CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-2F5F-6JGG-M49Q
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-45653"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:32Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-2f5f-6jgg-m49q",
"modified": "2026-06-09T18:30:53Z",
"published": "2026-06-09T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45653"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F6P-9573-FP98
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
When l2cap_recv_frame() is invoked to receive data, and the cid is L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. However, after a channel is created, the hold operation of the channel is not performed. In this case, the value of channel reference counting is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del() invokes the close hook function of A2MP to release the channel. Then l2cap_chan_unlock(chan) will trigger UAF issue.
The process is as follows: Receive data: l2cap_data_channel() a2mp_channel_create() --->channel ref is 2 l2cap_chan_put() --->channel ref is 1
Triger event: hci_error_reset() hci_dev_do_close() ... l2cap_disconn_cfm() l2cap_conn_del() l2cap_chan_hold() --->channel ref is 2 l2cap_chan_del() --->channel ref is 1 a2mp_chan_close_cb() --->channel ref is 0, release channel l2cap_chan_unlock() --->UAF of channel
The detailed Call Trace is as follows: BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0 Read of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593 Workqueue: hci0 hci_error_reset Call Trace: dump_stack_lvl+0xcd/0x134 print_report.cold+0x2ba/0x719 kasan_report+0xb1/0x1e0 kasan_check_range+0x140/0x190 __mutex_unlock_slowpath+0xa6/0x5e0 l2cap_conn_del+0x404/0x7b0 l2cap_disconn_cfm+0x8c/0xc0 hci_conn_hash_flush+0x11f/0x260 hci_dev_close_sync+0x5f5/0x11f0 hci_dev_do_close+0x2d/0x70 hci_error_reset+0x9e/0x140 process_one_work+0x98a/0x1620 worker_thread+0x665/0x1080 kthread+0x2e4/0x3a0 ret_from_fork+0x1f/0x30
Allocated by task 7593: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0xa9/0xd0 l2cap_chan_create+0x40/0x930 amp_mgr_create+0x96/0x990 a2mp_channel_create+0x7d/0x150 l2cap_recv_frame+0x51b8/0x9a70 l2cap_recv_acldata+0xaa3/0xc00 hci_rx_work+0x702/0x1220 process_one_work+0x98a/0x1620 worker_thread+0x665/0x1080 kthread+0x2e4/0x3a0 ret_from_fork+0x1f/0x30
Freed by task 7593: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 ____kasan_slab_free+0x167/0x1c0 slab_free_freelist_hook+0x89/0x1c0 kfree+0xe2/0x580 l2cap_chan_put+0x22a/0x2d0 l2cap_conn_del+0x3fc/0x7b0 l2cap_disconn_cfm+0x8c/0xc0 hci_conn_hash_flush+0x11f/0x260 hci_dev_close_sync+0x5f5/0x11f0 hci_dev_do_close+0x2d/0x70 hci_error_reset+0x9e/0x140 process_one_work+0x98a/0x1620 worker_thread+0x665/0x1080 kthread+0x2e4/0x3a0 ret_from_fork+0x1f/0x30
Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0xbe/0xd0 call_rcu+0x99/0x740 netlink_release+0xe6a/0x1cf0 __sock_release+0xcd/0x280 sock_close+0x18/0x20 __fput+0x27c/0xa90 task_work_run+0xdd/0x1a0 exit_to_user_mode_prepare+0x23c/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0xbe/0xd0 call_rcu+0x99/0x740 netlink_release+0xe6a/0x1cf0 __sock_release+0xcd/0x280 sock_close+0x18/0x20 __fput+0x27c/0xa90 task_work_run+0xdd/0x1a0 exit_to_user_mode_prepare+0x23c/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
{
"affected": [],
"aliases": [
"CVE-2022-49909"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:16Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: fix use-after-free in l2cap_conn_del()\n\nWhen l2cap_recv_frame() is invoked to receive data, and the cid is\nL2CAP_CID_A2MP, if the channel does not exist, it will create a channel.\nHowever, after a channel is created, the hold operation of the channel\nis not performed. In this case, the value of channel reference counting\nis 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del()\ninvokes the close hook function of A2MP to release the channel. Then\n l2cap_chan_unlock(chan) will trigger UAF issue.\n\nThe process is as follows:\nReceive data:\nl2cap_data_channel()\n a2mp_channel_create() ---\u003echannel ref is 2\n l2cap_chan_put() ---\u003echannel ref is 1\n\nTriger event:\n hci_error_reset()\n hci_dev_do_close()\n ...\n l2cap_disconn_cfm()\n l2cap_conn_del()\n l2cap_chan_hold() ---\u003echannel ref is 2\n l2cap_chan_del() ---\u003echannel ref is 1\n a2mp_chan_close_cb() ---\u003echannel ref is 0, release channel\n l2cap_chan_unlock() ---\u003eUAF of channel\n\nThe detailed Call Trace is as follows:\nBUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0\nRead of size 8 at addr ffff8880160664b8 by task kworker/u11:1/7593\nWorkqueue: hci0 hci_error_reset\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xcd/0x134\n print_report.cold+0x2ba/0x719\n kasan_report+0xb1/0x1e0\n kasan_check_range+0x140/0x190\n __mutex_unlock_slowpath+0xa6/0x5e0\n l2cap_conn_del+0x404/0x7b0\n l2cap_disconn_cfm+0x8c/0xc0\n hci_conn_hash_flush+0x11f/0x260\n hci_dev_close_sync+0x5f5/0x11f0\n hci_dev_do_close+0x2d/0x70\n hci_error_reset+0x9e/0x140\n process_one_work+0x98a/0x1620\n worker_thread+0x665/0x1080\n kthread+0x2e4/0x3a0\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n\nAllocated by task 7593:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0xa9/0xd0\n l2cap_chan_create+0x40/0x930\n amp_mgr_create+0x96/0x990\n a2mp_channel_create+0x7d/0x150\n l2cap_recv_frame+0x51b8/0x9a70\n l2cap_recv_acldata+0xaa3/0xc00\n hci_rx_work+0x702/0x1220\n process_one_work+0x98a/0x1620\n worker_thread+0x665/0x1080\n kthread+0x2e4/0x3a0\n ret_from_fork+0x1f/0x30\n\nFreed by task 7593:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n ____kasan_slab_free+0x167/0x1c0\n slab_free_freelist_hook+0x89/0x1c0\n kfree+0xe2/0x580\n l2cap_chan_put+0x22a/0x2d0\n l2cap_conn_del+0x3fc/0x7b0\n l2cap_disconn_cfm+0x8c/0xc0\n hci_conn_hash_flush+0x11f/0x260\n hci_dev_close_sync+0x5f5/0x11f0\n hci_dev_do_close+0x2d/0x70\n hci_error_reset+0x9e/0x140\n process_one_work+0x98a/0x1620\n worker_thread+0x665/0x1080\n kthread+0x2e4/0x3a0\n ret_from_fork+0x1f/0x30\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0xbe/0xd0\n call_rcu+0x99/0x740\n netlink_release+0xe6a/0x1cf0\n __sock_release+0xcd/0x280\n sock_close+0x18/0x20\n __fput+0x27c/0xa90\n task_work_run+0xdd/0x1a0\n exit_to_user_mode_prepare+0x23c/0x250\n syscall_exit_to_user_mode+0x19/0x50\n do_syscall_64+0x42/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0xbe/0xd0\n call_rcu+0x99/0x740\n netlink_release+0xe6a/0x1cf0\n __sock_release+0xcd/0x280\n sock_close+0x18/0x20\n __fput+0x27c/0xa90\n task_work_run+0xdd/0x1a0\n exit_to_user_mode_prepare+0x23c/0x250\n syscall_exit_to_user_mode+0x19/0x50\n do_syscall_64+0x42/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd",
"id": "GHSA-2f6p-9573-fp98",
"modified": "2025-05-07T15:31:26Z",
"published": "2025-05-01T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49909"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d0e2d032811280b927650ff3c15fe5020e82533"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17c6164854f8bb80bf76f32b2c2f199c16b53703"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f7bfdd9a9af3b12c33d9da9a012e7f4d5c91f4b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8f7e4cf0694149a5d999d676ebd9ecf1b4cb2cc9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a3a7b2ac64de232edb67279e804932cb42f0b52a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db4a0783ed78beb2ebaa32f5f785bfd79c580689"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F72-2CHX-Q8P6
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Take state lock for af_unix iter
When a BPF iterator program updates a sockmap, there is a race condition in
unix_stream_bpf_update_proto() where the peer pointer can become stale[1]
during a state transition TCP_ESTABLISHED -> TCP_CLOSE.
CPU0 bpf CPU1 close
-------- ----------
// unix_stream_bpf_update_proto() sk_pair = unix_peer(sk) if (unlikely(!sk_pair)) return -EINVAL; // unix_release_sock() skpair = unix_peer(sk); unix_peer(sk) = NULL; sock_put(skpair) sock_hold(sk_pair) // UaF
More practically, this fix guarantees that the iterator program is consistently provided with a unix socket that remains stable during iterator execution.
[1]: BUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490 Write of size 4 at addr ffff8881178c9a00 by task test_progs/2231 Call Trace: dump_stack_lvl+0x5d/0x80 print_report+0x170/0x4f3 kasan_report+0xe4/0x1c0 kasan_check_range+0x125/0x200 unix_stream_bpf_update_proto+0x155/0x490 sock_map_link+0x71c/0xec0 sock_map_update_common+0xbc/0x600 sock_map_update_elem+0x19a/0x1f0 bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217 bpf_iter_run_prog+0x21e/0xae0 bpf_iter_unix_seq_show+0x1e0/0x2a0 bpf_seq_read+0x42c/0x10d0 vfs_read+0x171/0xb20 ksys_read+0xff/0x200 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2236: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x63/0x80 kmem_cache_alloc_noprof+0x1d5/0x680 sk_prot_alloc+0x59/0x210 sk_alloc+0x34/0x470 unix_create1+0x86/0x8a0 unix_stream_connect+0x318/0x15b0 __sys_connect+0xfd/0x130 __x64_sys_connect+0x72/0xd0 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2236: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x47/0x70 kmem_cache_free+0x11c/0x590 __sk_destruct+0x432/0x6e0 unix_release_sock+0x9b3/0xf60 unix_release+0x8a/0xf0 __sock_release+0xb0/0x270 sock_close+0x18/0x20 __fput+0x36e/0xac0 fput_close_sync+0xe5/0x1a0 __x64_sys_close+0x7d/0xd0 do_syscall_64+0xf7/0x5e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e
{
"affected": [],
"aliases": [
"CVE-2026-53033"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:14Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Take state lock for af_unix iter\n\nWhen a BPF iterator program updates a sockmap, there is a race condition in\nunix_stream_bpf_update_proto() where the `peer` pointer can become stale[1]\nduring a state transition TCP_ESTABLISHED -\u003e TCP_CLOSE.\n\n CPU0 bpf CPU1 close\n -------- ----------\n// unix_stream_bpf_update_proto()\nsk_pair = unix_peer(sk)\nif (unlikely(!sk_pair))\n return -EINVAL;\n // unix_release_sock()\n skpair = unix_peer(sk);\n unix_peer(sk) = NULL;\n sock_put(skpair)\nsock_hold(sk_pair) // UaF\n\nMore practically, this fix guarantees that the iterator program is\nconsistently provided with a unix socket that remains stable during\niterator execution.\n\n[1]:\nBUG: KASAN: slab-use-after-free in unix_stream_bpf_update_proto+0x155/0x490\nWrite of size 4 at addr ffff8881178c9a00 by task test_progs/2231\nCall Trace:\n dump_stack_lvl+0x5d/0x80\n print_report+0x170/0x4f3\n kasan_report+0xe4/0x1c0\n kasan_check_range+0x125/0x200\n unix_stream_bpf_update_proto+0x155/0x490\n sock_map_link+0x71c/0xec0\n sock_map_update_common+0xbc/0x600\n sock_map_update_elem+0x19a/0x1f0\n bpf_prog_bbbf56096cdd4f01_selective_dump_unix+0x20c/0x217\n bpf_iter_run_prog+0x21e/0xae0\n bpf_iter_unix_seq_show+0x1e0/0x2a0\n bpf_seq_read+0x42c/0x10d0\n vfs_read+0x171/0xb20\n ksys_read+0xff/0x200\n do_syscall_64+0xf7/0x5e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nAllocated by task 2236:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x63/0x80\n kmem_cache_alloc_noprof+0x1d5/0x680\n sk_prot_alloc+0x59/0x210\n sk_alloc+0x34/0x470\n unix_create1+0x86/0x8a0\n unix_stream_connect+0x318/0x15b0\n __sys_connect+0xfd/0x130\n __x64_sys_connect+0x72/0xd0\n do_syscall_64+0xf7/0x5e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 2236:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x47/0x70\n kmem_cache_free+0x11c/0x590\n __sk_destruct+0x432/0x6e0\n unix_release_sock+0x9b3/0xf60\n unix_release+0x8a/0xf0\n __sock_release+0xb0/0x270\n sock_close+0x18/0x20\n __fput+0x36e/0xac0\n fput_close_sync+0xe5/0x1a0\n __x64_sys_close+0x7d/0xd0\n do_syscall_64+0xf7/0x5e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e",
"id": "GHSA-2f72-2chx-q8p6",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53033"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53033"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492281"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a59cc6b65fd3ad9915aae5970d859109d4ce9fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64c2f93fc3254d3bf5de4445fb732ee5c451edb6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/921920c34cb591947dd30c692500795a69f1e3fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98f744d204e5d6fca589cd2c44c3190a0c71697f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6f4015eac2e3cbc3cb7a17539e10bbb5c2049c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0d124dbcef9318e326956137b31671407094bd4"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53033.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F7Q-2MVJ-9CQ2
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08An issue has been found in function Gfx::doShowText in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Use After Free .
{
"affected": [],
"aliases": [
"CVE-2020-19474"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been found in function Gfx::doShowText in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to an Use After Free .",
"id": "GHSA-2f7q-2mvj-9cq2",
"modified": "2022-05-24T19:08:33Z",
"published": "2022-05-24T19:08:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19474"
},
{
"type": "WEB",
"url": "https://github.com/flexpaper/pdf2json/issues/35"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2F85-6R7V-QRG9
Vulnerability from github – Published: 2023-01-20 21:30 – Updated: 2023-01-28 06:30An issue was discovered with assimp 5.1.4, a use after free occurred in function ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp.
{
"affected": [],
"aliases": [
"CVE-2022-45748"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered with assimp 5.1.4, a use after free occurred in function ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp.",
"id": "GHSA-2f85-6r7v-qrg9",
"modified": "2023-01-28T06:30:29Z",
"published": "2023-01-20T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45748"
},
{
"type": "WEB",
"url": "https://github.com/assimp/assimp/issues/4286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2F8G-7HCR-FJ76
Vulnerability from github – Published: 2025-07-11 15:31 – Updated: 2025-07-11 15:31A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.
On all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.
This issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.
This issue affects:
Junos OS:
- All versions before 21.2R3-S9,
- all versions of 21.4,
- from 22.2 before 22.2R3-S6,
- from 22.4 before 22.4R3-S5,
- from 23.2 before 23.2R2-S3,
- from 23.4 before 23.4R2-S4,
- from 24.2 before 24.2R2;
Junos OS Evolved:
- All versions before 22.4R3-S5-EVO,
- from 23.2-EVO before 23.2R2-S3-EVO,
- from 23.4-EVO before 23.4R2-S4-EVO,
- from 24.2-EVO before 24.2R2-EVO.
This is a more complete fix for previously published CVE-2024-39549 (JSA83011).
{
"affected": [],
"aliases": [
"CVE-2025-52946"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T15:15:24Z",
"severity": "HIGH"
},
"details": "A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.\n\nOn all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.\n\nThis issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.\n\n\n\nThis issue affects:\n\n\u00a0Junos OS:\n\n\n\n * All versions before 21.2R3-S9,\u00a0\n * all versions of 21.4,\n * from 22.2 before 22.2R3-S6,\u00a0\n * from 22.4 before 22.4R3-S5,\u00a0\n * from 23.2 before 23.2R2-S3,\u00a0\n * from 23.4 before 23.4R2-S4,\u00a0\n * from 24.2 before 24.2R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n * All versions before 22.4R3-S5-EVO,\u00a0\n * from 23.2-EVO before 23.2R2-S3-EVO,\u00a0\n * from 23.4-EVO before 23.4R2-S4-EVO,\u00a0\n * from 24.2-EVO before 24.2R2-EVO.\n\n\n\n\n\n\n\nThis is a more complete fix for previously published CVE-2024-39549 (JSA83011).",
"id": "GHSA-2f8g-7hcr-fj76",
"modified": "2025-07-11T15:31:37Z",
"published": "2025-07-11T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52946"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA100050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2FGG-M8V8-C9HJ
Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-12 21:31Animate versions 23.0.12, 24.0.9 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-49562"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T21:15:30Z",
"severity": "MODERATE"
},
"details": "Animate versions 23.0.12, 24.0.9 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-2fgg-m8v8-c9hj",
"modified": "2025-08-12T21:31:21Z",
"published": "2025-08-12T21:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49562"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/animate/apsb25-73.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2FH5-2Q69-8G9V
Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2022-04-30 00:02Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac had a use after free bug in GuestView, which allowed a remote attacker to perform an out of bounds memory read via a crafted Chrome extension.
{
"affected": [],
"aliases": [
"CVE-2017-5043"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-24T23:59:00Z",
"severity": "HIGH"
},
"details": "Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac had a use after free bug in GuestView, which allowed a remote attacker to perform an out of bounds memory read via a crafted Chrome extension.",
"id": "GHSA-2fh5-2q69-8g9v",
"modified": "2022-04-30T00:02:20Z",
"published": "2022-04-30T00:02:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5043"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/683523"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201704-02"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3810"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2FWP-8972-4PV4
Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-14 00:01Adobe Framemaker versions 2029u8 (and earlier) and 2020u4 (and earlier) are affected by a Use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-28823"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-13T15:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Framemaker versions 2029u8 (and earlier) and 2020u4 (and earlier) are affected by a Use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-2fwp-8972-4pv4",
"modified": "2022-05-14T00:01:44Z",
"published": "2022-05-14T00:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28823"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/framemaker/apsb22-27.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2FXV-W3PW-Q9QX
Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43A use after free in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an ImageCapture NULL pointer dereference.
{
"affected": [],
"aliases": [
"CVE-2017-15395"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-07T23:29:00Z",
"severity": "MODERATE"
},
"details": "A use after free in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an ImageCapture NULL pointer dereference.",
"id": "GHSA-2fxv-w3pw-q9qx",
"modified": "2022-05-14T03:43:13Z",
"published": "2022-05-14T03:43:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15395"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2997"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/759457"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201710-24"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4020"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101482"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.