Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-JR6M-743Q-G8Q2

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the resetForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5416.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the resetForm method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5416.",
  "id": "GHSA-jr6m-743q-g8q2",
  "modified": "2022-05-13T01:34:49Z",
  "published": "2022-05-13T01:34:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11618"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-695"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR6R-67V2-9H76

Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-12 00:00
VLAI
Details

Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-11T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-jr6r-67v2-9h76",
  "modified": "2022-05-12T00:00:41Z",
  "published": "2022-05-12T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24103"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR74-QGJG-JJPH

Vulnerability from github – Published: 2022-07-27 00:00 – Updated: 2022-07-29 00:00
VLAI
Details

Use after free in Ozone in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via running a Wayland test.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-26T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Ozone in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via running a Wayland test.",
  "id": "GHSA-jr74-qgjg-jjph",
  "modified": "2022-07-29T00:00:19Z",
  "published": "2022-07-27T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1487"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1304368"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR85-6G96-46PC

Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01
VLAI
Details

A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-26T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.",
  "id": "GHSA-jr85-6g96-46pc",
  "modified": "2022-09-02T00:01:10Z",
  "published": "2022-08-27T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0216"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-0216"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2036953"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/qemu-project/qemu/-/issues/972"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E"
    },
    {
      "type": "WEB",
      "url": "https://starlabs.sg/advisories/22/22-0216"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR9W-Q6F5-5C6C

Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2024-12-09 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Input: powermate - fix use-after-free in powermate_config_complete

syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug.

Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection.

[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T06:15:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: powermate - fix use-after-free in powermate_config_complete\n\nsyzbot has found a use-after-free bug [1] in the powermate driver. This\nhappens when the device is disconnected, which leads to a memory free from\nthe powermate_device struct.  When an asynchronous control message\ncompletes after the kfree and its callback is invoked, the lock does not\nexist anymore and hence the bug.\n\nUse usb_kill_urb() on pm-\u003econfig to cancel any in-progress requests upon\ndevice disconnection.\n\n[1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e",
  "id": "GHSA-jr9w-q6f5-5c6c",
  "modified": "2024-12-09T21:31:00Z",
  "published": "2024-02-29T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52475"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2efe67c581a2a6122b328d4bb6f21b3f36f40d46"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5aa514100aaf59868d745196258269a16737c7bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c15c60e7be615f05a45cd905093a54b11f461bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67cace72606baf1758fd60feb358f4c6be92e1cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a4a396386404e62fb59bc3bde48871a64a82b4f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8677575c4f39d65bf0d719b5d20e8042e550ccb9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd2fbfd8b922b7fdd50732e47d797754ab59cb06"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e528b1b9d60743e0b26224e3fe7aa74c24b8b2f8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRCC-3VP8-HGHG

Vulnerability from github – Published: 2022-05-14 00:55 – Updated: 2022-05-14 00:55
VLAI
Details

A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-10T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.",
  "id": "GHSA-jrcc-3vp8-hghg",
  "modified": "2022-05-14T00:55:02Z",
  "published": "2022-05-14T00:55:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14625"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2029"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2043"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:4154"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-14625"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1619846"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14625"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://syzkaller.appspot.com/bug?extid=bd391451452fb0b93039"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3871-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3871-3"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3871-4"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3871-5"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3872-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3878-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3878-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRFC-F73C-QMRR

Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-02T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called \u0027association groups\u0027. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid \u0027struct session_info\u0027. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.",
  "id": "GHSA-jrfc-f73c-qmrr",
  "modified": "2022-03-17T00:03:59Z",
  "published": "2022-03-04T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3738"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2021726"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.samba.org/show_bug.cgi?id=14468"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202309-06"
    },
    {
      "type": "WEB",
      "url": "https://www.samba.org/samba/security/CVE-2021-3738.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRFM-2H82-XG28

Vulnerability from github – Published: 2023-07-06 21:30 – Updated: 2024-05-03 10:26
VLAI
Summary
Withdrawn: Use after free in SciPy
Details

Withdrawn Advisory

This advisory has been withdrawn because it has been found to not be an issue. Please see the issue here for more information.

## Original Description

A use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scipy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T18:55:58Z",
    "nvd_published_at": "2023-07-06T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "## Withdrawn Advisory\n\nThis advisory has been withdrawn because it has been found to not be an issue. Please see the issue [here](https://github.com/scipy/scipy/issues/14713#issuecomment-1629468565) for more information.\n\n ## Original Description\n\nA use-after-free issue was discovered in Py_FindObjects() function in SciPy versions prior to 1.8.0.",
  "id": "GHSA-jrfm-2h82-xg28",
  "modified": "2024-05-03T10:26:19Z",
  "published": "2023-07-06T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scipy/scipy/issues/14713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scipy/scipy/issues/14713#issuecomment-1629468565"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scipy/scipy/pull/15013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scipy/scipy/commit/e32fc2329d3dd23298725153c5b2cc7fcd0f14f1"
    },
    {
      "type": "WEB",
      "url": "http://www.square16.org/achievement/cve-2023-29824"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn: Use after free in SciPy",
  "withdrawn": "2024-05-03T10:26:19Z"
}

GHSA-JRGJ-HH7M-7W4F

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T17:15:56Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-jrgj-hh7m-7w4f",
  "modified": "2025-07-08T18:31:48Z",
  "published": "2025-07-08T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49699"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49699"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRGX-W3XF-MQ5R

Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-03 18:30
VLAI
Details

Memory corruption may occour occur when stopping the WLAN interface after processing a WMI command from the interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T17:15:19Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption may occour occur when stopping the WLAN interface after processing a WMI command from the interface.",
  "id": "GHSA-jrgx-w3xf-mq5r",
  "modified": "2025-02-03T18:30:42Z",
  "published": "2025-02-03T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45571"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.