CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-2CMM-M4C8-C4WP
Vulnerability from github – Published: 2024-02-05 18:31 – Updated: 2024-02-08 00:32Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the response_append_status_line function at /lotos/src/response.c.
{
"affected": [],
"aliases": [
"CVE-2024-24263"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T18:15:52Z",
"severity": "HIGH"
},
"details": "Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the response_append_status_line function at /lotos/src/response.c.",
"id": "GHSA-2cmm-m4c8-c4wp",
"modified": "2024-02-08T00:32:19Z",
"published": "2024-02-05T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24263"
},
{
"type": "WEB",
"url": "https://github.com/LuMingYinDetect/lotos_detects/blob/main/lotos_detect_1.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2CR6-RMV6-PCFM
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a use-after-free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-28635"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a use-after-free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-2cr6-rmv6-pcfm",
"modified": "2022-05-24T19:11:46Z",
"published": "2022-05-24T19:11:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28635"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-51.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2CVQ-G96P-GGFW
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-07 01:05Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-7898"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T19:16:38Z",
"severity": "HIGH"
},
"details": "Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)",
"id": "GHSA-2cvq-g96p-ggfw",
"modified": "2026-05-07T01:05:49Z",
"published": "2026-05-06T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7898"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/504587882"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2CW7-HWW6-H37W
Vulnerability from github – Published: 2025-08-13 03:30 – Updated: 2025-08-13 21:30Use after free in Aura in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2025-8882"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T03:15:39Z",
"severity": "HIGH"
},
"details": "Use after free in Aura in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-2cw7-hww6-h37w",
"modified": "2025-08-13T21:30:26Z",
"published": "2025-08-13T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8882"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/435623339"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2CW7-V8FF-P88R
Vulnerability from github – Published: 2026-06-19 19:34 – Updated: 2026-06-19 19:34Summary
Disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free.
Version
- Software: oj gem
- Affected: all versions with
ext/oj/usual.c - Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/usual.c, opt_symbol_keys_set:
// usual.c:1043–1051
if (symbol_keys) {
d->key_cache = cache_create(...); // allocate
} else {
cache_free(d->key_cache); // free — but d->key_cache pointer not NULLed
}
On the next parse call, cache_key → cache_intern reads from d->key_cache which now points to freed memory.
ASAN report:
==145265==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b00001a318
READ of size 8 at 0x50b00001a318 thread T0
#0 cache_intern /ext/oj/cache.c:328
#1 cache_key /ext/oj/usual.c:161
#2 close_object /ext/oj/usual.c:285
#3 parse /ext/oj/parser.c:693
#4 parser_parse /ext/oj/parser.c:1408
freed by thread T0 here:
#0 free
#1 cache_free /ext/oj/cache.c:277
#2 opt_symbol_keys_set /ext/oj/usual.c:1051
#3 option /ext/oj/usual.c:1111
#4 parser_missing /ext/oj/parser.c:1362
0x50b00001a318 is 40 bytes inside freed 112-byte region [fd]fd fd fd fd fd fd fd
Reproduce
require 'oj'
p = Oj::Parser.new(:usual, symbol_keys: true)
p.symbol_keys = false # frees cache without nulling pointer
p.parse('{"attacker":1}') # UAF: reads freed cache
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.17.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "oj"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.17.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54899"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T19:34:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nDisabling `symbol_keys` on a reused `Oj::Parser` instance triggers a heap use-after-free. When `symbol_keys` is toggled from `true` to `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next `parse` call reads from the freed cache via `cache_intern`, producing a use-after-free.\n\n### Version\n\n- **Software**: oj gem\n- **Affected**: all versions with `ext/oj/usual.c`\n- **Latest tested**: 3.17.1 (confirmed present)\n\n### Details\n\n`ext/oj/usual.c`, `opt_symbol_keys_set`:\n\n```c\n// usual.c:1043\u20131051\nif (symbol_keys) {\n d-\u003ekey_cache = cache_create(...); // allocate\n} else {\n cache_free(d-\u003ekey_cache); // free \u2014 but d-\u003ekey_cache pointer not NULLed\n}\n```\n\nOn the next parse call, `cache_key` \u2192 `cache_intern` reads from `d-\u003ekey_cache` which now points to freed memory.\n\nASAN report:\n```\n==145265==ERROR: AddressSanitizer: heap-use-after-free on address 0x50b00001a318\nREAD of size 8 at 0x50b00001a318 thread T0\n #0 cache_intern /ext/oj/cache.c:328\n #1 cache_key /ext/oj/usual.c:161\n #2 close_object /ext/oj/usual.c:285\n #3 parse /ext/oj/parser.c:693\n #4 parser_parse /ext/oj/parser.c:1408\nfreed by thread T0 here:\n #0 free\n #1 cache_free /ext/oj/cache.c:277\n #2 opt_symbol_keys_set /ext/oj/usual.c:1051\n #3 option /ext/oj/usual.c:1111\n #4 parser_missing /ext/oj/parser.c:1362\n0x50b00001a318 is 40 bytes inside freed 112-byte region [fd]fd fd fd fd fd fd fd\n```\n\n### Reproduce\n\n```ruby\nrequire \u0027oj\u0027\np = Oj::Parser.new(:usual, symbol_keys: true)\np.symbol_keys = false # frees cache without nulling pointer\np.parse(\u0027{\"attacker\":1}\u0027) # UAF: reads freed cache\n```",
"id": "GHSA-2cw7-v8ff-p88r",
"modified": "2026-06-19T19:34:30Z",
"published": "2026-06-19T19:34:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r"
},
{
"type": "PACKAGE",
"url": "https://github.com/ohler55/oj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle"
}
GHSA-2CWM-Q27V-2MV8
Vulnerability from github – Published: 2022-05-14 03:55 – Updated: 2022-05-14 03:55The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.
{
"affected": [],
"aliases": [
"CVE-2016-6828"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-16T21:59:00Z",
"severity": "MODERATE"
},
"details": "The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.",
"id": "GHSA-2cwm-q27v-2mv8",
"modified": "2022-05-14T03:55:56Z",
"published": "2022-05-14T03:55:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6828"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/bb1fceca22492109be12640d49f5ea5a544c6bb4"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0036"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0113"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2016-6828"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1367091"
},
{
"type": "WEB",
"url": "https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2016-11-01.html"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb1fceca22492109be12640d49f5ea5a544c6bb4"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0036.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0086.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0091.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0113.html"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/08/15/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92452"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F37-6R53-RGXP
Vulnerability from github – Published: 2026-03-24 03:31 – Updated: 2026-03-24 03:31Use after free in WebGPU in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-4678"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T01:17:03Z",
"severity": "HIGH"
},
"details": "Use after free in WebGPU in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-2f37-6r53-rgxp",
"modified": "2026-03-24T03:31:19Z",
"published": "2026-03-24T03:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4678"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_23.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/491164019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F42-MJ3M-XHVX
Vulnerability from github – Published: 2024-10-03 18:30 – Updated: 2024-10-03 18:30NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in the nvdisam command line tool, where a user can cause nvdisasm to read freed memory by running it on a malformed ELF file. A successful exploit of this vulnerability might lead to a limited denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-0124"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-03T17:15:14Z",
"severity": "LOW"
},
"details": "NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in the nvdisam command line tool, where a user can cause nvdisasm to read freed memory by running it on a malformed ELF file. A successful exploit of this vulnerability might lead to a limited denial of service.",
"id": "GHSA-2f42-mj3m-xhvx",
"modified": "2024-10-03T18:30:36Z",
"published": "2024-10-03T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0124"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5577"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2F46-P5X2-58VV
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-10906"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:52Z",
"severity": "HIGH"
},
"details": "Use after free in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-2f46-p5x2-58vv",
"modified": "2026-06-05T03:31:30Z",
"published": "2026-06-05T00:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10906"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/503420438"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F4Q-FP76-VH93
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the vAlign property of a TimeField. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6482.
{
"affected": [],
"aliases": [
"CVE-2018-17645"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-24T04:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the vAlign property of a TimeField. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6482.",
"id": "GHSA-2f4q-fp76-vh93",
"modified": "2022-05-13T01:33:58Z",
"published": "2022-05-13T01:33:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17645"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1152"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.