Common Weakness Enumeration

CWE-401

Allowed

Missing Release of Memory after Effective Lifetime

Abstraction: Variant · Status: Draft

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

2002 vulnerabilities reference this CWE, most recent first.

GHSA-2FPJ-CV6P-P352

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-21 21:30
VLAI
Details

MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.",
  "id": "GHSA-2fpj-cv6p-p352",
  "modified": "2023-11-21T21:30:21Z",
  "published": "2023-11-14T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47384"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/issues/2672"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GPX-GJMM-6PFF

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler

The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function allocates memory for the device path using kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC but does not free the allocated memory, resulting in a memory leak.

Add a kfree() call to the error path to ensure the allocated memory is properly freed.

Compile tested only. Issue found using a prototype static analysis tool and code review.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler\n\nThe UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function\nallocates memory for the device path using kobject_get_path(). If the\nlength of the device path exceeds the output buffer length, the function\nreturns -ENOSPC but does not free the allocated memory, resulting in a\nmemory leak.\n\nAdd a kfree() call to the error path to ensure the allocated memory is\nproperly freed.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review.",
  "id": "GHSA-2gpx-gjmm-6pff",
  "modified": "2026-06-24T18:32:28Z",
  "published": "2026-05-27T15:33:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45922"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b9d253908478f504297ac283c514e5953ddafa6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2bc649c18fbe8a7fd38d17266da3dcbfbcc44d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3a10eca24fcfe913c0875e620f19596001bd6dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee998cdbff6680891b0efd9d6ce53a388e5342c3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GW5-9PX7-VP56

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-01-07 12:30
VLAI
Details

In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox < 118.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:42Z",
    "severity": "HIGH"
  },
  "details": "In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox \u003c 118.",
  "id": "GHSA-2gw5-9px7-vp56",
  "modified": "2024-01-07T12:30:29Z",
  "published": "2023-09-27T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5170"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1846686"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-10"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-41"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H76-3PQM-PM8J

Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-03 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk

When the best clk is searched, we iterate over all possible clk.

If we find a better match, the previous one, if any, needs to be freed. If a better match has already been found, we still need to free the new one, otherwise it leaks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T16:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk\n\nWhen the best clk is searched, we iterate over all possible clk.\n\nIf we find a better match, the previous one, if any, needs to be freed.\nIf a better match has already been found, we still need to free the new\none, otherwise it leaks.",
  "id": "GHSA-2h76-3pqm-pm8j",
  "modified": "2026-02-03T18:30:30Z",
  "published": "2025-10-07T18:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53687"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01dd8a43a84616c830782166ba3cceb01ad95363"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1962717c4649e026a4252fe6625175affd28a593"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f426293fef1c13742b2a685bf7e363f51f6ee03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46574e5a0a2aee41e6ebb979cfe1dbaea8693e16"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/832e231cff476102e8204a9e7bddfe5c6154a375"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/933e5b2998bc3a527d15efbf1e97c9e63297aa3c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9dd8091959bc41fee51d0827276a2b982e84adf0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f0bf102ef9b05d7294bd8d506755465f6867d944"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H7H-J22F-V4P9

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-11T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a \"big\" pool.",
  "id": "GHSA-2h7h-j22f-v4p9",
  "modified": "2022-05-13T01:22:43Z",
  "published": "2022-05-13T01:22:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6493"
    },
    {
      "type": "WEB",
      "url": "https://downwithup.github.io/CVEPosts.html"
    },
    {
      "type": "WEB",
      "url": "https://www.iobit.com/en/iobitsmartdefrag.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HF5-VJ7W-QQ52

Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix memory leak in lbs_init_adapter()

When kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not released. Add free memory to processing error path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix memory leak in lbs_init_adapter()\n\nWhen kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not\nreleased. Add free memory to processing error path.",
  "id": "GHSA-2hf5-vj7w-qq52",
  "modified": "2025-12-03T21:30:59Z",
  "published": "2025-09-15T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50294"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/037f84c0bfae5c436c651d0e804264e2648010ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16a03958618fb91bb1bc7077cf3211055162cc2f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23b34e08de5c2380414c9d3c33e8235094bcccae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c102ad59bfa66c0f6662af64fa3b9007b02c20f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/653d13a73e498d0bb6aeaf689aaa960defa7878b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98e0ff6980c89239d9e5d3da90d791c2383dc23a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c8f50c7433bdfba1588831c413136ecc3f29f99"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d46c33f667b05c22bc5c5b69aa730349c4b6fe31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HGR-Q34G-9RRW

Vulnerability from github – Published: 2023-08-29 00:32 – Updated: 2023-11-04 03:30
VLAI
Details

A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.",
  "id": "GHSA-2hgr-q34g-9rrw",
  "modified": "2023-11-04T03:30:18Z",
  "published": "2023-08-29T00:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4569"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4569"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235470"
    },
    {
      "type": "WEB",
      "url": "https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230812110526.49808-1-fw@strlen.de"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5492"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HQP-7448-QRW3

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-22 00:00
VLAI
Details

The MPTCP module has the memory leak vulnerability. Successful exploitation of this vulnerability can cause memory leaks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The MPTCP module has the memory leak vulnerability. Successful exploitation of this vulnerability can cause memory leaks.",
  "id": "GHSA-2hqp-7448-qrw3",
  "modified": "2022-09-22T00:00:31Z",
  "published": "2022-09-17T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39005"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/9"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202209-0000001392278845"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HWX-F32F-7QP6

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()

The xfer structure allocated by renesas_i3c_alloc_xfer() was never freed in the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup attribute to automatically free the memory when the variable goes out of scope.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()\n\nThe xfer structure allocated by renesas_i3c_alloc_xfer() was never freed\nin the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup\nattribute to automatically free the memory when the variable goes out of\nscope.",
  "id": "GHSA-2hwx-f32f-7qp6",
  "modified": "2026-07-14T21:31:29Z",
  "published": "2026-06-24T18:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53030"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b6a7e94be678d34a9ccb9db7e2443ae02ad2bc8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab8f00ffcca0f618fb8198d358f24728950d9860"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d7665c3b4f575251e449e2656879392346ca612b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2J2F-9HJH-V2XM

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-17 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().

syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]

The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO.

ENXIO is set by nfc_llcp_socket_release() when struct nfc_llcp_local is destroyed by local_cleanup().

The problem is that there is no synchronisation between nfc_llcp_send_ui_frame() and local_cleanup(), and skb could be put into local->tx_queue after it was purged in local_cleanup():

CPU1 CPU2 ---- ---- nfc_llcp_send_ui_frame() local_cleanup() |- do { ' |- pdu = nfc_alloc_send_skb(..., &err) | . | |- nfc_llcp_socket_release(local, false, ENXIO); | |- skb_queue_purge(&local->tx_queue); | | ' | |- skb_queue_tail(&local->tx_queue, pdu); | ... | |- pdu = nfc_alloc_send_skb(..., &err) | ^._________.'

local_cleanup() is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices.

If we hold local->tx_queue.lock then, we can synchronise the thread and nfc_llcp_send_ui_frame().

Let's do that and check list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().

[0]: [ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) [ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881272f6800 (size 1024): comm "syz.0.17", pid 6096, jiffies 4294942766 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc da58d84d): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 kmalloc_noprof include/linux/slab.h:961 [inline] sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 sk_alloc+0x36/0x360 net/core/sock.c:2295 nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 __sock_create+0x1a9/0x340 net/socket.c:1605 sock_create net/socket.c:1663 [inline] __sys_socket_create net/socket.c:1700 [inline] __sys_socket+0xb9/0x1a0 net/socket.c:1747 __do_sys_socket net/socket.c:1761 [inline] __se_sys_socket net/socket.c:1759 [inline] __x64_sys_socket+0x1b/0x30 net/socket.c:1759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak unreferenced object 0xffff88810fbd9800 (size 240): comm "syz.0.17", pid 6096, jiffies 4294942850 hex dump (first 32 bytes): 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... backtrace (crc 6cc652b1): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/sk ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T16:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local-\u003etx_queue after it was purged in\nlocal_cleanup():\n\n  CPU1                          CPU2\n  ----                          ----\n  nfc_llcp_send_ui_frame()      local_cleanup()\n  |- do {                       \u0027\n     |- pdu = nfc_alloc_send_skb(..., \u0026err)\n     |                          .\n     |                          |- nfc_llcp_socket_release(local, false, ENXIO);\n     |                          |- skb_queue_purge(\u0026local-\u003etx_queue);      |\n     |                          \u0027                                          |\n     |- skb_queue_tail(\u0026local-\u003etx_queue, pdu);                             |\n    ...                                                                    |\n     |- pdu = nfc_alloc_send_skb(..., \u0026err)                                |\n                                       ^._________________________________.\u0027\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local-\u003etx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet\u0027s do that and check list_empty(\u0026local-\u003elist) before\nqueuing skb to local-\u003etx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n  comm \"syz.0.17\", pid 6096, jiffies 4294942766\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  \u0027..@............\n  backtrace (crc da58d84d):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4979 [inline]\n    slab_alloc_node mm/slub.c:5284 [inline]\n    __do_kmalloc_node mm/slub.c:5645 [inline]\n    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n    kmalloc_noprof include/linux/slab.h:961 [inline]\n    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n    sk_alloc+0x36/0x360 net/core/sock.c:2295\n    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n    __sock_create+0x1a9/0x340 net/socket.c:1605\n    sock_create net/socket.c:1663 [inline]\n    __sys_socket_create net/socket.c:1700 [inline]\n    __sys_socket+0xb9/0x1a0 net/socket.c:1747\n    __do_sys_socket net/socket.c:1761 [inline]\n    __se_sys_socket net/socket.c:1759 [inline]\n    __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n  comm \"syz.0.17\", pid 6096, jiffies 4294942850\n  hex dump (first 32 bytes):\n    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......\n    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/\u0027....\n  backtrace (crc 6cc652b1):\n    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n    slab_post_alloc_hook mm/slub.c:4979 [inline]\n    slab_alloc_node mm/slub.c:5284 [inline]\n    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n    __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n    alloc_skb include/linux/skbuff.h:1383 [inline]\n    alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---",
  "id": "GHSA-2j2f-9hjh-v2xm",
  "modified": "2026-03-17T21:31:41Z",
  "published": "2026-02-14T18:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23150"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-41
Implementation

Strategy: Libraries or Frameworks

  • Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
  • For example, glibc in Linux provides protection against free of invalid pointers.
  • When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
  • To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Architecture and Design Build and Compilation

Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.

No CAPEC attack patterns related to this CWE.