CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9818 vulnerabilities reference this CWE, most recent first.
GHSA-MH6M-GJCW-57PH
Vulnerability from github – Published: 2024-12-28 12:30 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
brd: defer automatic disk creation until module initialization succeeds
My colleague Wupeng found the following problems during fault injection:
BUG: unable to handle page fault for address: fffffbfff809d073 PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__asan_load8+0x4c/0xa0 ... Call Trace: blkdev_put_whole+0x41/0x70 bdev_release+0x1a3/0x250 blkdev_release+0x11/0x20 __fput+0x1d7/0x4a0 task_work_run+0xfc/0x180 syscall_exit_to_user_mode+0x1de/0x1f0 do_syscall_64+0x6b/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e
loop_init() is calling loop_add() after __register_blkdev() succeeds and is ignoring disk_add() failure from loop_add(), for loop_add() failure is not fatal and successfully created disks are already visible to bdev_open().
brd_init() is currently calling brd_alloc() before __register_blkdev() succeeds and is releasing successfully created disks when brd_init() returns an error. This can cause UAF for the latter two case:
case 1: T1: modprobe brd brd_init brd_alloc(0) // success add_disk disk_scan_partitions bdev_file_open_by_dev // alloc file fput // won't free until back to userspace brd_alloc(1) // failed since mem alloc error inject // error path for modprobe will release code segment // back to userspace __fput blkdev_release bdev_release blkdev_put_whole bdev->bd_disk->fops->release // fops is freed now, UAF!
case 2: T1: T2: modprobe brd brd_init brd_alloc(0) // success open(/dev/ram0) brd_alloc(1) // fail // error path for modprobe
close(/dev/ram0)
...
/* UAF! */
bdev->bd_disk->fops->release
Fix this problem by following what loop_init() does. Besides, reintroduce brd_devices_mutex to help serialize modifications to brd_list.
{
"affected": [],
"aliases": [
"CVE-2024-56693"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-28T10:15:14Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrd: defer automatic disk creation until module initialization succeeds\n\nMy colleague Wupeng found the following problems during fault injection:\n\nBUG: unable to handle page fault for address: fffffbfff809d073\nPGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:__asan_load8+0x4c/0xa0\n...\nCall Trace:\n \u003cTASK\u003e\n blkdev_put_whole+0x41/0x70\n bdev_release+0x1a3/0x250\n blkdev_release+0x11/0x20\n __fput+0x1d7/0x4a0\n task_work_run+0xfc/0x180\n syscall_exit_to_user_mode+0x1de/0x1f0\n do_syscall_64+0x6b/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nloop_init() is calling loop_add() after __register_blkdev() succeeds and\nis ignoring disk_add() failure from loop_add(), for loop_add() failure\nis not fatal and successfully created disks are already visible to\nbdev_open().\n\nbrd_init() is currently calling brd_alloc() before __register_blkdev()\nsucceeds and is releasing successfully created disks when brd_init()\nreturns an error. This can cause UAF for the latter two case:\n\ncase 1:\n T1:\nmodprobe brd\n brd_init\n brd_alloc(0) // success\n add_disk\n disk_scan_partitions\n bdev_file_open_by_dev // alloc file\n fput // won\u0027t free until back to userspace\n brd_alloc(1) // failed since mem alloc error inject\n // error path for modprobe will release code segment\n // back to userspace\n __fput\n blkdev_release\n bdev_release\n blkdev_put_whole\n bdev-\u003ebd_disk-\u003efops-\u003erelease // fops is freed now, UAF!\n\ncase 2:\n T1: T2:\nmodprobe brd\n brd_init\n brd_alloc(0) // success\n open(/dev/ram0)\n brd_alloc(1) // fail\n // error path for modprobe\n\n close(/dev/ram0)\n ...\n /* UAF! */\n bdev-\u003ebd_disk-\u003efops-\u003erelease\n\nFix this problem by following what loop_init() does. Besides,\nreintroduce brd_devices_mutex to help serialize modifications to\nbrd_list.",
"id": "GHSA-mh6m-gjcw-57ph",
"modified": "2025-11-03T21:32:01Z",
"published": "2024-12-28T12:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56693"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/259bf925583ec9e3781df778cadf00594095090d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/410896624db639500f24f46478b4bfa05c76bf56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41219c147df8bbd6591f59af5d695fb6c9a1cbff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/63dfd728b30f79495dacc886127695a379805152"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/826cc42adf44930a633d11a5993676d85ddb0842"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c0c2744cd2939ec5999c51dbaf2af16886548b7b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH8M-XX9M-XM5H
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36In destroyResources of ComposerClient.h, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155769496
{
"affected": [],
"aliases": [
"CVE-2020-0484"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-15T16:15:00Z",
"severity": "MODERATE"
},
"details": "In destroyResources of ComposerClient.h, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155769496",
"id": "GHSA-mh8m-xx9m-xm5h",
"modified": "2022-05-24T17:36:25Z",
"published": "2022-05-24T17:36:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0484"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MHFC-6HHR-W9GW
Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2022-08-31 00:00A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2022-2978"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-24T16:15:00Z",
"severity": "HIGH"
},
"details": "A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.",
"id": "GHSA-mhfc-6hhr-w9gw",
"modified": "2022-08-31T00:00:20Z",
"published": "2022-08-25T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2978"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-fsdevel/20220816040859.659129-1-dzm91@hust.edu.cn/T/#u"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHFP-6MC3-V4Q5
Vulnerability from github – Published: 2022-05-14 03:55 – Updated: 2022-05-14 03:55Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4272, CVE-2016-4279, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.
{
"affected": [],
"aliases": [
"CVE-2016-6921"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-14T18:59:00Z",
"severity": "CRITICAL"
},
"details": "Use-after-free vulnerability in Adobe Flash Player before 18.0.0.375 and 19.x through 23.x before 23.0.0.162 on Windows and OS X and before 11.2.202.635 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4272, CVE-2016-4279, CVE-2016-6923, CVE-2016-6925, CVE-2016-6926, CVE-2016-6927, CVE-2016-6929, CVE-2016-6930, CVE-2016-6931, and CVE-2016-6932.",
"id": "GHSA-mhfp-6mc3-v4q5",
"modified": "2022-05-14T03:55:57Z",
"published": "2022-05-14T03:55:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6921"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb16-29.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201610-10"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1865.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92927"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036791"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHG9-7866-M76H
Vulnerability from github – Published: 2024-06-25 06:30 – Updated: 2024-07-03 18:46A maliciously crafted SLDPRT file, when parsed in ASMKERN229A.dll through Autodesk applications, can cause a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.
{
"affected": [],
"aliases": [
"CVE-2024-37004"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T04:15:15Z",
"severity": "HIGH"
},
"details": "A maliciously crafted SLDPRT file, when parsed in ASMKERN229A.dll through Autodesk applications, can cause a use-after-free vulnerability. This vulnerability, along with other vulnerabilities, could lead to code execution in the current process.",
"id": "GHSA-mhg9-7866-m76h",
"modified": "2024-07-03T18:46:55Z",
"published": "2024-06-25T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37004"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHH7-9RP6-6F9F
Vulnerability from github – Published: 2025-10-10 18:31 – Updated: 2025-10-10 18:31NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause a use-after-free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-23280"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T18:15:39Z",
"severity": "HIGH"
},
"details": "NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause a use-after-free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.",
"id": "GHSA-mhh7-9rp6-6f9f",
"modified": "2025-10-10T18:31:23Z",
"published": "2025-10-10T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23280"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5703"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23280"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHJ8-75XV-5RG4
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Windows Shell Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43552"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:20Z",
"severity": "HIGH"
},
"details": "Windows Shell Remote Code Execution Vulnerability",
"id": "GHSA-mhj8-75xv-5rg4",
"modified": "2024-10-08T18:33:16Z",
"published": "2024-10-08T18:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43552"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43552"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHJF-5WGW-7V8G
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Remote Desktop Protocol Server Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43582"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:25Z",
"severity": "HIGH"
},
"details": "Remote Desktop Protocol Server Remote Code Execution Vulnerability",
"id": "GHSA-mhjf-5wgw-7v8g",
"modified": "2024-10-08T18:33:17Z",
"published": "2024-10-08T18:33:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43582"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43582"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHJG-QMR3-W2XC
Vulnerability from github – Published: 2025-04-17 00:30 – Updated: 2025-04-17 15:32ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 124.0.6367.34 on Chromebooks allows enrolled users with local access to unenroll devices and intercept device management requests via loading components from the unencrypted stateful partition.
{
"affected": [],
"aliases": [
"CVE-2025-1704"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T23:15:44Z",
"severity": "CRITICAL"
},
"details": "ComponentInstaller Modification in ComponentInstaller in Google ChromeOS 124.0.6367.34 on Chromebooks allows enrolled users with local access to unenroll devices \nand intercept device management requests via loading components from the unencrypted stateful partition.",
"id": "GHSA-mhjg-qmr3-w2xc",
"modified": "2025-04-17T15:32:35Z",
"published": "2025-04-17T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1704"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/b/359915523"
},
{
"type": "WEB",
"url": "https://issuetracker.google.com/issues/359915523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHPW-274M-W54V
Vulnerability from github – Published: 2022-05-28 00:00 – Updated: 2022-06-04 00:00Use After Free in GitHub repository vim/vim prior to 8.2.
{
"affected": [],
"aliases": [
"CVE-2022-1898"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-27T09:15:00Z",
"severity": "HIGH"
},
"details": "Use After Free in GitHub repository vim/vim prior to 8.2.",
"id": "GHSA-mhpw-274m-w54v",
"modified": "2022-06-04T00:00:42Z",
"published": "2022-05-28T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1898"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-32"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-16"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213488"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/28"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.