CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-J5R5-JMR3-48C5
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 15:30A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.
Note: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6.
{
"affected": [],
"aliases": [
"CVE-2022-46880"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.\u003cbr /\u003e*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR \u003c 102.6, Firefox \u003c 105, and Thunderbird \u003c 102.6.",
"id": "GHSA-j5r5-jmr3-48c5",
"modified": "2025-04-15T15:30:38Z",
"published": "2022-12-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46880"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1749292"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-06"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-13"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-40"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-52"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5VH-VFG7-3V94
Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2026-05-12 15:30In the Linux kernel, the following vulnerability has been resolved:
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer.
In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop.
net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
{
"affected": [],
"aliases": [
"CVE-2024-53057"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T18:15:25Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT\n\nIn qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed\nto be either root or ingress. This assumption is bogus since it\u0027s valid\nto create egress qdiscs with major handle ffff:\nBudimir Markovic found that for qdiscs like DRR that maintain an active\nclass list, it will cause a UAF with a dangling class pointer.\n\nIn 066a3b5b2346, the concern was to avoid iterating over the ingress\nqdisc since its parent is itself. The proper fix is to stop when parent\nTC_H_ROOT is reached because the only way to retrieve ingress is when a\nhierarchy which does not contain a ffff: major handle call into\nqdisc_lookup with TC_H_MAJ(TC_H_ROOT).\n\nIn the scenario where major ffff: is an egress qdisc in any of the tree\nlevels, the updates will also propagate to TC_H_ROOT, which then the\niteration must stop.\n\n\n net/sched/sch_api.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)",
"id": "GHSA-j5vh-vfg7-3v94",
"modified": "2026-05-12T15:30:42Z",
"published": "2024-11-19T18:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53057"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05df1b1dff8f197f1c275b57ccb2ca33021df552"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e95c4384438adeaa772caa560244b1a2efef816"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/580b3189c1972aff0f993837567d36392e9d981b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/597cf9748c3477bf61bc35f0634129f56764ad24"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9995909615c3431a5304c1210face5f268d24dba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce691c814bc7a3c30c220ffb5b7422715458fd9b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbe778b08b5101df9e89bc06e0a3a7ecd2f4ef20"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7f9a6f97eb067599a74f3bcb6761976b0ed303e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5VV-GJ42-CWRM
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2025-12-11 18:30In the Linux kernel, the following vulnerability has been resolved:
scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
When executing SMP task failed, the smp_execute_task_sg() calls del_timer() to delete "slow_task->timer". However, if the timer handler sas_task_internal_timedout() is running, the del_timer() in smp_execute_task_sg() will not stop it and a UAF will happen. The process is shown below:
(thread 1) | (thread 2)
smp_execute_task_sg() | sas_task_internal_timedout() ... | del_timer() | ... | ... sas_free_task(task) | kfree(task->slow_task) //FREE| | task->slow_task->... //USE
Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure the timer handler have finished before the "task->slow_task" is deallocated.
{
"affected": [],
"aliases": [
"CVE-2022-50422"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:33Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libsas: Fix use-after-free bug in smp_execute_task_sg()\n\nWhen executing SMP task failed, the smp_execute_task_sg() calls del_timer()\nto delete \"slow_task-\u003etimer\". However, if the timer handler\nsas_task_internal_timedout() is running, the del_timer() in\nsmp_execute_task_sg() will not stop it and a UAF will happen. The process\nis shown below:\n\n (thread 1) | (thread 2)\nsmp_execute_task_sg() | sas_task_internal_timedout()\n ... |\n del_timer() |\n ... | ...\n sas_free_task(task) |\n kfree(task-\u003eslow_task) //FREE|\n | task-\u003eslow_task-\u003e... //USE\n\nFix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure\nthe timer handler have finished before the \"task-\u003eslow_task\" is\ndeallocated.",
"id": "GHSA-j5vv-gj42-cwrm",
"modified": "2025-12-11T18:30:36Z",
"published": "2025-10-01T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50422"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e12ce270f0d926085c1209cc90397e307deef97"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/46ba53c30666717cb06c2b3c5d896301cd00d0c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a9e5176ead6de64f572ad5c87a72825d9d3c82ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e45a1516d2933703a4823d9db71e17c3abeba24f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7a785177611ffc97d645fcbc196e6de6ad2421d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5XV-WJFV-F3GX
Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-10 19:01Use after free in Peer Connection in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2022-3450"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-09T19:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Peer Connection in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-j5xv-wjfv-f3gx",
"modified": "2022-11-10T19:01:05Z",
"published": "2022-11-10T12:01:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3450"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_11.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1369882"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J656-4P6J-H695
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in Audio in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-10933"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:55Z",
"severity": "HIGH"
},
"details": "Use after free in Audio in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-j656-4p6j-h695",
"modified": "2026-06-05T03:31:31Z",
"published": "2026-06-05T00:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10933"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/501557633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J665-W9JF-C86M
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Use after free in Printing in Google Chrome prior to 92.0.4515.159 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2021-30600"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-26T18:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Printing in Google Chrome prior to 92.0.4515.159 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-j665-w9jf-c86m",
"modified": "2022-05-24T19:12:16Z",
"published": "2022-05-24T19:12:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30600"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1231134"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J667-F3J6-GRR4
Vulnerability from github – Published: 2023-10-03 06:30 – Updated: 2024-04-04 08:03Memory corruption in Automotive Display while destroying the image handle created using connected display driver.
{
"affected": [],
"aliases": [
"CVE-2023-33039"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T06:15:27Z",
"severity": "HIGH"
},
"details": "Memory corruption in Automotive Display while destroying the image handle created using connected display driver.",
"id": "GHSA-j667-f3j6-grr4",
"modified": "2024-04-04T08:03:23Z",
"published": "2023-10-03T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33039"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J66F-JC3V-93VP
Vulnerability from github – Published: 2024-02-21 15:30 – Updated: 2024-03-15 15:30In the Linux kernel, the following vulnerability has been resolved:
net: tls: fix use-after-free with partial reads and async decrypt
tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb.
{
"affected": [],
"aliases": [
"CVE-2024-26582"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T15:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn\u0027t take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.",
"id": "GHSA-j66f-jc3v-93vp",
"modified": "2024-03-15T15:30:42Z",
"published": "2024-02-21T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J66M-F2PJ-CWR3
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24Use-after-free vulnerability in WebKit, as used in Apple iTunes before 10.2 on Windows, Apple Safari, and Google Chrome before 6.0.472.59, allows remote attackers to execute arbitrary code or cause a denial of service via vectors related to SVG styles, the DOM tree, and error messages.
{
"affected": [],
"aliases": [
"CVE-2010-1824"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-24T19:00:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in WebKit, as used in Apple iTunes before 10.2 on Windows, Apple Safari, and Google Chrome before 6.0.472.59, allows remote attackers to execute arbitrary code or cause a denial of service via vectors related to SVG styles, the DOM tree, and error messages.",
"id": "GHSA-j66m-f2pj-cwr3",
"modified": "2022-05-13T01:24:49Z",
"published": "2022-05-13T01:24:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1824"
},
{
"type": "WEB",
"url": "https://bugs.webkit.org/show_bug.cgi?id=43260"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7151"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=50712"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2011/Mar/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43068"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4554"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4566"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0212"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-11-095"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J69R-W7X9-CQH4
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-01-05 00:01A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. A malicious application may be able to execute arbitrary code with kernel privileges.
{
"affected": [],
"aliases": [
"CVE-2020-3886"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T20:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra. A malicious application may be able to execute arbitrary code with kernel privileges.",
"id": "GHSA-j69r-w7x9-cqh4",
"modified": "2022-01-05T00:01:45Z",
"published": "2021-12-24T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3886"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211100"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.