CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-J27F-XG68-8FVV
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31Use after free in Extensions in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-9891"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:47Z",
"severity": "CRITICAL"
},
"details": "Use after free in Extensions in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)",
"id": "GHSA-j27f-xg68-8fvv",
"modified": "2026-05-29T18:31:23Z",
"published": "2026-05-29T00:38:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9891"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513508128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J298-5J4F-CW2M
Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19There is a use-after-free in the function compileBrailleIndicator() in compileTranslationTable.c in Liblouis 3.2.0 that will lead to a remote denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2017-13741"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-29T06:29:00Z",
"severity": "MODERATE"
},
"details": "There is a use-after-free in the function compileBrailleIndicator() in compileTranslationTable.c in Liblouis 3.2.0 that will lead to a remote denial of service attack.",
"id": "GHSA-j298-5j4f-cw2m",
"modified": "2022-05-17T00:19:04Z",
"published": "2022-05-17T00:19:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3111"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484332"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100607"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2CV-6C69-CCM5
Vulnerability from github – Published: 2024-08-21 09:31 – Updated: 2024-09-06 15:32In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Don't remove map on creater_process and device_release
Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free. Do not remove it on fastrpc_device_release either, call fastrpc_map_put instead.
The fastrpc_free_map is the only proper place to remove the map. This is called only after the reference count is 0.
{
"affected": [],
"aliases": [
"CVE-2022-48873"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T07:15:04Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Don\u0027t remove map on creater_process and device_release\n\nDo not remove the map from the list on error path in\nfastrpc_init_create_process, instead call fastrpc_map_put, to avoid\nuse-after-free. Do not remove it on fastrpc_device_release either,\ncall fastrpc_map_put instead.\n\nThe fastrpc_free_map is the only proper place to remove the map.\nThis is called only after the reference count is 0.",
"id": "GHSA-j2cv-6c69-ccm5",
"modified": "2024-09-06T15:32:56Z",
"published": "2024-08-21T09:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48873"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2CW-JH9J-QMPX
Vulnerability from github – Published: 2024-08-22 03:31 – Updated: 2024-08-27 18:31In the Linux kernel, the following vulnerability has been resolved:
blktrace: fix use after free for struct blk_trace
When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg':
================================================================== BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100 Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188
CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4 Call Trace: dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xab/0x381 ? blk_dropped_read+0x89/0x100 ? blk_dropped_read+0x89/0x100 kasan_report.cold+0x83/0xdf ? blk_dropped_read+0x89/0x100 kasan_check_range+0x140/0x1b0 blk_dropped_read+0x89/0x100 ? blk_create_buf_file_callback+0x20/0x20 ? kmem_cache_free+0xa1/0x500 ? do_sys_openat2+0x258/0x460 full_proxy_read+0x8f/0xc0 vfs_read+0xc6/0x260 ksys_read+0xb9/0x150 ? vfs_write+0x3d0/0x3d0 ? fpregs_assert_state_consistent+0x55/0x60 ? exit_to_user_mode_prepare+0x39/0x1e0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8
Allocated by task 1050: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 do_blk_trace_setup+0xcb/0x410 __blk_trace_setup+0xac/0x130 blk_trace_ioctl+0xe9/0x1c0 blkdev_ioctl+0xf1/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 1050: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x103/0x180 kfree+0x9a/0x4c0 __blk_trace_remove+0x53/0x70 blk_trace_ioctl+0x199/0x1c0 blkdev_common_ioctl+0x5e9/0xb30 blkdev_ioctl+0x1a5/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88816912f380 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 88 bytes inside of 96-byte region [ffff88816912f380, ffff88816912f3e0) The buggy address belongs to the page: page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================
{
"affected": [],
"aliases": [
"CVE-2022-48913"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T02:15:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix use after free for struct blk_trace\n\nWhen tracing the whole disk, \u0027dropped\u0027 and \u0027msg\u0027 will be created\nunder \u0027q-\u003edebugfs_dir\u0027 and \u0027bt-\u003edir\u0027 is NULL, thus blk_trace_free()\nwon\u0027t remove those files. What\u0027s worse, the following UAF can be\ntriggered because of accessing stale \u0027dropped\u0027 and \u0027msg\u0027:\n\n==================================================================\nBUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100\nRead of size 4 at addr ffff88816912f3d8 by task blktrace/1188\n\nCPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_address_description.constprop.0.cold+0xab/0x381\n ? blk_dropped_read+0x89/0x100\n ? blk_dropped_read+0x89/0x100\n kasan_report.cold+0x83/0xdf\n ? blk_dropped_read+0x89/0x100\n kasan_check_range+0x140/0x1b0\n blk_dropped_read+0x89/0x100\n ? blk_create_buf_file_callback+0x20/0x20\n ? kmem_cache_free+0xa1/0x500\n ? do_sys_openat2+0x258/0x460\n full_proxy_read+0x8f/0xc0\n vfs_read+0xc6/0x260\n ksys_read+0xb9/0x150\n ? vfs_write+0x3d0/0x3d0\n ? fpregs_assert_state_consistent+0x55/0x60\n ? exit_to_user_mode_prepare+0x39/0x1e0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fbc080d92fd\nCode: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1\nRSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd\nRDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045\nRBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd\nR10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0\nR13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8\n \u003c/TASK\u003e\n\nAllocated by task 1050:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n do_blk_trace_setup+0xcb/0x410\n __blk_trace_setup+0xac/0x130\n blk_trace_ioctl+0xe9/0x1c0\n blkdev_ioctl+0xf1/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFreed by task 1050:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x103/0x180\n kfree+0x9a/0x4c0\n __blk_trace_remove+0x53/0x70\n blk_trace_ioctl+0x199/0x1c0\n blkdev_common_ioctl+0x5e9/0xb30\n blkdev_ioctl+0x1a5/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe buggy address belongs to the object at ffff88816912f380\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 88 bytes inside of\n 96-byte region [ffff88816912f380, ffff88816912f3e0)\nThe buggy address belongs to the page:\npage:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f\nflags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780\nraw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\u003effff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ^\n ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n==================================================================",
"id": "GHSA-j2cw-jh9j-qmpx",
"modified": "2024-08-27T18:31:35Z",
"published": "2024-08-22T03:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48913"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6418634238ade86f2b08192928787f39d8afb58c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78acc7dbd84a8c173a08584750845c31611160f2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2G5-7JVX-6R3G
Vulnerability from github – Published: 2025-01-28 06:30 – Updated: 2025-01-28 06:30NVIDIA GPU display driver for Windows and Linux contains a vulnerability where referencing memory after it has been freed can lead to denial of service or data tampering.
{
"affected": [],
"aliases": [
"CVE-2024-0147"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T04:15:09Z",
"severity": "MODERATE"
},
"details": "NVIDIA GPU display driver for Windows and Linux contains a vulnerability where referencing memory after it has been freed can lead to denial of service or data tampering.",
"id": "GHSA-j2g5-7jvx-6r3g",
"modified": "2025-01-28T06:30:40Z",
"published": "2025-01-28T06:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0147"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5614"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2G5-G9WR-MRFF
Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in cifs_dump_full_key()
Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.
{
"affected": [],
"aliases": [
"CVE-2024-35866"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T09:15:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
"id": "GHSA-j2g5-g9wr-mrff",
"modified": "2025-11-03T21:31:05Z",
"published": "2024-05-19T09:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35866"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d798fd98e3563027c5162259ead517057d6fa794"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4a60d360d9114b5085701a3702a0102b0d6d846"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2GC-738W-Q744
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
nilfs2: protect access to buffers with no active references
nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, accesses the attached buffers without locking the folios/pages.
For data cache, nilfs_clear_folio_dirty() may be called asynchronously when the file system degenerates to read only, so nilfs_lookup_dirty_data_buffers() still has the potential to cause use after free issues when buffers lose the protection of their dirty state midway due to this asynchronous clearing and are unintentionally freed by try_to_free_buffers().
Eliminate this race issue by adjusting the lock section in this function.
{
"affected": [],
"aliases": [
"CVE-2025-21811"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T20:16:03Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: protect access to buffers with no active references\n\nnilfs_lookup_dirty_data_buffers(), which iterates through the buffers\nattached to dirty data folios/pages, accesses the attached buffers without\nlocking the folios/pages.\n\nFor data cache, nilfs_clear_folio_dirty() may be called asynchronously\nwhen the file system degenerates to read only, so\nnilfs_lookup_dirty_data_buffers() still has the potential to cause use\nafter free issues when buffers lose the protection of their dirty state\nmidway due to this asynchronous clearing and are unintentionally freed by\ntry_to_free_buffers().\n\nEliminate this race issue by adjusting the lock section in this function.",
"id": "GHSA-j2gc-738w-q744",
"modified": "2025-11-03T21:33:02Z",
"published": "2025-02-27T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21811"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/367a9bffabe08c04f6d725032cce3d891b2b9e1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b08d23d7d1917bef4fbee8ad81372f49b006656"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58c27fa7a610b6e8d44e6220e7dbddfbaccaf439"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72cf688d0ce7e642b12ddc9b2a42524737ec1b4a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e1b9201c9a24638cf09c6e1c9f224157328010b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d8ff250e085a4c4cdda4ad1cdd234ed110393143"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1fc4a90a90ea8514246c45435662531975937d9"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2GV-GCHP-36V6
Vulnerability from github – Published: 2022-05-17 02:34 – Updated: 2022-05-17 02:34In all Android releases from CAF using the Linux kernel, a race condition exists in a video driver potentially leading to a use-after-free condition.
{
"affected": [],
"aliases": [
"CVE-2017-7370"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-13T20:29:00Z",
"severity": "HIGH"
},
"details": "In all Android releases from CAF using the Linux kernel, a race condition exists in a video driver potentially leading to a use-after-free condition.",
"id": "GHSA-j2gv-gchp-36v6",
"modified": "2022-05-17T02:34:12Z",
"published": "2022-05-17T02:34:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7370"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-06-01"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2GW-W7XW-RJ29
Vulnerability from github – Published: 2026-05-20 21:31 – Updated: 2026-05-20 21:31Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-9112"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T20:16:42Z",
"severity": "HIGH"
},
"details": "Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-j2gw-w7xw-rj29",
"modified": "2026-05-20T21:31:32Z",
"published": "2026-05-20T21:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9112"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/489791425"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2J9-Q468-5Q3F
Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
{
"affected": [],
"aliases": [
"CVE-2025-27723"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T17:16:11Z",
"severity": "MODERATE"
},
"details": "Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.",
"id": "GHSA-j2j9-q468-5q3f",
"modified": "2026-05-12T18:30:38Z",
"published": "2026-05-12T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27723"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01426.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.