Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9813 vulnerabilities reference this CWE, most recent first.

GHSA-MCW3-9C29-VJV5

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

Maxon Cinema 4D SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Maxon Cinema 4D. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21435.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:22Z",
    "severity": "HIGH"
  },
  "details": "Maxon Cinema 4D SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Maxon Cinema 4D. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21435.",
  "id": "GHSA-mcw3-9c29-vjv5",
  "modified": "2024-05-03T03:30:58Z",
  "published": "2024-05-03T03:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40487"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCWJ-MJ5H-P34C

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Use after free in WebRTC in Google Chrome on Linux, ChromeOS prior to 93.0.4577.63 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-03T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in WebRTC in Google Chrome on Linux, ChromeOS prior to 93.0.4577.63 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-mcwj-mj5h-p34c",
  "modified": "2022-05-24T19:12:59Z",
  "published": "2022-05-24T19:12:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30612"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/08/stable-channel-update-for-desktop_31.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1234284"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5LVY4WIWTVVYKQMROJJS365TZBKEARCF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJPUSAWIJMQFBQQQYXAICLI4EKFQOH6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QW4R2K5HVJ4R6XDZYOJCCFPIN2XHNS3L"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MCXH-3PW2-4RMG

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-03-14 15:31
VLAI
Details

VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:16:06Z",
    "severity": "CRITICAL"
  },
  "details": "VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device.\u00a0A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine\u0027s VMX process running on the host.",
  "id": "GHSA-mcxh-3pw2-4rmg",
  "modified": "2025-03-14T15:31:57Z",
  "published": "2024-05-14T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22267"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF3R-G9FH-76HW

Vulnerability from github – Published: 2022-05-14 02:00 – Updated: 2022-05-14 02:00
VLAI
Details

In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while calling IPA_IOC_MDFY_RT_RULE IPA IOCTL, header entry is not checked before use. If IPA_IOC_MDFY_RT_RULE IOCTL called for header entries formerly deleted, a Use after free condition will occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-18T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, while calling IPA_IOC_MDFY_RT_RULE IPA IOCTL, header entry is not checked before use. If IPA_IOC_MDFY_RT_RULE IOCTL called for header entries formerly deleted, a Use after free condition will occur.",
  "id": "GHSA-mf3r-g9fh-76hw",
  "modified": "2022-05-14T02:00:27Z",
  "published": "2022-05-14T02:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11281"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-09-01#qualcomm-components"
    },
    {
      "type": "WEB",
      "url": "https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=c9861d16283cb4279de98a6695e0a4e6ea0230cb"
    },
    {
      "type": "WEB",
      "url": "https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=4bc7311e9ea9145a615184626cc43a8b92e7619c"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2018/09/04/september-2018-code-aurora-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF3W-J4FP-PV84

Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2024-04-04 07:36
VLAI
Details

In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T21:15:42Z",
    "severity": "HIGH"
  },
  "details": "In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-mf3w-j4fp-pv84",
  "modified": "2024-04-04T07:36:53Z",
  "published": "2023-09-11T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35687"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/av/+/ea6131efa76a0b2a12724ffd157909e2c6fb4036"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF46-35GJ-3768

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2023-10-03 15:30
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop 16.6.3.84. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13311.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenText Brava! Desktop 16.6.3.84. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DWG files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13311.",
  "id": "GHSA-mf46-35gj-3768",
  "modified": "2023-10-03T15:30:27Z",
  "published": "2022-05-24T19:05:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31497"
    },
    {
      "type": "WEB",
      "url": "https://www.cvedetails.com/vulnerability-list/vendor_id-2032/product_id-96672/Opentext-Brava-Desktop.html?page=1\u0026opec=1\u0026order=1\u0026trc=35\u0026sha=37f4ed0596f8ccacca7d571f22a38c97b0f19f4c"
    },
    {
      "type": "WEB",
      "url": "https://www.opentext.com/products/brava"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-637"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF54-6363-29H5

Vulnerability from github – Published: 2022-05-01 23:27 – Updated: 2024-02-03 03:30
VLAI
Details

Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 SP2, and and 7 allows remote attackers to execute arbitrary code by assigning malformed values to certain properties, as demonstrated using the by property of an animateMotion SVG element, aka "Property Memory Corruption Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-0077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-02-12T23:00:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 SP2, and and 7 allows remote attackers to execute arbitrary code by assigning malformed values to certain properties, as demonstrated using the by property of an animateMotion SVG element, aka \"Property Memory Corruption Vulnerability.\"",
  "id": "GHSA-mf54-6363-29h5",
  "modified": "2024-02-03T03:30:26Z",
  "published": "2022-05-01T23:27:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-0077"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-010"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5396"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=661"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=120361015026386\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/28903"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/228569"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/488048/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/27666"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1019380"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-043C.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0512/references"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-08-006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF5M-9F46-24PV

Vulnerability from github – Published: 2024-05-19 09:34 – Updated: 2024-12-30 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in cifs_stats_proc_write()

Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-19T09:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.",
  "id": "GHSA-mf5m-9f46-24pv",
  "modified": "2024-12-30T18:30:41Z",
  "published": "2024-05-19T09:34:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35868"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF8M-3P99-JG2C

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-12 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ACPICA: Fix error code path in acpi_ds_call_control_method()

A use-after-free in acpi_ps_parse_aml() after a failing invocaion of acpi_ds_call_control_method() is reported by KASAN [1] and code inspection reveals that next_walk_state pushed to the thread by acpi_ds_create_walk_state() is freed on errors, but it is not popped from the thread beforehand. Thus acpi_ds_get_current_walk_state() called by acpi_ps_parse_aml() subsequently returns it as the new walk state which is incorrect.

To address this, make acpi_ds_call_control_method() call acpi_ds_pop_walk_state() to pop next_walk_state from the thread before returning an error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:44Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix error code path in acpi_ds_call_control_method()\n\nA use-after-free in acpi_ps_parse_aml() after a failing invocaion of\nacpi_ds_call_control_method() is reported by KASAN [1] and code\ninspection reveals that next_walk_state pushed to the thread by\nacpi_ds_create_walk_state() is freed on errors, but it is not popped\nfrom the thread beforehand.  Thus acpi_ds_get_current_walk_state()\ncalled by acpi_ps_parse_aml() subsequently returns it as the new\nwalk state which is incorrect.\n\nTo address this, make acpi_ds_call_control_method() call\nacpi_ds_pop_walk_state() to pop next_walk_state from the thread before\nreturning an error.",
  "id": "GHSA-mf8m-3p99-jg2c",
  "modified": "2025-12-12T18:30:28Z",
  "published": "2025-09-18T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50411"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0462fec709d51762ba486245bc344f44cc6cfa97"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2deb42c4f9776e59bee247c14af9c5e8c05ca9a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38e251d356a01b61a86cb35213cafd7e8fe7090c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/404ec60438add1afadaffaed34bb5fe4ddcadd40"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5777432ebaaf797e24f059979b42df3139967163"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/799881db3e03b5e98fe6a900d9d7de8c7d61e7ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ef353c92f9d04c88de3af1a46859c1fb76db0f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0b83d3f3ffa96e8395c56b83d6197e184902a34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f520d181477ec29a496c0b3bbfbdb7e2606c2713"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MFCJ-FWJX-5Q54

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-28 21:36
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix trace_marker copy link list updates

When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instances buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations uses an RCU protected list traversal.

When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list.

The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that its removed from the list.

But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug.

Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed.

Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix trace_marker copy link list updates\n\nWhen the \"copy_trace_marker\" option is enabled for an instance, anything\nwritten into /sys/kernel/tracing/trace_marker is also copied into that\ninstances buffer. When the option is set, that instance\u0027s trace_array\ndescriptor is added to the marker_copies link list. This list is protected\nby RCU, as all iterations uses an RCU protected list traversal.\n\nWhen the instance is deleted, all the flags that were enabled are cleared.\nThis also clears the copy_trace_marker flag and removes the trace_array\ndescriptor from the list.\n\nThe issue is after the flags are called, a direct call to\nupdate_marker_trace() is performed to clear the flag. This function\nreturns true if the state of the flag changed and false otherwise. If it\nreturns true here, synchronize_rcu() is called to make sure all readers\nsee that its removed from the list.\n\nBut since the flag was already cleared, the state does not change and the\nsynchronization is never called, leaving a possible UAF bug.\n\nMove the clearing of all flags below the updating of the copy_trace_marker\noption which then makes sure the synchronization is performed.\n\nAlso use the flag for checking the state in update_marker_trace() instead\nof looking at if the list is empty.",
  "id": "GHSA-mfcj-fwjx-5q54",
  "modified": "2026-04-28T21:36:01Z",
  "published": "2026-04-24T15:32:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31541"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07183aac4a6828e474f00b37c9d795d0d99e18a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75668e58244e63ec3785098a02e1cdcff14a6c2e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc267e4b4302247dc67ef937a9ac587a696a43c1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.