CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-J4CX-P8J9-2C3M
Vulnerability from github – Published: 2022-05-17 02:12 – Updated: 2022-05-17 02:12Adobe Digital Editions 4.5.4 and earlier has an exploitable use after free vulnerability. Successful exploitation could lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2017-11274"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-11T19:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Digital Editions 4.5.4 and earlier has an exploitable use after free vulnerability. Successful exploitation could lead to arbitrary code execution.",
"id": "GHSA-j4cx-p8j9-2c3m",
"modified": "2022-05-17T02:12:33Z",
"published": "2022-05-17T02:12:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11274"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/Digital-Editions/apsb17-27.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100194"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039100"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4GM-4CCW-XJ35
Vulnerability from github – Published: 2022-05-14 03:54 – Updated: 2022-05-14 03:54A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2017-5019"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-17T07:59:00Z",
"severity": "MODERATE"
},
"details": "A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-j4gm-4ccw-xj35",
"modified": "2022-05-14T03:54:28Z",
"published": "2022-05-14T03:54:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5019"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/666714"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-66"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0206.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3776"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95792"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037718"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J4HC-7PPM-RRH4
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-02-27 21:32In the Linux kernel, the following vulnerability has been resolved:
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi]
Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]
Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ==================================================================
The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent.
ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl.
uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _____|___|_______ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del
And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _____|___|_______ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free
The cause of this problem is that commit 714fb87e8bc0 make device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show.This avoids accessing uninitialized ubi_devices[ubi_num].
ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counting are released. The key process is shown in the following stack.
device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain
{
"affected": [],
"aliases": [
"CVE-2021-47634"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T06:37:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl\n\nHulk Robot reported a KASAN report about use-after-free:\n ==================================================================\n BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160\n Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385\n [...]\n Call Trace:\n klist_dec_and_del+0xa7/0x4a0\n klist_put+0xc7/0x1a0\n device_del+0x4d4/0xed0\n cdev_device_del+0x1a/0x80\n ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]\n ctrl_cdev_ioctl+0x286/0x2f0 [ubi]\n\n Allocated by task 1414:\n device_add+0x60a/0x18b0\n cdev_device_add+0x103/0x170\n ubi_create_volume+0x1118/0x1a10 [ubi]\n ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]\n\n Freed by task 1385:\n cdev_device_del+0x1a/0x80\n ubi_remove_volume+0x438/0x6c0 [ubi]\n ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]\n [...]\n ==================================================================\n\nThe lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held\nby ubi_cdev_ioctl is ubi-\u003edevice_mutex. Therefore, the two locks can be\nconcurrent.\n\nctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.\nubi_detach is bug-free because it uses reference counting to prevent\nconcurrency. However, uif_init and uif_close in ubi_attach may race with\nubi_cdev_ioctl.\n\nuif_init will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_add_volume\n // sysfs exist\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n cdev_del\n // double free\n cdev_device_del\n\nAnd uif_close will race with ubi_cdev_ioctl as in the following stack.\n cpu1 cpu2 cpu3\n_______________________|________________________|______________________\nctrl_cdev_ioctl\n ubi_attach_mtd_dev\n uif_init\n ubi_cdev_ioctl\n ubi_create_volume\n cdev_device_add\n ubi_debugfs_init_dev\n //error goto out_uif;\n uif_close\n kill_volumes\n ubi_cdev_ioctl\n ubi_remove_volume\n cdev_device_del\n // first free\n ubi_free_volume\n // double free\n\nThe cause of this problem is that commit 714fb87e8bc0 make device\n\"available\" before it becomes accessible via sysfs. Therefore, we\nroll back the modification. We will fix the race condition between\nubi device creation and udev by removing ubi_get_device in\nvol_attribute_show and dev_attribute_show.This avoids accessing\nuninitialized ubi_devices[ubi_num].\n\nubi_get_device is used to prevent devices from being deleted during\nsysfs execution. However, now kernfs ensures that devices will not\nbe deleted before all reference counting are released.\nThe key process is shown in the following stack.\n\ndevice_del\n device_remove_attrs\n device_remove_groups\n sysfs_remove_groups\n sysfs_remove_group\n remove_files\n kernfs_remove_by_name\n kernfs_remove_by_name_ns\n __kernfs_remove\n kernfs_drain",
"id": "GHSA-j4hc-7ppm-rrh4",
"modified": "2025-02-27T21:32:09Z",
"published": "2025-02-27T21:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47634"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a3f1cf87054833242fcd0218de0481cf855f888"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cbf0e392f173ba0ce425968c8374a6aa3e90f2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/432b057f8e847ae5a2306515606f8d2defaca178"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a8ecee49259f8f78d91ddb329ab2be7e6fd01974"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c32fe764191b8ae8b128588beb96e3718d9179d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d727fd32cbd1abf3465f607021bc9c746f17b5a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f149b1bd213820363731aa119e5011ca892a2aac"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4J8-GWPJ-2HXG
Vulnerability from github – Published: 2025-01-07 09:30 – Updated: 2025-10-16 15:30in OpenHarmony v4.1.2 and prior versions allow a local attacker cause DOS through use after free.
{
"affected": [],
"aliases": [
"CVE-2024-54030"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T08:15:25Z",
"severity": "MODERATE"
},
"details": "in OpenHarmony v4.1.2 and prior versions allow a local attacker cause DOS\u00a0through use after free.",
"id": "GHSA-j4j8-gwpj-2hxg",
"modified": "2025-10-16T15:30:25Z",
"published": "2025-01-07T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54030"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-01.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J4JV-FP59-574F
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all the skbs queued on the fragment queue but does not set INET_FRAG_COMPLETE, and leaves q->fragments_tail and q->last_run_head pointing at the freed skbs. The queue itself stays in the rhashtable.
fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, but it cannot stop a fragment that already obtained the queue through inet_frag_find() earlier and stalled just before taking the queue lock. Once that fragment resumes after the flush and takes the queue lock, it passes the INET_FRAG_COMPLETE check and then dereferences the freed fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of that pointer and, on the append path, writes ->next_frag, causing a slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly share the same flush path and are affected as well.
Reset rb_fragments, fragments_tail and last_run_head in inet_frag_queue_flush() so a flushed queue no longer points at the freed skbs. A fragment that resumes after the flush and takes the queue lock then finds an empty queue and starts a new run instead of dereferencing the freed fragments_tail. ip_frag_reinit() already performed this reset after its own flush, so drop the now duplicate code there.
{
"affected": [],
"aliases": [
"CVE-2026-53175"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:34Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: fix use-after-free caused by the fqdir_pre_exit() flush\n\nOn netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and\nflushes every fragment queue that is not yet complete using\ninet_frag_queue_flush(). That helper frees all the skbs queued on the\nfragment queue but does not set INET_FRAG_COMPLETE, and leaves\nq-\u003efragments_tail and q-\u003elast_run_head pointing at the freed skbs.\nThe queue itself stays in the rhashtable.\n\nfqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups,\nbut it cannot stop a fragment that already obtained the queue through\ninet_frag_find() earlier and stalled just before taking the queue lock.\nOnce that fragment resumes after the flush and takes the queue lock,\nit passes the INET_FRAG_COMPLETE check and then dereferences the freed\nfragments_tail. inet_frag_queue_insert() reads FRAG_CB() and -\u003elen of\nthat pointer and, on the append path, writes -\u003enext_frag, causing a\nslab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly\nshare the same flush path and are affected as well.\n\nReset rb_fragments, fragments_tail and last_run_head in\ninet_frag_queue_flush() so a flushed queue no longer points at the\nfreed skbs. A fragment that resumes after the flush and takes the\nqueue lock then finds an empty queue and starts a new run instead of\ndereferencing the freed fragments_tail. ip_frag_reinit() already\nperformed this reset after its own flush, so drop the now duplicate\ncode there.",
"id": "GHSA-j4jv-fp59-574f",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-25T09:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53175"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53175"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492840"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/010c3313a4d178dc2d3ce958d2e5cb055e2864c1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e823ca0e7391630784ae7dd0981b7ad170a93d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32594b09854970d7ba83eb2dc8c69a2edd158c8e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89b909e9704587bfecc1aab1d37e98faee03b9f9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c22599cc90e1cd5f8129c8670bd68a02ff7177b4"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53175.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4MJ-QQM4-JQF7
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
{
"affected": [],
"aliases": [
"CVE-2021-29985"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-17T20:15:00Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird \u003c 78.13, Thunderbird \u003c 91, Firefox ESR \u003c 78.13, and Firefox \u003c 91.",
"id": "GHSA-j4mj-qqm4-jqf7",
"modified": "2022-05-24T19:11:21Z",
"published": "2022-05-24T19:11:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29985"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1722083"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202202-03"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-35"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4P7-JWXH-8774
Vulnerability from github – Published: 2022-05-14 01:17 – Updated: 2022-05-14 01:17VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.
{
"affected": [],
"aliases": [
"CVE-2018-11529"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-11T16:29:00Z",
"severity": "HIGH"
},
"details": "VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.",
"id": "GHSA-j4p7-jwxh-8774",
"modified": "2022-05-14T01:17:54Z",
"published": "2022-05-14T01:17:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11529"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4251"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45626"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jul/28"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041311"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4QQ-FQ33-G7HW
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30086"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:15:56Z",
"severity": "HIGH"
},
"details": "Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability",
"id": "GHSA-j4qq-fq33-g7hw",
"modified": "2024-06-11T18:30:49Z",
"published": "2024-06-11T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30086"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4R5-9QQM-P694
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-02-13 18:31A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.
Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.
We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.
{
"affected": [],
"aliases": [
"CVE-2023-2236"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-01T13:15:44Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.\n\nBoth\u00a0io_install_fixed_file\u00a0and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.\n\nWe recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.",
"id": "GHSA-j4r5-9qqm-p694",
"modified": "2025-02-13T18:31:34Z",
"published": "2023-07-06T19:24:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2236"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9d94c04c0db024922e886c9fd429659f22f48ea4"
},
{
"type": "WEB",
"url": "https://kernel.dance/9d94c04c0db024922e886c9fd429659f22f48ea4"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230601-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J4RF-7357-F4CG
Vulnerability from github – Published: 2023-04-25 19:48 – Updated: 2023-07-07 23:16Impact
There is an ext4 use-after-free flaw described in CVE-2022-1184 that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation.
Background
Historically there have been many CVEs published for extfs and a smaller number for squashfs, including serious use-after-free and buffer overrun vulnerabilities, that are scored as "Moderate" or "Low" impact only because unprivileged users were assumed to not have write access to the raw data. Because of those ratings, vendors treat such CVEs as low urgency and either delay a patch until their next major release or never patch older but still supported operating systems at all. Many Linux distributions automatically mount user-writable USB-drive volumes, but those are considered low risk because they require physical access to the machine. However, since setuid-root installations of Apptainer by default allow all users to mount any extfs (specifically, ext3, which is implemented by the ext4 driver) and squashfs filesystem using kernel drivers even though the users have write access to the raw data, the setuid-root installations raise the severity of such unpatched CVEs.
CVE-2022-1184 is currently such an unpatched CVE, at least on the above listed operating systems. The descriptions from the operating system vendors about the CVE (referenced below) are incomplete, saying only that it allows a local attacker with user privilege to cause a denial of service. Normally users would not be able to cause it because they cannot modify the filesystem image, and normally vulnerabilities that involve kernel memory corruption by unprivileged users are considered high severity even when there is not yet a known privilege escalation because someone with sufficient kernel knowledge can usually turn such a corruption into a privilege escalation.
Red Hat did not list RHEL7 as vulnerable, but they also did not list it as unaffected, and testing confirmed that a filesystem image could be corrupted to get past the check inserted into the filesystem driver to fix the vulnerability (patches linked below).
All published squashfs CVEs have been patched in currently supported major operating systems.
Patches
Apptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid "rootless" mode using fuse2fs.
Workarounds
These workarounds are possible:
1. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7) or set allow setuid = no in apptainer.conf. This requires having unprivileged user namespaces enabled and except for apptainer 1.1.x versions will disallow mounting of sif files, extfs files, and squashfs files in addition to other, less significant impacts. (Encrypted sif files are also not supported unprivileged in apptainer 1.1.x.)
2. Alternatively, use the limit containers options in apptainer.conf/singularity.conf to limit sif files to trusted users, groups, and/or paths. (The option allow container extfs = no disallows mounting extfs overlay files but does not disallow mounting of extfs overlay partitions inside SIF files, so it does not help work around the problem.)
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1184 https://access.redhat.com/security/cve/cve-2022-1184 https://security-tracker.debian.org/tracker/CVE-2022-1184 https://ubuntu.com/security/CVE-2022-1184 Kernel patches for CVE-2022-1184: https://github.com/torvalds/linux/commit/65f8ea4cd57dbd46ea13b41dc8bac03176b04233 https://github.com/torvalds/linux/commit/61a1d87a324ad5e3ed27c6699dfc93218fcf3201
Addendum 30 May 2023
New information has become available: many ext4 filesytem vulnerabilities similar to the one in CVE-2022-1184 continue to be found, and most of them do not ever have a CVE assigned. The way to locate them is to search for "syzbot" in linux kernel commit messages under fs/ext4. "syzbot" is a public automated system for finding kernel bugs. Especially when syzbot reports are labeled "KASAN" (Kernel Address Sanitizer) and especially if they involve memory corruption including "use after free", "out of bounds", or "user-memory-access", they are vulnerabilities that can potentially be turned into privilege escalation when an unprivileged user has write access to the underlying data.
In particular there are two such commits from this month, May 2023, referenced below. They both have commit messages describing a situation of write access to the underlying data while the kernel has that data mounted as a filesystem. These commits have been backported to currently maintained kernel lines in versions 4.19.293 and 5.4.243, but since they are considered moderate severity, most common OS distributions do not include them immediately. For example since RHEL9.2 was recently announced, they are not likely to be available in RHEL9 until 9.3 is released in about another 6 months. Therefore if system administrators want to be protected against these vulnerabilities while still allowing ext4 filesystem mounts through setuid-root apptainer, they should watch for these types of commits and whenever such commits are released the administrators should update to the latest currently maintained kernel version (bypassing their OS vendor's distribution) and reboot.
https://github.com/torvalds/linux/commit/2220eaf90992c11d888fe771055d4de3303 https://github.com/torvalds/linux/commit/4f04351888a83e595571de672e0a4a8b74f https://lwn.net/Articles/932137/ https://lwn.net/Articles/932136/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apptainer/apptainer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-30549"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-25T19:48:35Z",
"nvd_published_at": "2023-04-25T21:15:10Z",
"severity": "HIGH"
},
"details": "### Impact\nThere is an ext4 use-after-free flaw described in CVE-2022-1184 that is exploitable through versions of Apptainer \u003c 1.1.0 and installations that include apptainer-suid \u003c 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation.\n\n### Background\nHistorically there have been many CVEs published for extfs and a smaller number for squashfs, including serious use-after-free and buffer overrun vulnerabilities, that are scored as \"Moderate\" or \"Low\" impact only because unprivileged users were assumed to not have write access to the raw data. Because of those ratings, vendors treat such CVEs as low urgency and either delay a patch until their next major release or never patch older but still supported operating systems at all. Many Linux distributions automatically mount user-writable USB-drive volumes, but those are considered low risk because they require physical access to the machine. However, since setuid-root installations of Apptainer by default allow all users to mount any extfs (specifically, ext3, which is implemented by the ext4 driver) and squashfs filesystem using kernel drivers even though the users have write access to the raw data, the setuid-root installations raise the severity of such unpatched CVEs. \n\nCVE-2022-1184 is currently such an unpatched CVE, at least on the above listed operating systems. The descriptions from the operating system vendors about the CVE (referenced below) are incomplete, saying only that it allows a local attacker with user privilege to cause a denial of service. Normally users would not be able to cause it because they cannot modify the filesystem image, and normally vulnerabilities that involve kernel memory corruption by unprivileged users are considered high severity even when there is not yet a known privilege escalation because someone with sufficient kernel knowledge can usually turn such a corruption into a privilege escalation. \n\nRed Hat did not list RHEL7 as vulnerable, but they also did not list it as unaffected, and testing confirmed that a filesystem image could be corrupted to get past the check inserted into the filesystem driver to fix the vulnerability (patches linked below).\n\nAll published squashfs CVEs have been patched in currently supported major operating systems.\n\n### Patches\nApptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid \"rootless\" mode using fuse2fs.\n\n### Workarounds\nThese workarounds are possible:\n1. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid = no` in apptainer.conf. This requires having unprivileged user namespaces enabled and except for apptainer 1.1.x versions will disallow mounting of sif files, extfs files, and squashfs files in addition to other, less significant impacts. (Encrypted sif files are also not supported unprivileged in apptainer 1.1.x.)\n2. Alternatively, use the `limit containers` options in apptainer.conf/singularity.conf to limit sif files to trusted users, groups, and/or paths. (The option `allow container extfs = no` disallows mounting extfs overlay files but does not disallow mounting of extfs overlay partitions inside SIF files, so it does not help work around the problem.)\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1184\nhttps://access.redhat.com/security/cve/cve-2022-1184\nhttps://security-tracker.debian.org/tracker/CVE-2022-1184\nhttps://ubuntu.com/security/CVE-2022-1184\nKernel patches for CVE-2022-1184:\nhttps://github.com/torvalds/linux/commit/65f8ea4cd57dbd46ea13b41dc8bac03176b04233\nhttps://github.com/torvalds/linux/commit/61a1d87a324ad5e3ed27c6699dfc93218fcf3201\n\n------\n\n## Addendum 30 May 2023\n\nNew information has become available: many ext4 filesytem vulnerabilities similar to the one in CVE-2022-1184 continue to be found, and most of them do not ever have a CVE assigned. The way to locate them is to search for \"syzbot\" in linux kernel commit messages under fs/ext4. \"syzbot\" is a public automated system for finding kernel bugs. Especially when syzbot reports are labeled \"KASAN\" (Kernel Address Sanitizer) and especially if they involve memory corruption including \"use after free\", \"out of bounds\", or \"user-memory-access\", they are vulnerabilities that can potentially be turned into privilege escalation when an unprivileged user has write access to the underlying data.\n\nIn particular there are two such commits from this month, May 2023, referenced below. They both have commit messages describing a situation of write access to the underlying data while the kernel has that data mounted as a filesystem. These commits have been backported to currently maintained kernel lines in versions 4.19.293 and 5.4.243, but since they are considered moderate severity, most common OS distributions do not include them immediately. For example since RHEL9.2 was recently announced, they are not likely to be available in RHEL9 until 9.3 is released in about another 6 months. Therefore if system administrators want to be protected against these vulnerabilities while still allowing ext4 filesystem mounts through setuid-root apptainer, they should watch for these types of commits and whenever such commits are released the administrators should update to the latest currently maintained kernel version (bypassing their OS vendor\u0027s distribution) and reboot.\n\nhttps://github.com/torvalds/linux/commit/2220eaf90992c11d888fe771055d4de3303\nhttps://github.com/torvalds/linux/commit/4f04351888a83e595571de672e0a4a8b74f\nhttps://lwn.net/Articles/932137/\nhttps://lwn.net/Articles/932136/",
"id": "GHSA-j4rf-7357-f4cg",
"modified": "2023-07-07T23:16:31Z",
"published": "2023-04-25T19:48:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1184"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30549"
},
{
"type": "WEB",
"url": "https://github.com/apptainer/apptainer/commit/5a4964f5ba9c8d89a0e353b97f51fd607670a9f7"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/2220eaf90992c11d888fe771055d4de3303"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/4f04351888a83e595571de672e0a4a8b74f"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/61a1d87a324ad5e3ed27c6699dfc93218fcf3201"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/65f8ea4cd57dbd46ea13b41dc8bac03176b04233"
},
{
"type": "WEB",
"url": "https://www.suse.com/security/cve/CVE-2022-1184.html"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2022-1184"
},
{
"type": "WEB",
"url": "https://sylabs.io/2023/04/response-to-cve-2023-30549"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-13"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2022-1184"
},
{
"type": "WEB",
"url": "https://lwn.net/Articles/932137"
},
{
"type": "WEB",
"url": "https://lwn.net/Articles/932136"
},
{
"type": "WEB",
"url": "https://github.com/apptainer/apptainer/releases/tag/v1.1.8"
},
{
"type": "PACKAGE",
"url": "https://github.com/apptainer/apptainer"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2022-1184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer"
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.