Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-P83H-W63G-R43H

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Installer allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:55Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Installer allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-p83h-w63g-r43h",
  "modified": "2026-07-14T18:32:27Z",
  "published": "2026-07-14T18:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50490"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P85V-6F3Q-83WG

Vulnerability from github – Published: 2026-05-20 21:31 – Updated: 2026-05-20 21:31
VLAI
Details

Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T20:16:43Z",
    "severity": "HIGH"
  },
  "details": "Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-p85v-6f3q-83wg",
  "modified": "2026-05-20T21:31:33Z",
  "published": "2026-05-20T21:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9120"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/504620824"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P865-45GC-8X47

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-01-17 21:30
VLAI
Details

A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.",
  "id": "GHSA-p865-45gc-8x47",
  "modified": "2023-01-17T21:30:20Z",
  "published": "2022-05-24T17:35:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29661"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54ffccbf053b5b6ca4f6e45094b942fab92a25fc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BOB25SU6XUL4TNP7KB63WNZSYTIYFDPP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZ7OAKAEFAXQRGBZK4LYUWINCD3D2XCL"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210122-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4843"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160681/Linux-TIOCSPGRP-Broken-Locking.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164950/Kernel-Live-Patch-Security-Notice-LSN-0082-1.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/12/10/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P878-QVQR-H9FP

Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-03 00:00
VLAI
Details

Use after free in Bookmarks in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-27T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Bookmarks in Google Chrome prior to 102.0.5005.61 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension and specific user interaction.",
  "id": "GHSA-p878-qvqr-h9fp",
  "modified": "2022-08-03T00:00:53Z",
  "published": "2022-07-28T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1865"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1289192"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P87R-CPQC-F6R9

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition

This bug influences both st_nci_i2c_remove and st_nci_spi_remove. Take st_nci_i2c_remove as an example.

In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work with llt_ndlc_sm_work.

When it calls ndlc_recv or timeout handler, it will finally call schedule_work to start the work.

When we call st_nci_i2c_remove to remove the driver, there may be a sequence as follows:

Fix it by finishing the work before cleanup in ndlc_remove

CPU0 CPU1

                |llt_ndlc_sm_work

st_nci_i2c_remove | ndlc_remove | st_nci_remove | nci_free_device| kfree(ndev) | //free ndlc->ndev | |llt_ndlc_rcv_queue |nci_recv_frame |//use ndlc->ndev

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:29Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: st-nci: Fix use after free bug in ndlc_remove due to race condition\n\nThis bug influences both st_nci_i2c_remove and st_nci_spi_remove.\nTake st_nci_i2c_remove as an example.\n\nIn st_nci_i2c_probe, it called ndlc_probe and bound \u0026ndlc-\u003esm_work\nwith llt_ndlc_sm_work.\n\nWhen it calls ndlc_recv or timeout handler, it will finally call\nschedule_work to start the work.\n\nWhen we call st_nci_i2c_remove to remove the driver, there\nmay be a sequence as follows:\n\nFix it by finishing the work before cleanup in ndlc_remove\n\nCPU0                  CPU1\n\n                    |llt_ndlc_sm_work\nst_nci_i2c_remove   |\n  ndlc_remove       |\n     st_nci_remove  |\n     nci_free_device|\n     kfree(ndev)    |\n//free ndlc-\u003endev   |\n                    |llt_ndlc_rcv_queue\n                    |nci_recv_frame\n                    |//use ndlc-\u003endev",
  "id": "GHSA-p87r-cpqc-f6r9",
  "modified": "2025-11-10T18:30:29Z",
  "published": "2025-05-02T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53106"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2156490c4b7cacda9a18ec99929940b8376dc0e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3405eb641dafcc8b28d174784b203c1622c121bf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43aa468df246175207a7d5d7d6d31b231f15b49c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5000fe6c27827a61d8250a7e4a1d26c3298ef4f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e331022b448fbc5e76f24349cd0246844dcad25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84dd9cc34014e3a3dcce0eb6d54b8a067e97676b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0c202a8dc63008205a5d546559736507a9aae66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f589e5b56c562d99ea74e05b1c3f0eab78aa17a3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P88P-J9PX-CQ4J

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-04-17 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

class: fix use-after-free in class_register()

The lock_class_key is still registered and can be found in lock_keys_hash hlist after subsys_private is freed in error handler path.A task who iterate over the lock_keys_hash later may cause use-after-free.So fix that up and unregister the lock_class_key before kfree(cp).

On our platform, a driver fails to kset_register because of creating duplicate filename '/class/xxx'.With Kasan enabled, it prints a invalid-access bug report.

KASAN bug report:

BUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc Write of size 8 at addr 15ffff808b8c0368 by task modprobe/252 Pointer tag: [15], memory tag: [fe]

CPU: 7 PID: 252 Comm: modprobe Tainted: G W 6.6.0-mainline-maybe-dirty #1

Call trace: dump_backtrace+0x1b0/0x1e4 show_stack+0x2c/0x40 dump_stack_lvl+0xac/0xe0 print_report+0x18c/0x4d8 kasan_report+0xe8/0x148 __hwasan_store8_noabort+0x88/0x98 lockdep_register_key+0x19c/0x1bc class_register+0x94/0x1ec init_module+0xbc/0xf48 [rfkill] do_one_initcall+0x17c/0x72c do_init_module+0x19c/0x3f8 ... Memory state around the buggy address: ffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a ffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe

ffffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe ^ ffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03

As CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access not use-after-free here.In this case, modprobe is manipulating the corrupted lock_keys_hash hlish where lock_class_key is already freed before.

It's worth noting that this only can happen if lockdep is enabled, which is not true for normal system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:48Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclass: fix use-after-free in class_register()\n\nThe lock_class_key is still registered and can be found in\nlock_keys_hash hlist after subsys_private is freed in error\nhandler path.A task who iterate over the lock_keys_hash\nlater may cause use-after-free.So fix that up and unregister\nthe lock_class_key before kfree(cp).\n\nOn our platform, a driver fails to kset_register because of\ncreating duplicate filename \u0027/class/xxx\u0027.With Kasan enabled,\nit prints a invalid-access bug report.\n\nKASAN bug report:\n\nBUG: KASAN: invalid-access in lockdep_register_key+0x19c/0x1bc\nWrite of size 8 at addr 15ffff808b8c0368 by task modprobe/252\nPointer tag: [15], memory tag: [fe]\n\nCPU: 7 PID: 252 Comm: modprobe Tainted: G        W\n 6.6.0-mainline-maybe-dirty #1\n\nCall trace:\ndump_backtrace+0x1b0/0x1e4\nshow_stack+0x2c/0x40\ndump_stack_lvl+0xac/0xe0\nprint_report+0x18c/0x4d8\nkasan_report+0xe8/0x148\n__hwasan_store8_noabort+0x88/0x98\nlockdep_register_key+0x19c/0x1bc\nclass_register+0x94/0x1ec\ninit_module+0xbc/0xf48 [rfkill]\ndo_one_initcall+0x17c/0x72c\ndo_init_module+0x19c/0x3f8\n...\nMemory state around the buggy address:\nffffff808b8c0100: 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a 8a\nffffff808b8c0200: 8a 8a 8a 8a 8a 8a 8a 8a fe fe fe fe fe fe fe fe\n\u003effffff808b8c0300: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe\n                                     ^\nffffff808b8c0400: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03\n\nAs CONFIG_KASAN_GENERIC is not set, Kasan reports invalid-access\nnot use-after-free here.In this case, modprobe is manipulating\nthe corrupted lock_keys_hash hlish where lock_class_key is already\nfreed before.\n\nIt\u0027s worth noting that this only can happen if lockdep is enabled,\nwhich is not true for normal system.",
  "id": "GHSA-p88p-j9px-cq4j",
  "modified": "2024-04-17T21:30:45Z",
  "published": "2024-02-26T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52468"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f1486dafca3398c4c46b9f6e6452fa27e73b559"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93ec4a3b76404bce01bd5c9032bef5df6feb1d62"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b57196a5ec5e4c0ffecde8348b085b778c7dce04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P89G-X367-23HF

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 15:30
VLAI
Details

Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:52Z",
    "severity": "HIGH"
  },
  "details": "Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
  "id": "GHSA-p89g-x367-23hf",
  "modified": "2026-05-29T15:30:31Z",
  "published": "2026-05-29T00:38:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9946"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/503596863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8CW-CCQ5-GWG9

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58
VLAI
Details

ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-14T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.",
  "id": "GHSA-p8cw-ccq5-gwg9",
  "modified": "2022-05-24T16:58:44Z",
  "published": "2022-05-24T16:58:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17541"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/1641"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/39f226a9c137f547e12afde972eeba7551124493"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/compare/7.0.8-54...7.0.8-55"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P8GG-CP5H-W499

Vulnerability from github – Published: 2024-09-05 06:31 – Updated: 2025-11-04 18:31
VLAI
Details

The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.

Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T05:15:13Z",
    "severity": "HIGH"
  },
  "details": "The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root.  Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.  A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.",
  "id": "GHSA-p8gg-cp5h-w499",
  "modified": "2025-11-04T18:31:19Z",
  "published": "2024-09-05T06:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45063"
    },
    {
      "type": "WEB",
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240920-0010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8H7-JC93-WGQ3

Vulnerability from github – Published: 2024-02-29 06:30 – Updated: 2025-01-13 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mctp: perform route lookups under a RCU read-side lock

Our current route lookups (mctp_route_lookup and mctp_route_lookup_null) traverse the net's route list without the RCU read lock held. This means the route lookup is subject to preemption, resulting in an potential grace period expiry, and so an eventual kfree() while we still have the route pointer.

Add the proper read-side critical section locks around the route lookups, preventing premption and a possible parallel kfree.

The remaining net->mctp.routes accesses are already under a rcu_read_lock, or protected by the RTNL for updates.

Based on an analysis from Sili Luo rootlab@huawei.com, where introducing a delay in the route lookup could cause a UAF on simultaneous sendmsg() and route deletion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T06:15:46Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: perform route lookups under a RCU read-side lock\n\nOur current route lookups (mctp_route_lookup and mctp_route_lookup_null)\ntraverse the net\u0027s route list without the RCU read lock held. This means\nthe route lookup is subject to preemption, resulting in an potential\ngrace period expiry, and so an eventual kfree() while we still have the\nroute pointer.\n\nAdd the proper read-side critical section locks around the route\nlookups, preventing premption and a possible parallel kfree.\n\nThe remaining net-\u003emctp.routes accesses are already under a\nrcu_read_lock, or protected by the RTNL for updates.\n\nBased on an analysis from Sili Luo \u003crootlab@huawei.com\u003e, where\nintroducing a delay in the route lookup could cause a UAF on\nsimultaneous sendmsg() and route deletion.",
  "id": "GHSA-p8h7-jc93-wgq3",
  "modified": "2025-01-13T18:31:55Z",
  "published": "2024-02-29T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52483"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1db0724a01b558feb1ecae551782add1951a114a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2405f64a95a7a094eb24cba9bcfaffd1ea264de4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5093bbfc10ab6636b32728e35813cbd79feb063c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c52b12159049046483fdb0c411a0a1869c41a67"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.