CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-MPXP-VVHQ-P258
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 21:31Type Confusion in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-11061"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:17:10Z",
"severity": "CRITICAL"
},
"details": "Type Confusion in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-mpxp-vvhq-p258",
"modified": "2026-06-05T21:31:57Z",
"published": "2026-06-05T00:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11061"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/499031961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ33-37WV-8G5G
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-26 00:30In the Linux kernel, the following vulnerability has been resolved:
habanalabs: fix UAF in export_dmabuf()
As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF.
dma_buf_fd() is a combination of reserving a descriptor and fd_install(). habanalabs export_dmabuf() calls it and then proceeds to access the objects destroyed on close. In particular, it grabs an extra reference to another struct file that will be dropped as part of ->release() for ours; that "will be" is actually "might have already been".
Fix that by reserving descriptor before anything else and do fd_install() only when everything had been set up. As a side benefit, we no longer have the failure exit with file already created, but reference to underlying file (as well as ->dmabuf_export_cnt, etc.) not grabbed yet; unlike dma_buf_fd(), fd_install() can't fail.
{
"affected": [],
"aliases": [
"CVE-2025-38722"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:41Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhabanalabs: fix UAF in export_dmabuf()\n\nAs soon as we\u0027d inserted a file reference into descriptor table, another\nthread could close it. That\u0027s fine for the case when all we are doing is\nreturning that descriptor to userland (it\u0027s a race, but it\u0027s a userland\nrace and there\u0027s nothing the kernel can do about it). However, if we\nfollow fd_install() with any kind of access to objects that would be\ndestroyed on close (be it the struct file itself or anything destroyed\nby its -\u003erelease()), we have a UAF.\n\ndma_buf_fd() is a combination of reserving a descriptor and fd_install().\nhabanalabs export_dmabuf() calls it and then proceeds to access the\nobjects destroyed on close. In particular, it grabs an extra reference to\nanother struct file that will be dropped as part of -\u003erelease() for ours;\nthat \"will be\" is actually \"might have already been\".\n\nFix that by reserving descriptor before anything else and do fd_install()\nonly when everything had been set up. As a side benefit, we no longer\nhave the failure exit with file already created, but reference to\nunderlying file (as well as -\u003edmabuf_export_cnt, etc.) not grabbed yet;\nunlike dma_buf_fd(), fd_install() can\u0027t fail.",
"id": "GHSA-mq33-37wv-8g5g",
"modified": "2025-11-26T00:30:16Z",
"published": "2025-09-05T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38722"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/33927f3d0ecdcff06326d6e4edb6166aed42811c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/40deceb38f9db759772d1c289c28fd2a543f57fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/55c232d7e0241f1d5120b595e7a9de24c75ed3d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c07886761fd6251db6938d4e747002e3d150d231"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ4P-GW24-JJJR
Vulnerability from github – Published: 2023-02-27 21:30 – Updated: 2023-03-08 18:30A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13. An app may be able to cause unexpected system termination or potentially execute code with kernel privileges.
{
"affected": [],
"aliases": [
"CVE-2022-46712"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T20:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13. An app may be able to cause unexpected system termination or potentially execute code with kernel privileges.",
"id": "GHSA-mq4p-gw24-jjjr",
"modified": "2023-03-08T18:30:25Z",
"published": "2023-02-27T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46712"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ6G-3VJ7-6G88
Vulnerability from github – Published: 2025-01-06 18:31 – Updated: 2025-01-08 00:30In the Linux kernel, the following vulnerability has been resolved:
ublk: detach gendisk from ublk device if add_disk() fails
Inside ublk_abort_requests(), gendisk is grabbed for aborting all inflight requests. And ublk_abort_requests() is called when exiting the uring context or handling timeout.
If add_disk() fails, the gendisk may have been freed when calling ublk_abort_requests(), so use-after-free can be caused when getting disk's reference in ublk_abort_requests().
Fixes the bug by detaching gendisk from ublk device if add_disk() fails.
{
"affected": [],
"aliases": [
"CVE-2024-56764"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T17:15:42Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: detach gendisk from ublk device if add_disk() fails\n\nInside ublk_abort_requests(), gendisk is grabbed for aborting all\ninflight requests. And ublk_abort_requests() is called when exiting\nthe uring context or handling timeout.\n\nIf add_disk() fails, the gendisk may have been freed when calling\nublk_abort_requests(), so use-after-free can be caused when getting\ndisk\u0027s reference in ublk_abort_requests().\n\nFixes the bug by detaching gendisk from ublk device if add_disk() fails.",
"id": "GHSA-mq6g-3vj7-6g88",
"modified": "2025-01-08T00:30:49Z",
"published": "2025-01-06T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56764"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/75cd4005da5492129917a4a4ee45e81660556104"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d680f2f76a3417fdfc3946da7471e81464f7b41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ7V-47J3-RC24
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2021-20181"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-13T16:15:00Z",
"severity": "HIGH"
},
"details": "A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.",
"id": "GHSA-mq7v-47j3-rc24",
"modified": "2022-05-24T19:02:21Z",
"published": "2022-05-24T19:02:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20181"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927007"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210720-0009"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-159"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ8H-F329-FXX2
Vulnerability from github – Published: 2025-02-24 09:35 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
IORING_OP_READ did not correctly consume the provided buffer list when read i/o returned < 0 (except for -EAGAIN and -EIOCBQUEUED return). This can lead to a potential use-after-free when the completion via io_rw_done runs at separate context.
{
"affected": [],
"aliases": [
"CVE-2023-52926"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-24T09:15:09Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nIORING_OP_READ did not correctly consume the provided buffer list when\nread i/o returned \u003c 0 (except for -EAGAIN and -EIOCBQUEUED return).\nThis can lead to a potential use-after-free when the completion via\nio_rw_done runs at separate context.",
"id": "GHSA-mq8h-f329-fxx2",
"modified": "2025-11-03T21:32:52Z",
"published": "2025-02-24T09:35:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52926"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c27fc6a783c8a77c756dd5461b15e465020d075"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72060434a14caea20925e492310d6e680e3f9007"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a08d195b586a217d76b42062f88f375a3eedda4d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ95-27MR-XGRH
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2024-05-02 00:30MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.
{
"affected": [],
"aliases": [
"CVE-2022-27458"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-14T13:15:00Z",
"severity": "HIGH"
},
"details": "MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.",
"id": "GHSA-mq95-27mr-xgrh",
"modified": "2024-05-02T00:30:47Z",
"published": "2022-04-15T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27458"
},
{
"type": "WEB",
"url": "https://jira.mariadb.org/browse/MDEV-28099"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220526-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ98-F72Q-HFX8
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.7, Safari 14.1.2, macOS Big Sur 11.5, watchOS 7.6, tvOS 14.7. Processing maliciously crafted web content may lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-30795"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T14:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.7, Safari 14.1.2, macOS Big Sur 11.5, watchOS 7.6, tvOS 14.7. Processing maliciously crafted web content may lead to arbitrary code execution.",
"id": "GHSA-mq98-f72q-hfx8",
"modified": "2022-05-24T19:13:42Z",
"published": "2022-05-24T19:13:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30795"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212601"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212602"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212604"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212605"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212606"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MQF6-PG39-X737
Vulnerability from github – Published: 2026-03-12 00:31 – Updated: 2026-03-12 15:30Use after free in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-3919"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T22:16:34Z",
"severity": "HIGH"
},
"details": "Use after free in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-mqf6-pg39-x737",
"modified": "2026-03-12T15:30:24Z",
"published": "2026-03-12T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3919"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/444176961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQF6-RPJP-V4FC
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Acrobat Reader DC versions versions 2021.001.20155 (and earlier), 2020.001.30025 (and earlier) and 2017.011.30196 (and earlier) are affected by an Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-28631"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-24T18:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC versions versions 2021.001.20155 (and earlier), 2020.001.30025 (and earlier) and 2017.011.30196 (and earlier) are affected by an Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-mqf6-rpjp-v4fc",
"modified": "2022-05-24T19:12:00Z",
"published": "2022-05-24T19:12:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28631"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb21-37.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.