CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-JR6M-743Q-G8Q2
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the resetForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5416.
{
"affected": [],
"aliases": [
"CVE-2018-11618"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-31T20:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the resetForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5416.",
"id": "GHSA-jr6m-743q-g8q2",
"modified": "2022-05-13T01:34:49Z",
"published": "2022-05-13T01:34:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11618"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-18-695"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR6R-67V2-9H76
Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-12 00:00Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-24103"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T18:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-jr6r-67v2-9h76",
"modified": "2022-05-12T00:00:41Z",
"published": "2022-05-12T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24103"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR74-QGJG-JJPH
Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00Use after free in Ozone in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via running a Wayland test.
{
"affected": [],
"aliases": [
"CVE-2022-1487"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-26T22:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Ozone in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via running a Wayland test.",
"id": "GHSA-jr74-qgjg-jjph",
"modified": "2022-07-29T00:00:19Z",
"published": "2022-07-27T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1487"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1304368"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR85-6G96-46PC
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-0216"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.",
"id": "GHSA-jr85-6g96-46pc",
"modified": "2022-09-02T00:01:10Z",
"published": "2022-08-27T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0216"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0216"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2036953"
},
{
"type": "WEB",
"url": "https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4"
},
{
"type": "WEB",
"url": "https://gitlab.com/qemu-project/qemu/-/issues/972"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E"
},
{
"type": "WEB",
"url": "https://starlabs.sg/advisories/22/22-0216"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR9W-Q6F5-5C6C
Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2024-12-09 21:31In the Linux kernel, the following vulnerability has been resolved:
Input: powermate - fix use-after-free in powermate_config_complete
syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug.
Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection.
[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e
{
"affected": [],
"aliases": [
"CVE-2023-52475"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T06:15:45Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct. When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm-\u003econfig to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e",
"id": "GHSA-jr9w-q6f5-5c6c",
"modified": "2024-12-09T21:31:00Z",
"published": "2024-02-29T06:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52475"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRCC-3VP8-HGHG
Vulnerability from github – Published: 2022-05-14 00:55 – Updated: 2022-05-14 00:55A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.
{
"affected": [],
"aliases": [
"CVE-2018-14625"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-10T13:29:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.",
"id": "GHSA-jrcc-3vp8-hghg",
"modified": "2022-05-14T00:55:02Z",
"published": "2022-05-14T00:55:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2029"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2043"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4154"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2018-14625"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1619846"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14625"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html"
},
{
"type": "WEB",
"url": "https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-3"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-4"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3871-5"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3872-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3878-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3878-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRFC-F73C-QMRR
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:03In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.
{
"affected": [],
"aliases": [
"CVE-2021-3738"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-02T23:15:00Z",
"severity": "HIGH"
},
"details": "In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called \u0027association groups\u0027. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid \u0027struct session_info\u0027. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.",
"id": "GHSA-jrfc-f73c-qmrr",
"modified": "2022-03-17T00:03:59Z",
"published": "2022-03-04T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3738"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2021726"
},
{
"type": "WEB",
"url": "https://bugzilla.samba.org/show_bug.cgi?id=14468"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2021-3738.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRFM-2H82-XG28
Vulnerability from github – Published: 2023-07-06 21:30 – Updated: 2024-05-03 10:26Withdrawn Advisory
This advisory has been withdrawn because it has been found to not be an issue. Please see the issue here for more information.
## Original Description
A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scipy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29824"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T18:55:58Z",
"nvd_published_at": "2023-07-06T21:15:09Z",
"severity": "CRITICAL"
},
"details": "## Withdrawn Advisory\n\nThis advisory has been withdrawn because it has been found to not be an issue. Please see the issue [here](https://github.com/scipy/scipy/issues/14713#issuecomment-1629468565) for more information.\n\n ## Original Description\n\nA use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0.",
"id": "GHSA-jrfm-2h82-xg28",
"modified": "2024-05-03T10:26:19Z",
"published": "2023-07-06T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29824"
},
{
"type": "WEB",
"url": "https://github.com/scipy/scipy/issues/14713"
},
{
"type": "WEB",
"url": "https://github.com/scipy/scipy/issues/14713#issuecomment-1629468565"
},
{
"type": "WEB",
"url": "https://github.com/scipy/scipy/pull/15013"
},
{
"type": "WEB",
"url": "https://github.com/scipy/scipy/commit/e32fc2329d3dd23298725153c5b2cc7fcd0f14f1"
},
{
"type": "WEB",
"url": "http://www.square16.org/achievement/cve-2023-29824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn: Use after free in SciPy",
"withdrawn": "2024-05-03T10:26:19Z"
}
GHSA-JRGJ-HH7M-7W4F
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-49699"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:56Z",
"severity": "HIGH"
},
"details": "Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.",
"id": "GHSA-jrgj-hh7m-7w4f",
"modified": "2025-07-08T18:31:48Z",
"published": "2025-07-08T18:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49699"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49699"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRGX-W3XF-MQ5R
Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-03 18:30Memory corruption may occour occur when stopping the WLAN interface after processing a WMI command from the interface.
{
"affected": [],
"aliases": [
"CVE-2024-45571"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T17:15:19Z",
"severity": "HIGH"
},
"details": "Memory corruption may occour occur when stopping the WLAN interface after processing a WMI command from the interface.",
"id": "GHSA-jrgx-w3xf-mq5r",
"modified": "2025-02-03T18:30:42Z",
"published": "2025-02-03T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45571"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.