CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9813 vulnerabilities reference this CWE, most recent first.
GHSA-M7WF-2QXG-448X
Vulnerability from github – Published: 2024-05-20 12:30 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
kprobes: Fix possible use-after-free issue on kprobe registration
When unloading a module, its state is changing MODULE_STATE_LIVE ->
MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take
a time. is_module_text_address() and __module_text_address()
works with MODULE_STATE_LIVE and MODULE_STATE_GOING.
If we use is_module_text_address() and __module_text_address()
separately, there is a chance that the first one is succeeded but the
next one is failed because module->state becomes MODULE_STATE_UNFORMED
between those operations.
In check_kprobe_address_safe(), if the second __module_text_address()
is failed, that is ignored because it expected a kernel_text address.
But it may have failed simply because module->state has been changed
to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify
non-exist module text address (use-after-free).
To fix this problem, we should not use separated is_module_text_address()
and __module_text_address(), but use only __module_text_address()
once and do try_module_get(module) which is only available with
MODULE_STATE_LIVE.
{
"affected": [],
"aliases": [
"CVE-2024-35955"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-20T10:15:10Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE -\u003e\n MODULE_STATE_GOING -\u003e MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module-\u003estate becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module-\u003estate has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.",
"id": "GHSA-m7wf-2qxg-448x",
"modified": "2026-05-12T12:31:51Z",
"published": "2024-05-20T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35955"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M848-8F5R-6J4G
Vulnerability from github – Published: 2024-06-25 00:34 – Updated: 2024-07-03 18:46Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-6292"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-24T22:15:10Z",
"severity": "HIGH"
},
"details": "Use after free in Dawn in Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-m848-8f5r-6j4g",
"modified": "2024-07-03T18:46:39Z",
"published": "2024-06-25T00:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6292"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_24.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/342545100"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6OJ65HWXYSYMH55VDO6N36EOZFUNL4O"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHV5WTU27YOIBIM2CON42SHWY6J2HPRS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M864-6JWP-PM7G
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Use after free in Windows Event Tracing allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-49660"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:48Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Event Tracing allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-m864-6jwp-pm7g",
"modified": "2025-07-08T18:31:46Z",
"published": "2025-07-08T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49660"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49660"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M882-RGXP-C7JH
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
{
"affected": [],
"aliases": [
"CVE-2024-43491"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T17:15:36Z",
"severity": "CRITICAL"
},
"details": "Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024\u2014KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.\nThis servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.\nNote: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.",
"id": "GHSA-m882-rgxp-c7jh",
"modified": "2024-09-10T18:30:47Z",
"published": "2024-09-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43491"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43491"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M884-M9X6-6RG3
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 15:34Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
{
"affected": [],
"aliases": [
"CVE-2022-22737"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR \u003c 91.5, Firefox \u003c 96, and Thunderbird \u003c 91.5.",
"id": "GHSA-m884-m9x6-6rg3",
"modified": "2025-04-16T15:34:04Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22737"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1745874"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-01"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-02"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M893-832R-QFW5
Vulnerability from github – Published: 2023-01-10 21:30 – Updated: 2023-01-13 15:30Use after free in Cart in Google Chrome prior to 109.0.5414.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via database corruption and a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2023-0134"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-10T20:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Cart in Google Chrome prior to 109.0.5414.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via database corruption and a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-m893-832r-qfw5",
"modified": "2023-01-13T15:30:27Z",
"published": "2023-01-10T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0134"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1385709"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-10"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M89C-C8G5-FGPG
Vulnerability from github – Published: 2022-05-14 02:34 – Updated: 2022-05-14 02:34Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1307.
{
"affected": [],
"aliases": [
"CVE-2013-0811"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-05-15T03:36:00Z",
"severity": "HIGH"
},
"details": "Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka \"Internet Explorer Use After Free Vulnerability,\" a different vulnerability than CVE-2013-1307.",
"id": "GHSA-m89c-c8g5-fgpg",
"modified": "2022-05-14T02:34:48Z",
"published": "2022-05-14T02:34:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0811"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-037"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15979"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/ncas/alerts/TA13-134A"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M89G-9PP2-34QM
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2024-11-27 21:32This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18403.
{
"affected": [],
"aliases": [
"CVE-2022-42374"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T18:59:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18403.",
"id": "GHSA-m89g-9pp2-34qm",
"modified": "2024-11-27T21:32:37Z",
"published": "2023-01-26T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42374"
},
{
"type": "WEB",
"url": "https://www.tracker-software.com/product/pdf-xchange-editor/history"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1361"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8F2-RW7M-JRXF
Vulnerability from github – Published: 2026-01-14 15:33 – Updated: 2026-03-25 21:30In the Linux kernel, the following vulnerability has been resolved:
mm/slub: reset KASAN tag in defer_free() before accessing freed memory
When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe).
When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report:
BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe]
Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes.
{
"affected": [],
"aliases": [
"CVE-2025-71110"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T15:16:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: reset KASAN tag in defer_free() before accessing freed memory\n\nWhen CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free()\nbefore defer_free(). On ARM64 with MTE (Memory Tagging Extension),\nkasan_slab_free() poisons the memory and changes the tag from the\noriginal (e.g., 0xf3) to a poison tag (0xfe).\n\nWhen defer_free() then tries to write to the freed object to build the\ndeferred free list via llist_add(), the pointer still has the old tag,\ncausing a tag mismatch and triggering a KASAN use-after-free report:\n\n BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537\n Write at addr f3f000000854f020 by task kworker/u8:6/983\n Pointer tag: [f3], memory tag: [fe]\n\nFix this by calling kasan_reset_tag() before accessing the freed memory.\nThis is safe because defer_free() is part of the allocator itself and is\nexpected to manipulate freed memory for bookkeeping purposes.",
"id": "GHSA-m8f2-rw7m-jrxf",
"modified": "2026-03-25T21:30:22Z",
"published": "2026-01-14T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71110"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M8G4-X9R5-F656
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02A use after free in Blink in Google Chrome prior to 59.0.3071.104 for Mac, Windows, and Linux, and 59.0.3071.117 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page, aka an IndexedDB sandbox escape.
{
"affected": [],
"aliases": [
"CVE-2017-5087"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-27T05:29:00Z",
"severity": "HIGH"
},
"details": "A use after free in Blink in Google Chrome prior to 59.0.3071.104 for Mac, Windows, and Linux, and 59.0.3071.117 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page, aka an IndexedDB sandbox escape.",
"id": "GHSA-m8g4-x9r5-f656",
"modified": "2022-05-13T01:02:44Z",
"published": "2022-05-13T01:02:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1495"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html"
},
{
"type": "WEB",
"url": "https://crbug.com/725032"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201706-20"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3926"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99096"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038765"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.