Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-JJP3-MQ3X-295M

Vulnerability from github – Published: 2026-04-03 02:39 – Updated: 2026-04-06 23:10
VLAI
Summary
Electron: Use-after-free in PowerMonitor on Windows and macOS
Details

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "38.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0-alpha.1"
            },
            {
              "fixed": "39.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "40.0.0-alpha.1"
            },
            {
              "fixed": "40.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "41.0.0-alpha.1"
            },
            {
              "fixed": "41.0.0-beta.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T02:39:52Z",
    "nvd_published_at": "2026-04-04T00:16:17Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nApps that use the `powerMonitor` module may be vulnerable to a use-after-free. After the native `PowerMonitor` object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.\n\nAll apps that access `powerMonitor` events (`suspend`, `resume`, `lock-screen`, etc.) are potentially affected. The issue is not directly renderer-controllable.\n\n### Workarounds\nThere are no app side workarounds, you must update to a patched version of Electron.\n\n### Fixed Versions\n* `41.0.0-beta.8`\n* `40.8.0`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)",
  "id": "GHSA-jjp3-mq3x-295m",
  "modified": "2026-04-06T23:10:41Z",
  "published": "2026-04-03T02:39:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-jjp3-mq3x-295m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34770"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electron: Use-after-free in PowerMonitor on Windows and macOS"
}

GHSA-JJQR-RXFX-R766

Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-26 00:01
VLAI
Details

In various functions of C2DmaBufAllocator.cpp, there is a possible memory corruption due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-213850092

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In various functions of C2DmaBufAllocator.cpp, there is a possible memory corruption due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-213850092",
  "id": "GHSA-jjqr-rxfx-r766",
  "modified": "2022-07-26T00:01:10Z",
  "published": "2022-07-14T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20228"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJWJ-47J7-VGX9

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31
VLAI
Details

Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T00:17:08Z",
    "severity": "HIGH"
  },
  "details": "Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)",
  "id": "GHSA-jjwj-47j7-vgx9",
  "modified": "2026-06-05T03:31:34Z",
  "published": "2026-06-05T00:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11307"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/504551617"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM22-PFQV-J62P

Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-12 00:00
VLAI
Details

Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-jm22-pfqv-j62p",
  "modified": "2022-05-12T00:00:55Z",
  "published": "2022-05-12T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28256"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM2C-WMW4-M4MR

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

After Effects versions 25.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T18:16:30Z",
    "severity": "HIGH"
  },
  "details": "After Effects versions 25.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-jm2c-wmw4-m4mr",
  "modified": "2026-02-10T18:30:42Z",
  "published": "2026-02-10T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21326"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/after_effects/apsb26-15.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM36-C9R2-G7RQ

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-12T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.",
  "id": "GHSA-jm36-c9r2-g7rq",
  "modified": "2022-05-24T19:02:25Z",
  "published": "2022-05-24T19:02:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23134"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZYORWNQIHNWRFYRDXBWYWBYM46PDZEN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QALNQT4LJFVSSA3MWCIECVY4AFPP4X77"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210625-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/05/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JM67-CPRV-V6WX

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-03-05 21:32
VLAI
Details

A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-08T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use-after-free flaw was found in the Linux kernel\u2019s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
  "id": "GHSA-jm67-cprv-v6wx",
  "modified": "2025-03-05T21:32:01Z",
  "published": "2023-07-06T19:24:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2157270"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230413-0010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM8Q-RHCF-W4HG

Vulnerability from github – Published: 2022-05-14 01:53 – Updated: 2022-05-14 01:53
VLAI
Details

A UrlfWTPPagePtr KERedirect Use-After-Free Privilege Escalation vulnerability in Trend Micro Antivirus for Mac (Consumer) 7.0 (2017) and above could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "A UrlfWTPPagePtr KERedirect Use-After-Free Privilege Escalation vulnerability in Trend Micro Antivirus for Mac (Consumer) 7.0 (2017) and above could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
  "id": "GHSA-jm8q-rhcf-w4hg",
  "modified": "2022-05-14T01:53:43Z",
  "published": "2022-05-14T01:53:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15366"
    },
    {
      "type": "WEB",
      "url": "https://esupport.trendmicro.com/en-US/home/pages/technical-support/1121296.aspx"
    },
    {
      "type": "WEB",
      "url": "https://esupport.trendmicro.com/solution/ja-jp/1121350.aspx"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1293"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105757"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMF6-3V74-7X28

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: timer: Fix UAF at snd_timer_user_params()

At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Fix UAF at snd_timer_user_params()\n\nAt releasing a timer object, e.g. when a userspace timer\n(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it\ntries to detach the timer instances and release the resources.\nHowever, it\u0027s still possible that other in-flight tasks are holding\nthe timer instance where the to-be-deleted timer object is associated,\nand this may lead to racy accesses.\n\nFortunately, most of ioctls dealing with the timer instance list\nalready have the protection with register_mutex, and this also avoids\nsuch races.  But, SNDRV_TIMER_IOCTL_PARAMS isn\u0027t protected, hence the\nconcurrent ioctl may lead to use-after-free.\n\nThis patch just adds the guard with register_mutex to protect\nsnd_timer_user_params() for covering the code path as a quick\nworkaround.  It\u0027s no hot-path but rather a rarely issued ioctl, so the\nperformance penalty doesn\u0027t matter.",
  "id": "GHSA-jmf6-3v74-7x28",
  "modified": "2026-06-28T09:31:43Z",
  "published": "2026-06-25T09:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53192"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/053a401b592be424fea9d57c789f66cd5d8cec11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/117743d62e1225e208568a3ffc2c07214f1347cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/306427adf9b97e29e5958cb9cf3096c6151fc9ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38034d04d4a75bbca01df2b313ced0bcd0fa3242"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d39da65b5c422c5e5afb7d5651b0698d060a827"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92ad2d7f80cad43b046f093e808e11fe919d304a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2214914e461d0466548a52dfe4f4ee8ce362276"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e2331730175f74169046d2af8db1b47243df7c7a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMFP-WCF2-3H67

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31
VLAI
Details

Use after free in Accessibility in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:48Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Accessibility in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-jmfp-wcf2-3h67",
  "modified": "2026-05-29T18:31:23Z",
  "published": "2026-05-29T00:38:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9902"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/498205735"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.