Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-2GWR-36X9-98CQ

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 12:31
VLAI
Details

Use after free in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:52Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-2gwr-36x9-98cq",
  "modified": "2026-05-29T12:31:24Z",
  "published": "2026-05-29T00:38:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9945"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/503565293"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GWR-FRHX-J93X

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

After an insertion in TNC, the tree might split and cause a node to change its znode->parent. A further deletion of other nodes in the tree (which also could free the nodes), the aforementioned node's znode->cparent could still point to a freed node. This znode->cparent may not be updated when getting nodes to commit in ubifs_tnc_start_commit(). This could then trigger a use-after-free when accessing the znode->cparent in write_index() in ubifs_tnc_end_commit().

This can be triggered by running

rm -f /etc/test-file.bin dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync

in a loop, and with CONFIG_UBIFS_FS_AUTHENTICATION. KASAN then reports:

BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950 Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153

Call trace: dump_backtrace+0x0/0x340 show_stack+0x18/0x24 dump_stack_lvl+0x9c/0xbc print_address_description.constprop.0+0x74/0x2b0 kasan_report+0x1d8/0x1f0 kasan_check_range+0xf8/0x1a0 memcpy+0x84/0xf4 ubifs_tnc_end_commit+0xa5c/0x1950 do_commit+0x4e0/0x1340 ubifs_bg_thread+0x234/0x2e0 kthread+0x36c/0x410 ret_from_fork+0x10/0x20

Allocated by task 401: kasan_save_stack+0x38/0x70 __kasan_kmalloc+0x8c/0xd0 __kmalloc+0x34c/0x5bc tnc_insert+0x140/0x16a4 ubifs_tnc_add+0x370/0x52c ubifs_jnl_write_data+0x5d8/0x870 do_writepage+0x36c/0x510 ubifs_writepage+0x190/0x4dc __writepage+0x58/0x154 write_cache_pages+0x394/0x830 do_writepages+0x1f0/0x5b0 filemap_fdatawrite_wbc+0x170/0x25c file_write_and_wait_range+0x140/0x190 ubifs_fsync+0xe8/0x290 vfs_fsync_range+0xc0/0x1e4 do_fsync+0x40/0x90 __arm64_sys_fsync+0x34/0x50 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8

Freed by task 403: kasan_save_stack+0x38/0x70 kasan_set_track+0x28/0x40 kasan_set_free_info+0x28/0x4c __kasan_slab_free+0xd4/0x13c kfree+0xc4/0x3a0 tnc_delete+0x3f4/0xe40 ubifs_tnc_remove_range+0x368/0x73c ubifs_tnc_remove_ino+0x29c/0x2e0 ubifs_jnl_delete_inode+0x150/0x260 ubifs_evict_inode+0x1d4/0x2e4 evict+0x1c8/0x450 iput+0x2a0/0x3c4 do_unlinkat+0x2cc/0x490 __arm64_sys_unlinkat+0x90/0x100 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8

The offending memcpy() in ubifs_copy_hash() has a use-after-free when a node becomes root in TNC but still has a cparent to an already freed node. More specifically, consider the following TNC:

     zroot
     /
    /
  zp1
  /
 /
zn

Inserting a new node zn_new with a key smaller then zn will trigger a split in tnc_insert() if zp1 is full:

     zroot
     /   \
    /     \
  zp1     zp2
  /         \
 /           \

zn_new zn

zn->parent has now been moved to zp2, but zn->cparent still points to zp1.

Now, consider a removal of all the nodes except zn. Just when tnc_delete() is about to delete zroot and zp2:

     zroot
         \
          \
          zp2
            \
             \
             zn

zroot and zp2 get freed and the tree collapses:

       zn

zn now becomes the new zroot.

get_znodes_to_commit() will now only find zn, the new zroot, and write_index() will check its znode->cparent that wrongly points to the already freed zp1. ubifs_copy_hash() thus gets wrongly called with znode->cparent->zbranch[znode->iip].hash that triggers the use-after-free!

Fix this by explicitly setting znode->cparent to NULL in get_znodes_to_commit() for the root node. The search for the dirty nodes ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:24Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit\n\nAfter an insertion in TNC, the tree might split and cause a node to\nchange its `znode-\u003eparent`. A further deletion of other nodes in the\ntree (which also could free the nodes), the aforementioned node\u0027s\n`znode-\u003ecparent` could still point to a freed node. This\n`znode-\u003ecparent` may not be updated when getting nodes to commit in\n`ubifs_tnc_start_commit()`. This could then trigger a use-after-free\nwhen accessing the `znode-\u003ecparent` in `write_index()` in\n`ubifs_tnc_end_commit()`.\n\nThis can be triggered by running\n\n  rm -f /etc/test-file.bin\n  dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync\n\nin a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then\nreports:\n\n  BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950\n  Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153\n\n  Call trace:\n   dump_backtrace+0x0/0x340\n   show_stack+0x18/0x24\n   dump_stack_lvl+0x9c/0xbc\n   print_address_description.constprop.0+0x74/0x2b0\n   kasan_report+0x1d8/0x1f0\n   kasan_check_range+0xf8/0x1a0\n   memcpy+0x84/0xf4\n   ubifs_tnc_end_commit+0xa5c/0x1950\n   do_commit+0x4e0/0x1340\n   ubifs_bg_thread+0x234/0x2e0\n   kthread+0x36c/0x410\n   ret_from_fork+0x10/0x20\n\n  Allocated by task 401:\n   kasan_save_stack+0x38/0x70\n   __kasan_kmalloc+0x8c/0xd0\n   __kmalloc+0x34c/0x5bc\n   tnc_insert+0x140/0x16a4\n   ubifs_tnc_add+0x370/0x52c\n   ubifs_jnl_write_data+0x5d8/0x870\n   do_writepage+0x36c/0x510\n   ubifs_writepage+0x190/0x4dc\n   __writepage+0x58/0x154\n   write_cache_pages+0x394/0x830\n   do_writepages+0x1f0/0x5b0\n   filemap_fdatawrite_wbc+0x170/0x25c\n   file_write_and_wait_range+0x140/0x190\n   ubifs_fsync+0xe8/0x290\n   vfs_fsync_range+0xc0/0x1e4\n   do_fsync+0x40/0x90\n   __arm64_sys_fsync+0x34/0x50\n   invoke_syscall.constprop.0+0xa8/0x260\n   do_el0_svc+0xc8/0x1f0\n   el0_svc+0x34/0x70\n   el0t_64_sync_handler+0x108/0x114\n   el0t_64_sync+0x1a4/0x1a8\n\n  Freed by task 403:\n   kasan_save_stack+0x38/0x70\n   kasan_set_track+0x28/0x40\n   kasan_set_free_info+0x28/0x4c\n   __kasan_slab_free+0xd4/0x13c\n   kfree+0xc4/0x3a0\n   tnc_delete+0x3f4/0xe40\n   ubifs_tnc_remove_range+0x368/0x73c\n   ubifs_tnc_remove_ino+0x29c/0x2e0\n   ubifs_jnl_delete_inode+0x150/0x260\n   ubifs_evict_inode+0x1d4/0x2e4\n   evict+0x1c8/0x450\n   iput+0x2a0/0x3c4\n   do_unlinkat+0x2cc/0x490\n   __arm64_sys_unlinkat+0x90/0x100\n   invoke_syscall.constprop.0+0xa8/0x260\n   do_el0_svc+0xc8/0x1f0\n   el0_svc+0x34/0x70\n   el0t_64_sync_handler+0x108/0x114\n   el0t_64_sync+0x1a4/0x1a8\n\nThe offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free\nwhen a node becomes root in TNC but still has a `cparent` to an already\nfreed node. More specifically, consider the following TNC:\n\n         zroot\n         /\n        /\n      zp1\n      /\n     /\n    zn\n\nInserting a new node `zn_new` with a key smaller then `zn` will trigger\na split in `tnc_insert()` if `zp1` is full:\n\n         zroot\n         /   \\\n        /     \\\n      zp1     zp2\n      /         \\\n     /           \\\n  zn_new          zn\n\n`zn-\u003eparent` has now been moved to `zp2`, *but* `zn-\u003ecparent` still\npoints to `zp1`.\n\nNow, consider a removal of all the nodes _except_ `zn`. Just when\n`tnc_delete()` is about to delete `zroot` and `zp2`:\n\n         zroot\n             \\\n              \\\n              zp2\n                \\\n                 \\\n                 zn\n\n`zroot` and `zp2` get freed and the tree collapses:\n\n           zn\n\n`zn` now becomes the new `zroot`.\n\n`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and\n`write_index()` will check its `znode-\u003ecparent` that wrongly points to\nthe already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called\nwith `znode-\u003ecparent-\u003ezbranch[znode-\u003eiip].hash` that triggers the\nuse-after-free!\n\nFix this by explicitly setting `znode-\u003ecparent` to `NULL` in\n`get_znodes_to_commit()` for the root node. The search for the dirty\nnodes\n---truncated---",
  "id": "GHSA-2gwr-frhx-j93x",
  "modified": "2025-11-03T21:31:46Z",
  "published": "2024-12-27T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53171"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01d3a2293d7e4edfff96618c15727db7e51f11b6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2497479aecebe869d23a0064e0fd1a03e34f0e2a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/398a91599d263e41c5f95a2fd4ebdb6280b5c6c3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4617fb8fc15effe8eda4dd898d4e33eb537a7140"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d9807048b851d7a58d5bd089c16254af896e4df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/74981f7577d183acad1cd58f74c10d263711a215"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/daac4aa1825de0dbc1a6eede2fa7f9fc53f14223"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GX9-PFXR-FGH5

Vulnerability from github – Published: 2022-05-14 02:20 – Updated: 2025-04-20 03:40
VLAI
Details

The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-18T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.",
  "id": "GHSA-2gx9-pfxr-fgh5",
  "modified": "2025-04-20T03:40:59Z",
  "published": "2022-05-14T02:20:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11403"
    },
    {
      "type": "WEB",
      "url": "https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4206-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4321"
    },
    {
      "type": "WEB",
      "url": "http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H37-QQ8X-J923

Vulnerability from github – Published: 2026-06-09 00:33 – Updated: 2026-06-09 03:31
VLAI
Details

Use after free in Gamepad in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T00:16:45Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in Gamepad in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)",
  "id": "GHSA-2h37-qq8x-j923",
  "modified": "2026-06-09T03:31:39Z",
  "published": "2026-06-09T00:33:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11634"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/516975148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H3H-P2MP-RW5Q

Vulnerability from github – Published: 2025-09-18 15:30 – Updated: 2025-12-12 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent use-after-free by freeing the cfile later

In smb2_compound_op we have a possible use-after-free which can cause hard to debug problems later on.

This was revealed during stress testing with KASAN enabled kernel. Fixing it by moving the cfile free call to a few lines below, after the usage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T14:15:40Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent use-after-free by freeing the cfile later\n\nIn smb2_compound_op we have a possible use-after-free\nwhich can cause hard to debug problems later on.\n\nThis was revealed during stress testing with KASAN enabled\nkernel. Fixing it by moving the cfile free call to\na few lines below, after the usage.",
  "id": "GHSA-2h3h-p2mp-rw5q",
  "modified": "2025-12-12T18:30:28Z",
  "published": "2025-09-18T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53377"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/33f736187d08f6bc822117629f263b97d3df4165"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4fe07d55a5461e66a55fbefb57f85ff0facea32b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6353518ef8180816e863aa23b06456f395404d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d017880782cf71f8820ee4a2002843893176501d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H3Q-MH3Q-C4FJ

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()

Using the devm_ variant for requesting IRQ before the devm_ variant for allocating/registering the power_supply handle, means that the power_supply handle will be deallocated/unregistered before the interrupt handler (since devm_ naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just after the power_supply handle has been freed, but just before the corresponding unregistration of the IRQ handler has run.

This will lead to the IRQ handler calling power_supply_changed() with a freed power_supply handle. Which usually crashes the system or otherwise silently corrupts the memory...

Note that there is a similar situation which can also happen during probe(); the possibility of an interrupt firing before registering the power_supply handle. This would then lead to the nasty situation of using the power_supply handle uninitialized in power_supply_changed().

Fix this racy use-after-free by making sure the IRQ is requested after the registration of the power_supply handle.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:02Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed()\n\nUsing the `devm_` variant for requesting IRQ _before_ the `devm_`\nvariant for allocating/registering the `power_supply` handle, means that\nthe `power_supply` handle will be deallocated/unregistered _before_ the\ninterrupt handler (since `devm_` naturally deallocates in reverse\nallocation order). This means that during removal, there is a race\ncondition where an interrupt can fire just _after_ the `power_supply`\nhandle has been freed, *but* just _before_ the corresponding\nunregistration of the IRQ handler has run.\n\nThis will lead to the IRQ handler calling `power_supply_changed()` with\na freed `power_supply` handle. Which usually crashes the system or\notherwise silently corrupts the memory...\n\nNote that there is a similar situation which can also happen during\n`probe()`; the possibility of an interrupt firing _before_ registering\nthe `power_supply` handle. This would then lead to the nasty situation\nof using the `power_supply` handle *uninitialized* in\n`power_supply_changed()`.\n\nFix this racy use-after-free by making sure the IRQ is requested _after_\nthe registration of the `power_supply` handle.",
  "id": "GHSA-2h3q-mh3q-c4fj",
  "modified": "2026-06-25T21:31:19Z",
  "published": "2026-05-27T15:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45882"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17db6b3abd823c9fba3f3413c4f0f432d99d49dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62914959b35e9a1e29cc0f64cb8cfc5075a5366f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8b7117ae3a791c6a328674d05a06cd45d8241bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b69bb88e20c6f8e998dff3e13a316207f49d3fa2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H4C-CJPH-5CR5

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30
VLAI
Details

Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T18:17:02Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-2h4c-cjph-5cr5",
  "modified": "2026-04-14T18:30:39Z",
  "published": "2026-04-14T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27923"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27923"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H5V-WWHM-X53C

Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2022-05-24 17:04
VLAI
Details

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-18T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to arbitrary code execution.",
  "id": "GHSA-2h5v-wwhm-x53c",
  "modified": "2022-05-24T17:04:27Z",
  "published": "2022-05-24T17:04:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8681"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210351"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210355"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210356"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210357"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2H64-4PG7-RQ8P

Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-13 21:30
VLAI
Details

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T22:16:30Z",
    "severity": "HIGH"
  },
  "details": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)",
  "id": "GHSA-2h64-4pg7-rq8p",
  "modified": "2026-04-13T21:30:39Z",
  "published": "2026-04-09T00:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5904"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/483851888"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H6H-VCRW-57FF

Vulnerability from github – Published: 2024-09-13 06:30 – Updated: 2024-09-13 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix potential UAF in nfsd4_cb_getattr_release

Once we drop the delegation reference, the fields embedded in it are no longer safe to access. Do that last.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-13T06:15:14Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix potential UAF in nfsd4_cb_getattr_release\n\nOnce we drop the delegation reference, the fields embedded in it are no\nlonger safe to access. Do that last.",
  "id": "GHSA-2h6h-vcrw-57ff",
  "modified": "2024-09-13T18:31:46Z",
  "published": "2024-09-13T06:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46696"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1116e0e372eb16dd907ec571ce5d4af325c55c10"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0b66698a5ae41078f7490e8b3527013f5fccd6c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.