CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9820 vulnerabilities reference this CWE, most recent first.
GHSA-MJH9-M22P-4J4M
Vulnerability from github – Published: 2023-09-07 15:30 – Updated: 2024-04-04 07:32Adobe Premiere Pro versions 22.0 (and earlier) and 15.4.2 (and earlier) are affected by an Use-After-Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-40790"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-07T13:15:07Z",
"severity": "MODERATE"
},
"details": "Adobe Premiere Pro versions 22.0 (and earlier) and 15.4.2 (and earlier) are affected by an Use-After-Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-mjh9-m22p-4j4m",
"modified": "2024-04-04T07:32:35Z",
"published": "2023-09-07T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40790"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/premiere_pro/apsb21-117.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJHM-5R72-MJX7
Vulnerability from github – Published: 2024-10-24 21:31 – Updated: 2024-11-05 18:32An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.
{
"affected": [],
"aliases": [
"CVE-2024-48423"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-24T21:15:14Z",
"severity": "HIGH"
},
"details": "An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.",
"id": "GHSA-mjhm-5r72-mjx7",
"modified": "2024-11-05T18:32:01Z",
"published": "2024-10-24T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48423"
},
{
"type": "WEB",
"url": "https://github.com/assimp/assimp/issues/5788"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJP5-6CQ8-QV5G
Vulnerability from github – Published: 2025-01-28 21:31 – Updated: 2025-01-28 21:31In TBD of TBD, there is a possible use-after-free due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-40649"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-28T20:15:49Z",
"severity": "HIGH"
},
"details": "In TBD of TBD, there is a possible use-after-free due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-mjp5-6cq8-qv5g",
"modified": "2025-01-28T21:31:03Z",
"published": "2025-01-28T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40649"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-10-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJP6-8Q33-2QX3
Vulnerability from github – Published: 2025-05-09 09:33 – Updated: 2025-11-17 15:30In the Linux kernel, the following vulnerability has been resolved:
tracing: fprobe events: Fix possible UAF on modules
Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount") moved try_module_get() from __find_tracepoint_module_cb() to find_tracepoint() caller, but that introduced a possible UAF because the module can be unloaded before try_module_get(). In this case, the module object should be freed too. Thus, try_module_get() does not only fail but may access to the freed object.
To avoid that, try_module_get() in __find_tracepoint_module_cb() again.
{
"affected": [],
"aliases": [
"CVE-2025-37845"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-09T07:16:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: fprobe events: Fix possible UAF on modules\n\nCommit ac91052f0ae5 (\"tracing: tprobe-events: Fix leakage of module\nrefcount\") moved try_module_get() from __find_tracepoint_module_cb()\nto find_tracepoint() caller, but that introduced a possible UAF\nbecause the module can be unloaded before try_module_get(). In this\ncase, the module object should be freed too. Thus, try_module_get()\ndoes not only fail but may access to the freed object.\n\nTo avoid that, try_module_get() in __find_tracepoint_module_cb()\nagain.",
"id": "GHSA-mjp6-8q33-2qx3",
"modified": "2025-11-17T15:30:30Z",
"published": "2025-05-09T09:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37845"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/626f01f4d26e8cf92e69c1df53036153c8e98a20"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/868df4eb784c3ccc7e4340a9ea993cbbedca167e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a27d2de2472b1cc7d582ab405d1d5832a80481de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd941507a9486252d6fcf11814387666792020f3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJPW-8R5P-RMGP
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-58632"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:45Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-mjpw-8r5p-rmgp",
"modified": "2026-07-14T18:32:42Z",
"published": "2026-07-14T18:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58632"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58632"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJVF-V49W-4RWJ
Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00Use after free in Extensions API in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interactions.
{
"affected": [],
"aliases": [
"CVE-2022-2617"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-12T20:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Extensions API in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interactions.",
"id": "GHSA-mjvf-v49w-4rwj",
"modified": "2022-08-16T00:00:24Z",
"published": "2022-08-13T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2617"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1292451"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJWR-V9J5-22PX
Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-12 00:00Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-28240"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T18:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by a use-after-free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-mjwr-v9j5-22px",
"modified": "2022-05-12T00:00:47Z",
"published": "2022-05-12T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28240"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MM39-X96Q-96J9
Vulnerability from github – Published: 2026-07-09 00:31 – Updated: 2026-07-09 12:30Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-15133"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T23:16:54Z",
"severity": "HIGH"
},
"details": "Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-mm39-x96q-96j9",
"modified": "2026-07-09T12:30:27Z",
"published": "2026-07-09T00:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15133"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/527406824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MM44-Q4Q5-7MG9
Vulnerability from github – Published: 2025-10-30 21:30 – Updated: 2025-10-30 21:30Kitware VTK (Visualization Toolkit) 9.5.0 is vulnerable to Heap Use-After-Free in vtkGLTFImporter::ImportActors. When processing GLTF files with invalid scene node references, the application accesses string members of mesh objects that have been previously freed during actor import operations.
{
"affected": [],
"aliases": [
"CVE-2025-57109"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T19:16:35Z",
"severity": "MODERATE"
},
"details": "Kitware VTK (Visualization Toolkit) 9.5.0 is vulnerable to Heap Use-After-Free in vtkGLTFImporter::ImportActors. When processing GLTF files with invalid scene node references, the application accesses string members of mesh objects that have been previously freed during actor import operations.",
"id": "GHSA-mm44-q4q5-7mg9",
"modified": "2025-10-30T21:30:46Z",
"published": "2025-10-30T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57109"
},
{
"type": "WEB",
"url": "https://gitlab.kitware.com/vtk/vtk/-/issues/19735"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MM4J-FWQR-3CF4
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
mtk_free_dev() calls metadata_dst_free() which frees the metadata_dst with kfree() immediately, bypassing the RCU grace period. In the RX path, skb_dst_set_noref() sets a non-refcounted pointer from the skb to the metadata_dst. This function requires RCU read-side protection and the dst must remain valid until all RCU readers complete. Since metadata_dst_free() calls kfree() directly, a use-after-free can occur if any skb still holds a noref pointer to the dst when the driver tears it down. Replace metadata_dst_free() with dst_release() which properly goes through the refcount path: when the refcount drops to zero, it schedules the actual free via call_rcu_hurry(), ensuring all RCU readers have completed before the memory is freed.
{
"affected": [],
"aliases": [
"CVE-2026-53247"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:42Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown\n\nmtk_free_dev() calls metadata_dst_free() which frees the metadata_dst\nwith kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_free() calls kfree() directly, a use-after-free can\noccur if any skb still holds a noref pointer to the dst when the driver\ntears it down.\nReplace metadata_dst_free() with dst_release() which properly goes\nthrough the refcount path: when the refcount drops to zero, it schedules\nthe actual free via call_rcu_hurry(), ensuring all RCU readers have\ncompleted before the memory is freed.",
"id": "GHSA-mm4j-fwqr-3cf4",
"modified": "2026-06-28T09:31:46Z",
"published": "2026-06-25T09:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53247"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d86aeb46d5f69c704065a8c69822582787272a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/459c6f35c58cf0fd5247e55d73ddaa29571d9b7e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72775977e89c25c99ee84d2c5baa3f86a8ba5cb4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80df409e1a483676826a6c66e693dba6ac507751"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e634408d2b0cd939cfe019398a21fb47b7a8ffe3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.