Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9813 vulnerabilities reference this CWE, most recent first.

GHSA-M8JR-W275-X227

Vulnerability from github – Published: 2024-09-18 09:30 – Updated: 2024-09-20 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix double put of @cfile in smb2_set_path_size()

If smb2_compound_op() is called with a valid @cfile and returned -EINVAL, we need to call cifs_get_writable_path() before retrying it as the reference of @cfile was already dropped by previous call.

This fixes the following KASAN splat when running fstests generic/013 against Windows Server 2022:

CIFS: Attempting to mount //w22-fs0/scratch run fstests generic/013 at 2024-09-02 19:48:59 ================================================================== BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200 Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176

CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 Workqueue: cifsoplockd cifs_oplock_break [cifs] Call Trace: dump_stack_lvl+0x5d/0x80 ? detach_if_pending+0xab/0x200 print_report+0x156/0x4d9 ? detach_if_pending+0xab/0x200 ? __virt_addr_valid+0x145/0x300 ? __phys_addr+0x46/0x90 ? detach_if_pending+0xab/0x200 kasan_report+0xda/0x110 ? detach_if_pending+0xab/0x200 detach_if_pending+0xab/0x200 timer_delete+0x96/0xe0 ? __pfx_timer_delete+0x10/0x10 ? rcu_is_watching+0x20/0x50 try_to_grab_pending+0x46/0x3b0 __cancel_work+0x89/0x1b0 ? __pfxcancelwork+0x10/0x10 ? kasan_save_track+0x14/0x30 cifs_close_deferred_file+0x110/0x2c0 [cifs] ? pfx_cifs_close_deferred_file+0x10/0x10 [cifs] ? __pfx_down_read+0x10/0x10 cifs_oplock_break+0x4c1/0xa50 [cifs] ? __pfx_cifs_oplock_break+0x10/0x10 [cifs] ? lock_is_held_type+0x85/0xf0 ? mark_held_locks+0x1a/0x90 process_one_work+0x4c6/0x9f0 ? find_held_lock+0x8a/0xa0 ? __pfx_process_one_work+0x10/0x10 ? lock_acquired+0x220/0x550 ? __list_add_valid_or_report+0x37/0x100 worker_thread+0x2e4/0x570 ? __kthread_parkme+0xd1/0xf0 ? __pfx_worker_thread+0x10/0x10 kthread+0x17f/0x1c0 ? kthread+0xda/0x1c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30

Allocated by task 1118: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 cifs_new_fileinfo+0xc8/0x9d0 [cifs] cifs_atomic_open+0x467/0x770 [cifs] lookup_open.isra.0+0x665/0x8b0 path_openat+0x4c3/0x1380 do_filp_open+0x167/0x270 do_sys_openat2+0x129/0x160 __x64_sys_creat+0xad/0xe0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 83: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x70 poison_slab_object+0xe9/0x160 __kasan_slab_free+0x32/0x50 kfree+0xf2/0x300 process_one_work+0x4c6/0x9f0 worker_thread+0x2e4/0x570 kthread+0x17f/0x1c0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation: kasan_save_stack+0x30/0x50 __kasan_record_aux_stack+0xad/0xc0 insert_work+0x29/0xe0 __queue_work+0x5ea/0x760 queue_work_on+0x6d/0x90 _cifsFileInfo_put+0x3f6/0x770 [cifs] smb2_compound_op+0x911/0x3940 [cifs] smb2_set_path_size+0x228/0x270 [cifs] cifs_set_file_size+0x197/0x460 [cifs] cifs_setattr+0xd9c/0x14b0 [cifs] notify_change+0x4e3/0x740 do_truncate+0xfa/0x180 vfs_truncate+0x195/0x200 __x64_sys_truncate+0x109/0x150 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T08:15:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double put of @cfile in smb2_set_path_size()\n\nIf smb2_compound_op() is called with a valid @cfile and returned\n-EINVAL, we need to call cifs_get_writable_path() before retrying it\nas the reference of @cfile was already dropped by previous call.\n\nThis fixes the following KASAN splat when running fstests generic/013\nagainst Windows Server 2022:\n\n  CIFS: Attempting to mount //w22-fs0/scratch\n  run fstests generic/013 at 2024-09-02 19:48:59\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200\n  Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176\n\n  CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40\n  04/01/2014\n  Workqueue: cifsoplockd cifs_oplock_break [cifs]\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x5d/0x80\n   ? detach_if_pending+0xab/0x200\n   print_report+0x156/0x4d9\n   ? detach_if_pending+0xab/0x200\n   ? __virt_addr_valid+0x145/0x300\n   ? __phys_addr+0x46/0x90\n   ? detach_if_pending+0xab/0x200\n   kasan_report+0xda/0x110\n   ? detach_if_pending+0xab/0x200\n   detach_if_pending+0xab/0x200\n   timer_delete+0x96/0xe0\n   ? __pfx_timer_delete+0x10/0x10\n   ? rcu_is_watching+0x20/0x50\n   try_to_grab_pending+0x46/0x3b0\n   __cancel_work+0x89/0x1b0\n   ? __pfx___cancel_work+0x10/0x10\n   ? kasan_save_track+0x14/0x30\n   cifs_close_deferred_file+0x110/0x2c0 [cifs]\n   ? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]\n   ? __pfx_down_read+0x10/0x10\n   cifs_oplock_break+0x4c1/0xa50 [cifs]\n   ? __pfx_cifs_oplock_break+0x10/0x10 [cifs]\n   ? lock_is_held_type+0x85/0xf0\n   ? mark_held_locks+0x1a/0x90\n   process_one_work+0x4c6/0x9f0\n   ? find_held_lock+0x8a/0xa0\n   ? __pfx_process_one_work+0x10/0x10\n   ? lock_acquired+0x220/0x550\n   ? __list_add_valid_or_report+0x37/0x100\n   worker_thread+0x2e4/0x570\n   ? __kthread_parkme+0xd1/0xf0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x17f/0x1c0\n   ? kthread+0xda/0x1c0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x31/0x60\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 1118:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   __kasan_kmalloc+0xaa/0xb0\n   cifs_new_fileinfo+0xc8/0x9d0 [cifs]\n   cifs_atomic_open+0x467/0x770 [cifs]\n   lookup_open.isra.0+0x665/0x8b0\n   path_openat+0x4c3/0x1380\n   do_filp_open+0x167/0x270\n   do_sys_openat2+0x129/0x160\n   __x64_sys_creat+0xad/0xe0\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 83:\n   kasan_save_stack+0x30/0x50\n   kasan_save_track+0x14/0x30\n   kasan_save_free_info+0x3b/0x70\n   poison_slab_object+0xe9/0x160\n   __kasan_slab_free+0x32/0x50\n   kfree+0xf2/0x300\n   process_one_work+0x4c6/0x9f0\n   worker_thread+0x2e4/0x570\n   kthread+0x17f/0x1c0\n   ret_from_fork+0x31/0x60\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x30/0x50\n   __kasan_record_aux_stack+0xad/0xc0\n   insert_work+0x29/0xe0\n   __queue_work+0x5ea/0x760\n   queue_work_on+0x6d/0x90\n   _cifsFileInfo_put+0x3f6/0x770 [cifs]\n   smb2_compound_op+0x911/0x3940 [cifs]\n   smb2_set_path_size+0x228/0x270 [cifs]\n   cifs_set_file_size+0x197/0x460 [cifs]\n   cifs_setattr+0xd9c/0x14b0 [cifs]\n   notify_change+0x4e3/0x740\n   do_truncate+0xfa/0x180\n   vfs_truncate+0x195/0x200\n   __x64_sys_truncate+0x109/0x150\n   do_syscall_64+0xbb/0x1d0\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f",
  "id": "GHSA-m8jr-w275-x227",
  "modified": "2024-09-20T18:32:25Z",
  "published": "2024-09-18T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46796"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5a72d1edb0843e4c927a4096f81e631031c25c28"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/762099898309218b4a7954f3d49e985dc4dfd638"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f9c169b51b6ce20394594ef674d6b10efba31220"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8P9-Q552-5H79

Vulnerability from github – Published: 2025-04-20 09:30 – Updated: 2025-11-03 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.

If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                    | ssip_xmit_work

ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi

Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-18T15:15:59Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, \u0026ssi-\u003ework is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi-\u003ecl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove().",
  "id": "GHSA-m8p9-q552-5h79",
  "modified": "2025-11-03T21:33:41Z",
  "published": "2025-04-20T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37838"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8QQ-H68V-7P42

Vulnerability from github – Published: 2026-04-15 21:30 – Updated: 2026-04-15 21:30
VLAI
Details

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-15T20:16:41Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-m8qq-h68v-7p42",
  "modified": "2026-04-15T21:30:19Z",
  "published": "2026-04-15T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6317"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_15.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/500091052"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8WF-2872-HP5W

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

Use after free in Universal Print Management Service allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T17:15:39Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Universal Print Management Service allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-m8wf-2872-hp5w",
  "modified": "2025-07-08T18:31:44Z",
  "published": "2025-07-08T18:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47986"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47986"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8WQ-C42P-JW5V

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-0568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-07T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.",
  "id": "GHSA-m8wq-c42p-jw5v",
  "modified": "2022-05-13T01:24:33Z",
  "published": "2022-05-13T01:24:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0568"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/projects/security-advisories/multiple-issues-camera-drivers-cve-2014-9410-cve-2015-0568"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92379"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M922-7CQ2-3FRM

Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the style property of a Field object. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6915.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-17680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-24T04:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the style property of a Field object. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6915.",
  "id": "GHSA-m922-7cq2-3frm",
  "modified": "2022-05-13T01:33:52Z",
  "published": "2022-05-13T01:33:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17680"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-18-1189"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M923-55G6-M66Q

Vulnerability from github – Published: 2024-05-01 06:31 – Updated: 2026-05-12 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wireguard: netlink: check for dangling peer via is_dead instead of empty list

If all peers are removed via wg_peer_remove_all(), rather than setting peer_list to empty, the peer is added to a temporary list with a head on the stack of wg_peer_remove_all(). If a netlink dump is resumed and the cursored peer is one that has been removed via wg_peer_remove_all(), it will iterate from that peer and then attempt to dump freed peers.

Fix this by instead checking peer->is_dead, which was explictly created for this purpose. Also move up the device_update_lock lockdep assertion, since reading is_dead relies on that.

It can be reproduced by a small script like:

echo "Setting config..."
ip link add dev wg0 type wireguard
wg setconf wg0 /big-config
(
        while true; do
                echo "Showing config..."
                wg showconf wg0 > /dev/null
        done
) &
sleep 4
wg setconf wg0 <(printf "[Peer]\nPublicKey=$(wg genkey)\n")

Resulting in:

BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20
Read of size 8 at addr ffff88811956ec70 by task wg/59
CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5
Call Trace:
 <TASK>
 dump_stack_lvl+0x47/0x70
 print_address_description.constprop.0+0x2c/0x380
 print_report+0xab/0x250
 kasan_report+0xba/0xf0
 __lock_acquire+0x182a/0x1b20
 lock_acquire+0x191/0x4b0
 down_read+0x80/0x440
 get_peer+0x140/0xcb0
 wg_get_device_dump+0x471/0x1130
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T06:15:11Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer-\u003eis_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n    echo \"Setting config...\"\n    ip link add dev wg0 type wireguard\n    wg setconf wg0 /big-config\n    (\n            while true; do\n                    echo \"Showing config...\"\n                    wg showconf wg0 \u003e /dev/null\n            done\n    ) \u0026\n    sleep 4\n    wg setconf wg0 \u003c(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n    BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n    Read of size 8 at addr ffff88811956ec70 by task wg/59\n    CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n    Call Trace:\n     \u003cTASK\u003e\n     dump_stack_lvl+0x47/0x70\n     print_address_description.constprop.0+0x2c/0x380\n     print_report+0xab/0x250\n     kasan_report+0xba/0xf0\n     __lock_acquire+0x182a/0x1b20\n     lock_acquire+0x191/0x4b0\n     down_read+0x80/0x440\n     get_peer+0x140/0xcb0\n     wg_get_device_dump+0x471/0x1130",
  "id": "GHSA-m923-55g6-m66q",
  "modified": "2026-05-12T12:31:42Z",
  "published": "2024-05-01T06:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26951"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M934-94J6-4844

Vulnerability from github – Published: 2024-12-02 09:39 – Updated: 2025-11-04 00:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

When hvs is released, there is a possibility that vsk->trans may not be initialized to NULL, which could lead to a dangling pointer. This issue is resolved by initializing vsk->trans to NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-02T08:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_sock: Initializing vsk-\u003etrans to NULL to prevent a dangling pointer\n\nWhen hvs is released, there is a possibility that vsk-\u003etrans may not\nbe initialized to NULL, which could lead to a dangling pointer.\nThis issue is resolved by initializing vsk-\u003etrans to NULL.",
  "id": "GHSA-m934-94j6-4844",
  "modified": "2025-11-04T00:32:09Z",
  "published": "2024-12-02T09:39:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53103"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/285266ef92f7b4bf7d26e1e95e215ce6a6badb4a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/414476c4fb11be070c09ab8f3e75c9ee324a108a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bdc5a62c6e50600d8a1c3e18fd6dce0c27c9497"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4fe1d42f2acc463b733bb42e3f8e67dbc2a0eb2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7cf25987820350cb950856c71b409e5b6eed52bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8621725afb38e111969c64280b71480afde2aace"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98d8dde9232250a57ad5ef16479bf6a349e09b80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0fe3392371293175f25028020ded5267f4cd8e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e629295bd60abf4da1db85b82819ca6a4f6c1e79"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M963-W3JC-59W6

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-09T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-m963-w3jc-59w6",
  "modified": "2022-05-24T17:41:31Z",
  "published": "2022-05-24T17:41:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21119"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1160534"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21119"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M968-9R4W-7GJX

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

PDF-XChange Editor TIF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of TIF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-19108.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T02:15:12Z",
    "severity": "HIGH"
  },
  "details": "PDF-XChange Editor TIF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of TIF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-19108.",
  "id": "GHSA-m968-9r4w-7gjx",
  "modified": "2024-05-03T03:30:49Z",
  "published": "2024-05-03T03:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27348"
    },
    {
      "type": "WEB",
      "url": "https://www.tracker-software.com/product/pdf-xchange-editor/history"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.