CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-PFFQ-9WR4-6HJX
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
net: ena: PHC: Fix potential use-after-free in get_timestamp
Move the phc->active check and resp pointer assignment to after acquiring the spinlock. Previously, phc->active was checked without holding the lock, and resp was cached from ena_dev->phc.virt_addr before the lock was acquired.
If ena_com_phc_destroy() runs between the lockless active check and the lock acquisition, it sets active=false, releases the lock, frees the DMA memory, and sets virt_addr=NULL. The get_timestamp path would then read a NULL virt_addr and dereference it.
With both the active check and the pointer read under the lock, destroy cannot free the memory while get_timestamp is using it.
{
"affected": [],
"aliases": [
"CVE-2026-52971"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: PHC: Fix potential use-after-free in get_timestamp\n\nMove the phc-\u003eactive check and resp pointer assignment to after\nacquiring the spinlock. Previously, phc-\u003eactive was checked without\nholding the lock, and resp was cached from ena_dev-\u003ephc.virt_addr\nbefore the lock was acquired.\n\nIf ena_com_phc_destroy() runs between the lockless active check and\nthe lock acquisition, it sets active=false, releases the lock, frees\nthe DMA memory, and sets virt_addr=NULL. The get_timestamp path would\nthen read a NULL virt_addr and dereference it.\n\nWith both the active check and the pointer read under the lock,\ndestroy cannot free the memory while get_timestamp is using it.",
"id": "GHSA-pffq-9wr4-6hjx",
"modified": "2026-06-28T09:31:37Z",
"published": "2026-06-24T18:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52971"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95e8ae9af2a61b4e72f5c585bf4c7d8aaf2a2c98"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca9ed40f28949353911dcb524ff8fff2f3409c97"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e42c755582f0960e684298762f0ab927b3778376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFGJ-6MXG-PMFV
Vulnerability from github – Published: 2022-07-28 00:00 – Updated: 2022-08-04 00:00Use after free in Indexed DB in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1853"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-27T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Use after free in Indexed DB in Google Chrome prior to 102.0.5005.61 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.",
"id": "GHSA-pfgj-6mxg-pmfv",
"modified": "2022-08-04T00:00:23Z",
"published": "2022-07-28T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1853"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1324864"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFM5-3WCH-G359
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41In process of C2SoftHevcDec.cpp, there is a possible out of bounds write due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160346309
{
"affected": [],
"aliases": [
"CVE-2021-0335"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "In process of C2SoftHevcDec.cpp, there is a possible out of bounds write due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-160346309",
"id": "GHSA-pfm5-3wch-g359",
"modified": "2022-05-24T17:41:45Z",
"published": "2022-05-24T17:41:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0335"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-02-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PFQJ-J743-CXWM
Vulnerability from github – Published: 2022-07-24 00:00 – Updated: 2022-07-28 00:00Use after free in WebRTC Perf in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1133"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-23T00:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in WebRTC Perf in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-pfqj-j743-cxwm",
"modified": "2022-07-28T00:00:48Z",
"published": "2022-07-24T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1133"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1305776"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQR-532X-CJJM
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2025-05-21 18:32Use after free in Tab Strip in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interaction.
{
"affected": [],
"aliases": [
"CVE-2022-3071"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-26T16:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Tab Strip in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interaction.",
"id": "GHSA-pfqr-532x-cjjm",
"modified": "2025-05-21T18:32:59Z",
"published": "2022-09-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3071"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1333995"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFRH-CQRM-8C83
Vulnerability from github – Published: 2026-04-29 00:30 – Updated: 2026-04-29 15:30Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-7363"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T23:16:23Z",
"severity": "HIGH"
},
"details": "Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)",
"id": "GHSA-pfrh-cqrm-8c83",
"modified": "2026-04-29T15:30:38Z",
"published": "2026-04-29T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7363"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/494352590"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFWP-6WW7-H9WR
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-50459"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:51Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.",
"id": "GHSA-pfwp-6ww7-h9wr",
"modified": "2026-07-14T18:32:25Z",
"published": "2026-07-14T18:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50459"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50459"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFXX-3WW7-5WC8
Vulnerability from github – Published: 2022-01-28 00:01 – Updated: 2022-02-03 00:00Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732. This vulnerability can lead to a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2021-46503"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-27T21:15:00Z",
"severity": "MODERATE"
},
"details": "Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732. This vulnerability can lead to a Denial of Service (DoS).",
"id": "GHSA-pfxx-3ww7-5wc8",
"modified": "2022-02-03T00:00:33Z",
"published": "2022-01-28T00:01:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46503"
},
{
"type": "WEB",
"url": "https://github.com/pcmacdon/jsish/issues/88"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PG25-7CX5-CVCM
Vulnerability from github – Published: 2026-04-13 18:30 – Updated: 2026-06-30 03:36Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.
The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
{
"affected": [],
"aliases": [
"CVE-2026-6100"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T18:16:31Z",
"severity": "CRITICAL"
},
"details": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
"id": "GHSA-pg25-7cx5-cvcm",
"modified": "2026-06-30T03:36:16Z",
"published": "2026-04-13T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6100"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/148395"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/148396"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30078"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26187"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25096"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21682"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21275"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19590"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19576"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19571"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10117"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8822"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8824"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9228"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-6100"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6100.json"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10140"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10141"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10711"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10745"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10774"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10949"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10950"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11077"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11768"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13692"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13812"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14652"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14653"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14656"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16699"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17525"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17619"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19019"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19064"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19175"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19176"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19177"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19216"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19549"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19570"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/13/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PG2F-924C-5QQX
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-17 00:00Adobe Photoshop versions 22.5.8 (and earlier) and 23.4.2 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-38434"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T18:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Photoshop versions 22.5.8 (and earlier) and 23.4.2 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-pg2f-924c-5qqx",
"modified": "2022-09-17T00:00:33Z",
"published": "2022-09-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38434"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb22-52.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.