Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-JH47-C26G-FR5Q

Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create

There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T02:16:30Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-use-after-free in ksmbd_smb2_session_create\n\nThere is a race condition between ksmbd_smb2_session_create and\nksmbd_expire_session. This patch add missing sessions_table_lock\nwhile adding/deleting session from global session table.",
  "id": "GHSA-jh47-c26g-fr5q",
  "modified": "2025-11-04T00:32:03Z",
  "published": "2024-11-19T03:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50286"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a77715db22611df50b178374c51e2ba0d58866e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7a2ad2044377853cf8c59528dac808a08a99c72"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e923503a56b3385b64ae492e3225e4623f560c5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f56446ba5378d19e31040b548a14ee9a8f1500ea"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH9G-J7QF-9CM4

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Microsoft Windows allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50476"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:53Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Microsoft Windows allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-jh9g-j7qf-9cm4",
  "modified": "2026-07-14T18:32:26Z",
  "published": "2026-07-14T18:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50476"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50476"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH9M-9MR6-3GHC

Vulnerability from github – Published: 2026-02-13 15:30 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; / skip active, process inactive /

With the buggy catchall version:

nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; / skip inactive, process active /

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-13T14:16:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter-\u003egenmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
  "id": "GHSA-jh9m-9mr6-3ghc",
  "modified": "2026-07-14T15:31:39Z",
  "published": "2026-02-13T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23111"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23111.json"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439687"
    },
    {
      "type": "WEB",
      "url": "https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-23111"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:9112"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6570"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18134"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10996"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:10108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH9W-W754-X3HR

Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-10-01 00:00
VLAI
Details

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-29T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.",
  "id": "GHSA-jh9w-w754-x3hr",
  "modified": "2022-10-01T00:00:19Z",
  "published": "2022-09-30T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38222"
    },
    {
      "type": "WEB",
      "url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHG9-GWWM-6QW2

Vulnerability from github – Published: 2024-09-11 15:31 – Updated: 2024-09-12 15:33
VLAI
Details

Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T14:15:14Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-jhg9-gwwm-6qw2",
  "modified": "2024-09-12T15:33:00Z",
  "published": "2024-09-11T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8639"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_10.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/362658609"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHHC-7J6X-MV69

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08
VLAI
Details

This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate actions. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8759.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate actions. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8759.",
  "id": "GHSA-jhhc-7j6x-mv69",
  "modified": "2024-04-04T02:08:38Z",
  "published": "2022-05-24T16:57:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13317"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-634"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHJ6-5P6X-HW75

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

atm: lec: fix use-after-free in sock_def_readable()

A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue.

The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown.

Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as __rcu in lec.h - Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment - Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach() - Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd - Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock. - Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns.

v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().

Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:51Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix use-after-free in sock_def_readable()\n\nA race condition exists between lec_atm_close() setting priv-\u003elecd\nto NULL and concurrent access to priv-\u003elecd in send_to_lecd(),\nlec_handle_bridge(), and lec_atm_send(). When the socket is freed\nvia RCU while another thread is still using it, a use-after-free\noccurs in sock_def_readable() when accessing the socket\u0027s wait queue.\n\nThe root cause is that lec_atm_close() clears priv-\u003elecd without\nany synchronization, while callers dereference priv-\u003elecd without\nany protection against concurrent teardown.\n\nFix this by converting priv-\u003elecd to an RCU-protected pointer:\n- Mark priv-\u003elecd as __rcu in lec.h\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\n  for safe pointer assignment\n- Use rcu_access_pointer() for NULL checks that do not dereference\n  the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\n  lecd_attach()\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\n  lec_handle_bridge() and lec_atm_send() to safely access lecd\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\n  lec_atm_close() to ensure all readers have completed before\n  proceeding. This is safe since lec_atm_close() is called from\n  vcc_release() which holds lock_sock(), a sleeping lock.\n- Remove the manual sk_receive_queue drain from lec_atm_close()\n  since vcc_destroy_socket() already drains it after lec_atm_close()\n  returns.\n\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\n    fix the race. The v1 spinlock approach had two issues pointed out\n    by Eric Dumazet:\n    1. priv-\u003elecd was still accessed directly after releasing the\n       lock instead of using a local copy.\n    2. The spinlock did not prevent packets being queued after\n       lec_atm_close() drains sk_receive_queue since timer and\n       workqueue paths bypass netif_stop_queue().\n\nNote: Syzbot patch testing was attempted but the test VM terminated\n    unexpectedly with \"Connection to localhost closed by remote host\",\n    likely due to a QEMU AHCI emulation issue unrelated to this fix.\n    Compile testing with \"make W=1 net/atm/lec.o\" passes cleanly.",
  "id": "GHSA-jhj6-5p6x-hw75",
  "modified": "2026-05-07T18:30:34Z",
  "published": "2026-05-01T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43050"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHM7-8QM3-8X49

Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30
VLAI
Details

Microsoft Management Console Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T17:15:31Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Management Console Remote Code Execution Vulnerability",
  "id": "GHSA-jhm7-8qm3-8x49",
  "modified": "2024-09-10T18:30:46Z",
  "published": "2024-09-10T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38259"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38259"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHM9-RFGJ-FX79

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the value attribute of Field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4980.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-20T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the value attribute of Field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4980.",
  "id": "GHSA-jhm9-rfgj-fx79",
  "modified": "2022-05-13T01:38:18Z",
  "published": "2022-05-13T01:38:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10958"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-860"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JHMJ-WHJ3-74PR

Vulnerability from github – Published: 2022-12-15 21:30 – Updated: 2022-12-20 03:30
VLAI
Details

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.",
  "id": "GHSA-jhmj-whj3-74pr",
  "modified": "2022-12-20T03:30:28Z",
  "published": "2022-12-15T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42867"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-32"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213530"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213532"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213535"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213536"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213537"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/20"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/23"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/26"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/27"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/28"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/12/26/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.