CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-JH47-C26G-FR5Q
Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch add missing sessions_table_lock while adding/deleting session from global session table.
{
"affected": [],
"aliases": [
"CVE-2024-50286"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T02:16:30Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-use-after-free in ksmbd_smb2_session_create\n\nThere is a race condition between ksmbd_smb2_session_create and\nksmbd_expire_session. This patch add missing sessions_table_lock\nwhile adding/deleting session from global session table.",
"id": "GHSA-jh47-c26g-fr5q",
"modified": "2025-11-04T00:32:03Z",
"published": "2024-11-19T03:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50286"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0a77715db22611df50b178374c51e2ba0d58866e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7a2ad2044377853cf8c59528dac808a08a99c72"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e923503a56b3385b64ae492e3225e4623f560c5b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f56446ba5378d19e31040b548a14ee9a8f1500ea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH9G-J7QF-9CM4
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Microsoft Windows allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50476"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:53Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Windows allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-jh9g-j7qf-9cm4",
"modified": "2026-07-14T18:32:26Z",
"published": "2026-07-14T18:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50476"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50476"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH9M-9MR6-3GHC
Vulnerability from github – Published: 2026-02-13 15:30 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.
nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.
Compare the non-catchall activate callback, which is correct:
nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; / skip active, process inactive /
With the buggy catchall version:
nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; / skip inactive, process active /
The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.
This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.
Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
{
"affected": [],
"aliases": [
"CVE-2026-23111"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-13T14:16:10Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter-\u003egenmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
"id": "GHSA-jh9m-9mr6-3ghc",
"modified": "2026-07-14T15:31:39Z",
"published": "2026-02-13T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23111"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23111.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f41c5d151078c5348271ffaf8e7410d96f2d82f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9b6573421de51829f7ec1cce76d85f5f6fbbd7f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c760ba4e36c750379d13569f23f5a6e185333f5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b68a45f9722f2babe9e7bad00aa74638addf081"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/42c574c1504aa089a0a142e4c13859327570473d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1444ff890b4653add12f734ffeffc173d42862dd"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439687"
},
{
"type": "WEB",
"url": "https://blog.exodusintel.com/2026/06/08/off-by-exploiting-a-use-after-free-in-the-linux-kernel"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-23111"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9112"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6570"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18134"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10996"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH9W-W754-X3HR
Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-10-01 00:00There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2022-38222"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-29T03:15:00Z",
"severity": "HIGH"
},
"details": "There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.",
"id": "GHSA-jh9w-w754-x3hr",
"modified": "2022-10-01T00:00:19Z",
"published": "2022-09-30T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38222"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42320"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHG9-GWWM-6QW2
Vulnerability from github – Published: 2024-09-11 15:31 – Updated: 2024-09-12 15:33Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-8639"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T14:15:14Z",
"severity": "HIGH"
},
"details": "Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-jhg9-gwwm-6qw2",
"modified": "2024-09-12T15:33:00Z",
"published": "2024-09-11T15:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8639"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_10.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/362658609"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHHC-7J6X-MV69
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate actions. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8759.
{
"affected": [],
"aliases": [
"CVE-2019-13317"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-04T18:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote atackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Calculate actions. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-8759.",
"id": "GHSA-jhhc-7j6x-mv69",
"modified": "2024-04-04T02:08:38Z",
"published": "2022-05-24T16:57:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13317"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHJ6-5P6X-HW75
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-07 18:30In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sock_def_readable()
A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue.
The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer: - Mark priv->lecd as __rcu in lec.h - Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment - Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach() - Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd - Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock. - Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns.
v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet: 1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy. 2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
{
"affected": [],
"aliases": [
"CVE-2026-43050"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:51Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: lec: fix use-after-free in sock_def_readable()\n\nA race condition exists between lec_atm_close() setting priv-\u003elecd\nto NULL and concurrent access to priv-\u003elecd in send_to_lecd(),\nlec_handle_bridge(), and lec_atm_send(). When the socket is freed\nvia RCU while another thread is still using it, a use-after-free\noccurs in sock_def_readable() when accessing the socket\u0027s wait queue.\n\nThe root cause is that lec_atm_close() clears priv-\u003elecd without\nany synchronization, while callers dereference priv-\u003elecd without\nany protection against concurrent teardown.\n\nFix this by converting priv-\u003elecd to an RCU-protected pointer:\n- Mark priv-\u003elecd as __rcu in lec.h\n- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach()\n for safe pointer assignment\n- Use rcu_access_pointer() for NULL checks that do not dereference\n the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and\n lecd_attach()\n- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(),\n lec_handle_bridge() and lec_atm_send() to safely access lecd\n- Use rcu_assign_pointer() followed by synchronize_rcu() in\n lec_atm_close() to ensure all readers have completed before\n proceeding. This is safe since lec_atm_close() is called from\n vcc_release() which holds lock_sock(), a sleeping lock.\n- Remove the manual sk_receive_queue drain from lec_atm_close()\n since vcc_destroy_socket() already drains it after lec_atm_close()\n returns.\n\nv2: Switch from spinlock + sock_hold/put approach to RCU to properly\n fix the race. The v1 spinlock approach had two issues pointed out\n by Eric Dumazet:\n 1. priv-\u003elecd was still accessed directly after releasing the\n lock instead of using a local copy.\n 2. The spinlock did not prevent packets being queued after\n lec_atm_close() drains sk_receive_queue since timer and\n workqueue paths bypass netif_stop_queue().\n\nNote: Syzbot patch testing was attempted but the test VM terminated\n unexpectedly with \"Connection to localhost closed by remote host\",\n likely due to a QEMU AHCI emulation issue unrelated to this fix.\n Compile testing with \"make W=1 net/atm/lec.o\" passes cleanly.",
"id": "GHSA-jhj6-5p6x-hw75",
"modified": "2026-05-07T18:30:34Z",
"published": "2026-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43050"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/317843d5355062020649124eb4a0d7acbcc3f53e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3989740fa4978e1d2d51ecc62be1b01093e104ad"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e8b25f32f2f35549d03d77da030a24a45bdef5b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5fbbb1ff936d7ff9528d929c1549977e8123d8a8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/750a33f417f3d196b86375f8d9f8938bacf130fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/922814879542c2e397b0e9641fd36b8202a8e555"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/abc10f85a3965ac14b9ed7ad3e67b35604a63aa3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b256d055da47258e63f8b40965f276c5f23d229a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHM7-8QM3-8X49
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30Microsoft Management Console Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38259"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T17:15:31Z",
"severity": "HIGH"
},
"details": "Microsoft Management Console Remote Code Execution Vulnerability",
"id": "GHSA-jhm7-8qm3-8x49",
"modified": "2024-09-10T18:30:46Z",
"published": "2024-09-10T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38259"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHM9-RFGJ-FX79
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the value attribute of Field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4980.
{
"affected": [],
"aliases": [
"CVE-2017-10958"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-20T14:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the value attribute of Field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4980.",
"id": "GHSA-jhm9-rfgj-fx79",
"modified": "2022-05-13T01:38:18Z",
"published": "2022-05-13T01:38:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10958"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHMJ-WHJ3-74PR
Vulnerability from github – Published: 2022-12-15 21:30 – Updated: 2022-12-20 03:30A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2022-42867"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-15T19:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.",
"id": "GHSA-jhmj-whj3-74pr",
"modified": "2022-12-20T03:30:28Z",
"published": "2022-12-15T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42867"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-32"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213530"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213532"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213535"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213536"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213537"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/20"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/23"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/26"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/27"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/28"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/12/26/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.