Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9820 vulnerabilities reference this CWE, most recent first.

GHSA-M23J-MXGF-384M

Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07
VLAI
Details

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, tvOS 16.5, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to execute arbitrary code with kernel privileges

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-23T18:15:12Z",
    "severity": "HIGH"
  },
  "details": "A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, iOS 15.7.6 and iPadOS 15.7.6, macOS Ventura 13.4, tvOS 16.5, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to execute arbitrary code with kernel privileges",
  "id": "GHSA-m23j-mxgf-384m",
  "modified": "2024-04-04T05:07:58Z",
  "published": "2023-06-23T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32398"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213757"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213758"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213759"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213760"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213761"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213764"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M253-3J38-482H

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

This is the candidate patch of CVE-2023-47233 : https://nvd.nist.gov/vuln/detail/CVE-2023-47233

In brcm80211 driver,it starts with the following invoking chain to start init a timeout worker:

->brcmf_usb_probe ->brcmf_usb_probe_cb ->brcmf_attach ->brcmf_bus_started ->brcmf_cfg80211_attach ->wl_init_priv ->brcmf_init_escan ->INIT_WORK(&cfg->escan_timeout_work, brcmf_cfg80211_escan_timeout_worker);

If we disconnect the USB by hotplug, it will call brcmf_usb_disconnect to make cleanup. The invoking chain is :

brcmf_usb_disconnect ->brcmf_usb_disconnect_cb ->brcmf_detach ->brcmf_cfg80211_detach ->kfree(cfg);

While the timeout woker may still be running. This will cause a use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.

Fix it by deleting the timer and canceling the worker in brcmf_cfg80211_detach.

[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T14:15:15Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n-\u003ebrcmf_usb_probe\n  -\u003ebrcmf_usb_probe_cb\n    -\u003ebrcmf_attach\n      -\u003ebrcmf_bus_started\n        -\u003ebrcmf_cfg80211_attach\n          -\u003ewl_init_priv\n            -\u003ebrcmf_init_escan\n              -\u003eINIT_WORK(\u0026cfg-\u003eescan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n  -\u003ebrcmf_usb_disconnect_cb\n    -\u003ebrcmf_detach\n      -\u003ebrcmf_cfg80211_detach\n        -\u003ekfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]",
  "id": "GHSA-m253-3j38-482h",
  "modified": "2026-05-12T12:31:46Z",
  "published": "2024-05-17T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35811"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M286-XWP3-RFRJ

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of StrikeOut annotations. By manipulating a document's elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6219.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of StrikeOut annotations. By manipulating a document\u0027s elements, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6219.",
  "id": "GHSA-m286-xwp3-rfrj",
  "modified": "2022-05-13T01:34:34Z",
  "published": "2022-05-13T01:34:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14303"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-763"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M28G-H5XQ-JC4P

Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 03:31
VLAI
Details

Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T22:17:00Z",
    "severity": "MODERATE"
  },
  "details": "Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: High)",
  "id": "GHSA-m28g-h5xq-jc4p",
  "modified": "2026-06-26T03:31:29Z",
  "published": "2026-06-26T00:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13282"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01245939337.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/517522620"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M28V-7RQJ-VXQ5

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Use after free in Payments in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious payments app to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-04T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Payments in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious payments app to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-m28v-7rqj-vxq5",
  "modified": "2022-05-24T19:04:01Z",
  "published": "2022-05-24T19:04:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30519"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1194058"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M293-66RR-7HMG

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T17:16:55Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.",
  "id": "GHSA-m293-66rr-7hmg",
  "modified": "2026-07-14T18:32:02Z",
  "published": "2026-07-14T18:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49798"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49798"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2CH-6VR7-X72R

Vulnerability from github – Published: 2022-05-14 03:37 – Updated: 2022-05-14 03:37
VLAI
Details

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JBIG2 decoder. The vulnerability is triggered by a crafted PDF file that contains a malformed JBIG2 stream. Successful exploitation could lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-27T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the JBIG2 decoder. The vulnerability is triggered by a crafted PDF file that contains a malformed JBIG2 stream. Successful exploitation could lead to arbitrary code execution.",
  "id": "GHSA-m2ch-6vr7-x72r",
  "modified": "2022-05-14T03:37:31Z",
  "published": "2022-05-14T03:37:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4892"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb18-02.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102995"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2F3-4P6H-4879

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-03-25 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/mediatek: fix use-after-free on probe deferral

The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers.

Fix this by keeping the references as expected while the iommu driver is bound.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T16:16:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: fix use-after-free on probe deferral\n\nThe driver is dropping the references taken to the larb devices during\nprobe after successful lookup as well as on errors. This can\npotentially lead to a use-after-free in case a larb device has not yet\nbeen bound to its driver so that the iommu driver probe defers.\n\nFix this by keeping the references as expected while the iommu driver is\nbound.",
  "id": "GHSA-m2f3-4p6h-4879",
  "modified": "2026-03-25T21:30:20Z",
  "published": "2026-01-13T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71071"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2FF-6895-CR34

Vulnerability from github – Published: 2023-12-19 15:30 – Updated: 2026-05-12 12:31
VLAI
Details

A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.

A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.

We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-19T14:15:08Z",
    "severity": "HIGH"
  },
  "details": "A use-after-free vulnerability in the Linux kernel\u0027s ipv4: igmp component can be exploited to achieve local privilege escalation.\n\nA race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread.\n\nWe recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.",
  "id": "GHSA-m2ff-6895-cr34",
  "modified": "2026-05-12T12:31:34Z",
  "published": "2023-12-19T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6932"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-794697.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=e2b706c691905fe78468c361aaabc719d0a496f1"
    },
    {
      "type": "WEB",
      "url": "https://kernel.dance/e2b706c691905fe78468c361aaabc719d0a496f1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/177029/Kernel-Live-Patch-Security-Notice-LSN-0100-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2GV-RR38-G5R4

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tipc: re-fetch skb cb after tipc_msg_validate

As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash.

BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:12Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: re-fetch skb cb after tipc_msg_validate\n\nAs the call trace shows, the original skb was freed in tipc_msg_validate(),\nand dereferencing the old skb cb would cause an use-after-free crash.\n\n  BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]\n  Call Trace:\n   \u003cIRQ\u003e\n   tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]\n   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]\n   tipc_rcv+0x744/0x1150 [tipc]\n  ...\n  Allocated by task 47078:\n   kmem_cache_alloc_node+0x158/0x4d0\n   __alloc_skb+0x1c1/0x270\n   tipc_buf_acquire+0x1e/0xe0 [tipc]\n   tipc_msg_create+0x33/0x1c0 [tipc]\n   tipc_link_build_proto_msg+0x38a/0x2100 [tipc]\n   tipc_link_timeout+0x8b8/0xef0 [tipc]\n   tipc_node_timeout+0x2a1/0x960 [tipc]\n   call_timer_fn+0x2d/0x1c0\n  ...\n  Freed by task 47078:\n   tipc_msg_validate+0x7b/0x440 [tipc]\n   tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]\n   tipc_crypto_rcv+0xd32/0x1ec0 [tipc]\n   tipc_rcv+0x744/0x1150 [tipc]\n\nThis patch fixes it by re-fetching the skb cb from the new allocated skb\nafter calling tipc_msg_validate().",
  "id": "GHSA-m2gv-rr38-g5r4",
  "modified": "2024-10-24T21:31:02Z",
  "published": "2024-10-21T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49017"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1daec0815655e110c6f206c5e777a4af8168ff58"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3067bc61fcfe3081bf4807ce65560f499e895e77"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a1ba595e35aa3afbe417ff0af353afb9f65559c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e128190adb2edfd5042105b5d1ed4553f295f5ef"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.