x480\n udp_send_skb+0xb0a/0x1590\n udp_sendmsg+0x13c9/0x1fc0\n ...\n \u003c/TASK\u003e\n\n Allocated by task 1270 on cpu 5 at 44.558414s:\n ...\n alloc_skb_with_frags+0x84/0x7c0\n sock_alloc_send_pskb+0x69a/0x830\n __ip_append_data+0x1b86/0x48c0\n ip_make_skb+0x1e8/0x2b0\n udp_sendmsg+0x13a6/0x1fc0\n ...\n\n Freed by task 1306 on cpu 3 at 44.558445s:\n ...\n kmem_cache_free+0x117/0x5e0\n pfifo_fast_reset+0x14d/0x580\n qdisc_reset+0x9e/0x5f0\n netif_set_real_num_tx_queues+0x303/0x840\n virtnet_set_channels+0x1bf/0x260 [virtio_net]\n ethnl_set_channels+0x684/0xae0\n ethnl_default_set_doit+0x31a/0x890\n ...\n\nSerialize qdisc_reset_all_tx_gt() against the lockless dequeue path by\ntaking qdisc-\u003eseqlock for TCQ_F_NOLOCK qdiscs, matching the\nserialization model already used by dev_reset_queue().\n\nAdditionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state\nreflects an empty queue, avoiding needless re-scheduling.",
"id": "GHSA-27rj-chmq-rh6r",
"modified": "2026-07-14T15:31:41Z",
"published": "2026-03-25T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23340"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5bb27ad54d12de67e457d7d251198e361bef835e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5bc4e69306ed7ae02232eb4c0b23ed621a26d504"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7594467c49bfc2f4644dee0415ac2290db11fa0d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f083faf59d14c04e01ec05a7507f036c965acf8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8314944cc3bdeaa5a73e6f8a8cf0d94822e625cb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c69df4e0524f8de8e176ba389acd83e85f5f49d0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbd58b0730aa06ab6ad26079cf9a5b6b58e7e750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-282G-W5FH-9Q49
Vulnerability from github – Published: 2026-06-09 00:33 – Updated: 2026-06-09 03:31Use after free in WebCodecs in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-11683"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T00:16:51Z",
"severity": "HIGH"
},
"details": "Use after free in WebCodecs in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-282g-w5fh-9q49",
"modified": "2026-06-09T03:31:39Z",
"published": "2026-06-09T00:33:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11683"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/517129549"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-282H-VFC3-82H7
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31Use after free in QUIC in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-13799"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:16:54Z",
"severity": "HIGH"
},
"details": "Use after free in QUIC in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)",
"id": "GHSA-282h-vfc3-82h7",
"modified": "2026-07-01T18:31:27Z",
"published": "2026-07-01T00:34:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13799"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/499252371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.