CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-HHW2-PQHF-VMX2
Vulnerability from github – Published: 2021-08-25 20:49 – Updated: 2025-05-23 18:29An issue was discovered in the actix-utils crate before 2.0.0 for Rust. The Cell implementation allows obtaining more than one mutable reference to the same data.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "actix-utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35898"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T20:53:53Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "An issue was discovered in the actix-utils crate before 2.0.0 for Rust. The Cell implementation allows obtaining more than one mutable reference to the same data.",
"id": "GHSA-hhw2-pqhf-vmx2",
"modified": "2025-05-23T18:29:56Z",
"published": "2021-08-25T20:49:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35898"
},
{
"type": "WEB",
"url": "https://github.com/actix/actix-net/issues/160"
},
{
"type": "WEB",
"url": "https://github.com/actix/actix-net/commit/0dca1a705ad1ff4885b3491ecb809a808e1de66c"
},
{
"type": "PACKAGE",
"url": "https://github.com/actix/actix-net"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use after free in actix-utils"
}
GHSA-HHXJ-VXV9-CX4F
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-49761"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T18:15:31Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-hhxj-vxv9-cx4f",
"modified": "2025-08-12T18:31:30Z",
"published": "2025-08-12T18:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49761"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJ2R-678G-RXMG
Vulnerability from github – Published: 2025-05-06 09:31 – Updated: 2025-05-06 09:31Memory corruption while handling multiple IOCTL calls from userspace to operate DMA operations.
{
"affected": [],
"aliases": [
"CVE-2024-45583"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T09:15:20Z",
"severity": "MODERATE"
},
"details": "Memory corruption while handling multiple IOCTL calls from userspace to operate DMA operations.",
"id": "GHSA-hj2r-678g-rxmg",
"modified": "2025-05-06T09:31:33Z",
"published": "2025-05-06T09:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45583"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HJ7C-HMHF-F2JQ
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:41In the Linux kernel 5.0.21, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call.
{
"affected": [],
"aliases": [
"CVE-2019-19319"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-27T23:15:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel 5.0.21, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call.",
"id": "GHSA-hj7c-hmhf-f2jq",
"modified": "2024-04-04T02:41:18Z",
"published": "2022-05-24T17:02:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19319"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1158021"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=345c0dbf3a30"
},
{
"type": "WEB",
"url": "https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19319"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200103-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4391-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4698"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJ7W-JJQ4-XH7Q
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38User after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-21115"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-08T19:15:00Z",
"severity": "CRITICAL"
},
"details": "User after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.",
"id": "GHSA-hj7w-jjq4-xh7q",
"modified": "2022-05-24T17:38:26Z",
"published": "2022-05-24T17:38:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21115"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1157814"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-05"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4832"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJ8W-CHVP-5F9P
Vulnerability from github – Published: 2022-05-14 01:00 – Updated: 2022-05-14 01:00The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1.15 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted vcf file.
{
"affected": [],
"aliases": [
"CVE-2018-11129"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-17T19:29:00Z",
"severity": "HIGH"
},
"details": "The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1.15 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted vcf file.",
"id": "GHSA-hj8w-chvp-5f9p",
"modified": "2022-05-14T01:00:18Z",
"published": "2022-05-14T01:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11129"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00039.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3974-1"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/May/43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJCM-XJ34-6Q2Q
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
net: inet: do not leave a dangling sk pointer in inet_create()
sock_init_data() attaches the allocated sk object to the provided sock object. If inet_create() fails later, the sk object is freed, but the sock object retains the dangling pointer, which may create use-after-free later.
Clear the sk pointer in the sock object on error.
{
"affected": [],
"aliases": [
"CVE-2024-56601"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: inet: do not leave a dangling sk pointer in inet_create()\n\nsock_init_data() attaches the allocated sk object to the provided sock\nobject. If inet_create() fails later, the sk object is freed, but the\nsock object retains the dangling pointer, which may create use-after-free\nlater.\n\nClear the sk pointer in the sock object on error.",
"id": "GHSA-hjcm-xj34-6q2q",
"modified": "2025-11-03T21:31:54Z",
"published": "2024-12-27T15:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56601"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25447c6aaa7235f155292b0c58a067347e8ae891"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2bc34d8c8898ae9fddf4612501aabb22d76c2b2c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e8258070b0f2aba66b3ef18883de229674fb288"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/691d6d816f93b2a1008c14178399061466e674ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b4513cfd3a10c03c660d5d3d26c2e322efbfdd9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8a3f255f7509a209292871715cda03779640c8d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJFQ-C3JW-R92P
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.
{
"affected": [],
"aliases": [
"CVE-2022-3564"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.",
"id": "GHSA-hjfq-c3jw-r92p",
"modified": "2022-10-20T19:00:36Z",
"published": "2022-10-18T12:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3564"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=89f9f3cb86b1c63badaf392a83dd661d56cc50b1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221223-0001"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.211087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJG7-9VCF-526J
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-21180"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-09T18:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-hjg7-9vcf-526j",
"modified": "2022-05-24T17:43:58Z",
"published": "2022-05-24T17:43:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21180"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1175507"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202104-08"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4886"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJHR-HVPQ-97F6
Vulnerability from github – Published: 2025-08-22 18:31 – Updated: 2025-11-26 18:30In the Linux kernel, the following vulnerability has been resolved:
zloop: fix KASAN use-after-free of tag set
When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.
zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() ... zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set)
To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).
{
"affected": [],
"aliases": [
"CVE-2025-38620"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-22T16:15:35Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nzloop: fix KASAN use-after-free of tag set\n\nWhen a zoned loop device, or zloop device, is removed, KASAN enabled\nkernel reports \"BUG KASAN use-after-free\" in blk_mq_free_tag_set(). The\nBUG happens because zloop_ctl_remove() calls put_disk(), which invokes\nzloop_free_disk(). The zloop_free_disk() frees the memory allocated for\nthe zlo pointer. However, after the memory is freed, zloop_ctl_remove()\ncalls blk_mq_free_tag_set(\u0026zlo-\u003etag_set), which accesses the freed zlo.\nHence the KASAN use-after-free.\n\n zloop_ctl_remove()\n put_disk(zlo-\u003edisk)\n put_device()\n kobject_put()\n ...\n zloop_free_disk()\n kvfree(zlo)\n blk_mq_free_tag_set(\u0026zlo-\u003etag_set)\n\nTo avoid the BUG, move the call to blk_mq_free_tag_set(\u0026zlo-\u003etag_set)\nfrom zloop_ctl_remove() into zloop_free_disk(). This ensures that\nthe tag_set is freed before the call to kvfree(zlo).",
"id": "GHSA-hjhr-hvpq-97f6",
"modified": "2025-11-26T18:30:59Z",
"published": "2025-08-22T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38620"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/765761851d89c772f482494d452e266795460278"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7c87046b41a9ef28ee7ac476c369da5b5228bc5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.