CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9821 vulnerabilities reference this CWE, most recent first.
GHSA-PWRG-H5J6-7F43
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:06Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.
{
"affected": [],
"aliases": [
"CVE-2019-13045"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-29T14:15:00Z",
"severity": "HIGH"
},
"details": "Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.",
"id": "GHSA-pwrg-h5j6-7f43",
"modified": "2024-04-04T01:06:50Z",
"published": "2022-05-24T16:49:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13045"
},
{
"type": "WEB",
"url": "https://github.com/irssi/irssi/commit/d23b0d22cc611e43c88d99192a59f413f951a955"
},
{
"type": "WEB",
"url": "https://irssi.org/security/irssi_sa_2019_06.txt"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Jun/41"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4046-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00030.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153480/Slackware-Security-Advisory-irssi-Updates.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/06/29/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108998"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWVQ-PX6V-HPC8
Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2022-05-14 01:29Re-entry of a destructor in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-6085"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-04T17:29:00Z",
"severity": "HIGH"
},
"details": "Re-entry of a destructor in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page.",
"id": "GHSA-pwvq-px6v-hpc8",
"modified": "2022-05-14T01:29:43Z",
"published": "2022-05-14T01:29:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1195"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/826626"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201804-22"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4182"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWWC-8QXC-5W7F
Vulnerability from github – Published: 2024-02-27 21:31 – Updated: 2024-08-01 15:31In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: Avoid potential use after free in MHI send
It is possible that the MHI ul_callback will be invoked immediately following the queueing of the skb for transmission, leading to the callback decrementing the refcount of the associated sk and freeing the skb.
As such the dereference of skb and the increment of the sk refcount must happen before the skb is queued, to avoid the skb to be used after free and potentially the sk to drop its last refcount..
{
"affected": [],
"aliases": [
"CVE-2021-46973"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-27T19:04:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: Avoid potential use after free in MHI send\n\nIt is possible that the MHI ul_callback will be invoked immediately\nfollowing the queueing of the skb for transmission, leading to the\ncallback decrementing the refcount of the associated sk and freeing the\nskb.\n\nAs such the dereference of skb and the increment of the sk refcount must\nhappen before the skb is queued, to avoid the skb to be used after free\nand potentially the sk to drop its last refcount..",
"id": "GHSA-pwwc-8qxc-5w7f",
"modified": "2024-08-01T15:31:28Z",
"published": "2024-02-27T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46973"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/03c649dee8b1eb5600212a249542a70f47a5ab40"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47a017f33943278570c072bc71681809b2567b3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48ec949ac979b4b42d740f67b6177797af834f80"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea474054c2cc6e1284604b21361f475c7cc8c0a0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWWJ-WFMW-V2H8
Vulnerability from github – Published: 2022-11-30 00:30 – Updated: 2022-12-02 00:30Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI interaction. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2022-4192"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-30T00:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI interaction. (Chromium security severity: Medium)",
"id": "GHSA-pwwj-wfmw-v2h8",
"modified": "2022-12-02T00:30:25Z",
"published": "2022-11-30T00:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4192"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1344514"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-10"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWWP-3Q7J-9MX8
Vulnerability from github – Published: 2024-09-17 21:30 – Updated: 2024-09-25 18:18A vulnerability was found in MicroPython 1.22.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file py/objarray.c. The manipulation leads to use after free. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 1.23.0 is able to address this issue. The identifier of the patch is 4bed614e707c0644c06e117f848fa12605c711cd. It is recommended to upgrade the affected component. In micropython objarray component, when a bytes object is resized and copied into itself, it may reference memory that has already been freed.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "micropython-copy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3.3.post3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "micropython-io"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8947"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-25T18:18:16Z",
"nvd_published_at": "2024-09-17T19:15:29Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in MicroPython 1.22.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file py/objarray.c. The manipulation leads to use after free. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 1.23.0 is able to address this issue. The identifier of the patch is 4bed614e707c0644c06e117f848fa12605c711cd. It is recommended to upgrade the affected component. In micropython objarray component, when a bytes object is resized and copied into itself, it may reference memory that has already been freed.",
"id": "GHSA-pwwp-3q7j-9mx8",
"modified": "2024-09-25T18:18:16Z",
"published": "2024-09-17T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8947"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/issues/13283"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/issues/13283#issuecomment-1918479709"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/commit/4bed614e707c0644c06e117f848fa12605c711cd"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/releases/tag/v1.23.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/micropython-copy/PYSEC-2024-92.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/micropython-io/PYSEC-2024-94.yaml"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.277765"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.277765"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.409316"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Use After Free in MicroPython"
}
GHSA-PWXF-VP8F-F327
Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-07-06 12:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free on inode when scanning root during em shrinking
At btrfs_scan_root() we are accessing the inode's root (and fs_info) in a call to btrfs_fs_closing() after we have scheduled the inode for a delayed iput, and that can result in a use-after-free on the inode in case the cleaner kthread does the iput before we dereference the inode in the call to btrfs_fs_closing().
Fix this by using the fs_info stored already in a local variable instead of doing inode->root->fs_info.
{
"affected": [],
"aliases": [
"CVE-2025-21879"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T15:15:55Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free on inode when scanning root during em shrinking\n\nAt btrfs_scan_root() we are accessing the inode\u0027s root (and fs_info) in a\ncall to btrfs_fs_closing() after we have scheduled the inode for a delayed\niput, and that can result in a use-after-free on the inode in case the\ncleaner kthread does the iput before we dereference the inode in the call\nto btrfs_fs_closing().\n\nFix this by using the fs_info stored already in a local variable instead\nof doing inode-\u003eroot-\u003efs_info.",
"id": "GHSA-pwxf-vp8f-f327",
"modified": "2025-07-06T12:30:24Z",
"published": "2025-03-27T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21879"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/07836bc18f4ae42da4e922244f4685561c18755e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59f37036bb7ab3d554c24abc856aabca01126414"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5e79d26014f9386387575b9ed60d342057cee49b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX27-V386-GC8Q
Vulnerability from github – Published: 2026-04-09 00:32 – Updated: 2026-04-16 18:31Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-5883"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:27Z",
"severity": "HIGH"
},
"details": "Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-px27-v386-gc8q",
"modified": "2026-04-16T18:31:21Z",
"published": "2026-04-09T00:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5883"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/482958590"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX2P-6FMH-CRPV
Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-01-07 18:30In the Linux kernel, the following vulnerability has been resolved:
net/smc: do not leave a dangling sk pointer in __smc_create()
Thanks to commit 4bbd360a5084 ("socket: Print pf->create() when it does not clear sock->sk on failure."), syzbot found an issue with AF_SMC:
smc_create must clear sock->sk on failure, family: 43, type: 1, protocol: 0 WARNING: CPU: 0 PID: 5827 at net/socket.c:1565 __sock_create+0x96f/0xa30 net/socket.c:1563 Modules linked in: CPU: 0 UID: 0 PID: 5827 Comm: syz-executor259 Not tainted 6.12.0-rc6-next-20241106-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__sock_create+0x96f/0xa30 net/socket.c:1563 Code: 03 00 74 08 4c 89 e7 e8 4f 3b 85 f8 49 8b 34 24 48 c7 c7 40 89 0c 8d 8b 54 24 04 8b 4c 24 0c 44 8b 44 24 08 e8 32 78 db f7 90 <0f> 0b 90 90 e9 d3 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c ee f7 RSP: 0018:ffffc90003e4fda0 EFLAGS: 00010246 RAX: 099c6f938c7f4700 RBX: 1ffffffff1a595fd RCX: ffff888034823c00 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00000000ffffffe9 R08: ffffffff81567052 R09: 1ffff920007c9f50 R10: dffffc0000000000 R11: fffff520007c9f51 R12: ffffffff8d2cafe8 R13: 1ffffffff1a595fe R14: ffffffff9a789c40 R15: ffff8880764298c0 FS: 000055557b518380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa62ff43225 CR3: 0000000031628000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sock_create net/socket.c:1616 [inline] __sys_socket_create net/socket.c:1653 [inline] __sys_socket+0x150/0x3c0 net/socket.c:1700 __do_sys_socket net/socket.c:1714 [inline] __se_sys_socket net/socket.c:1712 [inline]
For reference, see commit 2d859aff775d ("Merge branch 'do-not-leave-dangling-sk-pointers-in-pf-create-functions'")
{
"affected": [],
"aliases": [
"CVE-2024-50293"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T02:16:31Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: do not leave a dangling sk pointer in __smc_create()\n\nThanks to commit 4bbd360a5084 (\"socket: Print pf-\u003ecreate() when\nit does not clear sock-\u003esk on failure.\"), syzbot found an issue with AF_SMC:\n\nsmc_create must clear sock-\u003esk on failure, family: 43, type: 1, protocol: 0\n WARNING: CPU: 0 PID: 5827 at net/socket.c:1565 __sock_create+0x96f/0xa30 net/socket.c:1563\nModules linked in:\nCPU: 0 UID: 0 PID: 5827 Comm: syz-executor259 Not tainted 6.12.0-rc6-next-20241106-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__sock_create+0x96f/0xa30 net/socket.c:1563\nCode: 03 00 74 08 4c 89 e7 e8 4f 3b 85 f8 49 8b 34 24 48 c7 c7 40 89 0c 8d 8b 54 24 04 8b 4c 24 0c 44 8b 44 24 08 e8 32 78 db f7 90 \u003c0f\u003e 0b 90 90 e9 d3 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c ee f7\nRSP: 0018:ffffc90003e4fda0 EFLAGS: 00010246\nRAX: 099c6f938c7f4700 RBX: 1ffffffff1a595fd RCX: ffff888034823c00\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00000000ffffffe9 R08: ffffffff81567052 R09: 1ffff920007c9f50\nR10: dffffc0000000000 R11: fffff520007c9f51 R12: ffffffff8d2cafe8\nR13: 1ffffffff1a595fe R14: ffffffff9a789c40 R15: ffff8880764298c0\nFS: 000055557b518380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa62ff43225 CR3: 0000000031628000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n sock_create net/socket.c:1616 [inline]\n __sys_socket_create net/socket.c:1653 [inline]\n __sys_socket+0x150/0x3c0 net/socket.c:1700\n __do_sys_socket net/socket.c:1714 [inline]\n __se_sys_socket net/socket.c:1712 [inline]\n\nFor reference, see commit 2d859aff775d (\"Merge branch\n\u0027do-not-leave-dangling-sk-pointers-in-pf-create-functions\u0027\")",
"id": "GHSA-px2p-6fmh-crpv",
"modified": "2025-01-07T18:30:44Z",
"published": "2024-11-19T03:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50293"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d293958a8595ba566fb90b99da4d6263e14fee15"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2cc492124e1f22daa1700f069bcc58788043381"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX36-28H2-FMCP
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Windows Kernel Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43570"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:24Z",
"severity": "MODERATE"
},
"details": "Windows Kernel Elevation of Privilege Vulnerability",
"id": "GHSA-px36-28h2-fmcp",
"modified": "2024-10-08T18:33:16Z",
"published": "2024-10-08T18:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43570"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43570"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX39-2R97-X6X6
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-24 21:31Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149.
{
"affected": [],
"aliases": [
"CVE-2026-4725"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:08Z",
"severity": "CRITICAL"
},
"details": "Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox \u003c 149.",
"id": "GHSA-px39-2r97-x6x6",
"modified": "2026-03-24T21:31:23Z",
"published": "2026-03-24T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4725"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2017108"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.