CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-2FPJ-CV6P-P352
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-21 21:30MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
{
"affected": [],
"aliases": [
"CVE-2023-47384"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T20:15:08Z",
"severity": "MODERATE"
},
"details": "MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.",
"id": "GHSA-2fpj-cv6p-p352",
"modified": "2023-11-21T21:30:21Z",
"published": "2023-11-14T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47384"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/2672"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2GPX-GJMM-6PFF
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function allocates memory for the device path using kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC but does not free the allocated memory, resulting in a memory leak.
Add a kfree() call to the error path to ensure the allocated memory is properly freed.
Compile tested only. Issue found using a prototype static analysis tool and code review.
{
"affected": [],
"aliases": [
"CVE-2026-45922"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:07Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler\n\nThe UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function\nallocates memory for the device path using kobject_get_path(). If the\nlength of the device path exceeds the output buffer length, the function\nreturns -ENOSPC but does not free the allocated memory, resulting in a\nmemory leak.\n\nAdd a kfree() call to the error path to ensure the allocated memory is\nproperly freed.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review.",
"id": "GHSA-2gpx-gjmm-6pff",
"modified": "2026-06-24T18:32:28Z",
"published": "2026-05-27T15:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45922"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b9d253908478f504297ac283c514e5953ddafa6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2bc649c18fbe8a7fd38d17266da3dcbfbcc44d2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3a10eca24fcfe913c0875e620f19596001bd6dc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee998cdbff6680891b0efd9d6ce53a388e5342c3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2GW5-9PX7-VP56
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-01-07 12:30In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox < 118.
{
"affected": [],
"aliases": [
"CVE-2023-5170"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:42Z",
"severity": "HIGH"
},
"details": "In canvas rendering, a compromised content process could have caused a surface to change unexpectedly, leading to a memory leak of a privileged process. This memory leak could be used to effect a sandbox escape if the correct data was leaked. This vulnerability affects Firefox \u003c 118.",
"id": "GHSA-2gw5-9px7-vp56",
"modified": "2024-01-07T12:30:29Z",
"published": "2023-09-27T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5170"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1846686"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-10"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2H76-3PQM-PM8J
Vulnerability from github – Published: 2025-10-07 18:31 – Updated: 2026-02-03 18:30In the Linux kernel, the following vulnerability has been resolved:
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
When the best clk is searched, we iterate over all possible clk.
If we find a better match, the previous one, if any, needs to be freed. If a better match has already been found, we still need to free the new one, otherwise it leaks.
{
"affected": [],
"aliases": [
"CVE-2023-53687"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-07T16:15:53Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk\n\nWhen the best clk is searched, we iterate over all possible clk.\n\nIf we find a better match, the previous one, if any, needs to be freed.\nIf a better match has already been found, we still need to free the new\none, otherwise it leaks.",
"id": "GHSA-2h76-3pqm-pm8j",
"modified": "2026-02-03T18:30:30Z",
"published": "2025-10-07T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53687"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01dd8a43a84616c830782166ba3cceb01ad95363"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1962717c4649e026a4252fe6625175affd28a593"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f426293fef1c13742b2a685bf7e363f51f6ee03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/46574e5a0a2aee41e6ebb979cfe1dbaea8693e16"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/832e231cff476102e8204a9e7bddfe5c6154a375"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/933e5b2998bc3a527d15efbf1e97c9e63297aa3c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9dd8091959bc41fee51d0827276a2b982e84adf0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f0bf102ef9b05d7294bd8d506755465f6867d944"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2H7H-J22F-V4P9
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a "big" pool.
{
"affected": [],
"aliases": [
"CVE-2019-6493"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-11T20:29:00Z",
"severity": "MODERATE"
},
"details": "SmartDefragDriver.sys (2.0) in IObit Smart Defrag 6 never frees an executable kernel pool that is allocated with user defined bytes and size when IOCTL 0x9C401CC0 is called. This kernel pointer can be leaked if the kernel pool becomes a \"big\" pool.",
"id": "GHSA-2h7h-j22f-v4p9",
"modified": "2022-05-13T01:22:43Z",
"published": "2022-05-13T01:22:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6493"
},
{
"type": "WEB",
"url": "https://downwithup.github.io/CVEPosts.html"
},
{
"type": "WEB",
"url": "https://www.iobit.com/en/iobitsmartdefrag.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2HF5-VJ7W-QQ52
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:30In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix memory leak in lbs_init_adapter()
When kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not released. Add free memory to processing error path.
{
"affected": [],
"aliases": [
"CVE-2022-50294"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:40Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix memory leak in lbs_init_adapter()\n\nWhen kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not\nreleased. Add free memory to processing error path.",
"id": "GHSA-2hf5-vj7w-qq52",
"modified": "2025-12-03T21:30:59Z",
"published": "2025-09-15T15:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50294"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/037f84c0bfae5c436c651d0e804264e2648010ec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16a03958618fb91bb1bc7077cf3211055162cc2f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23b34e08de5c2380414c9d3c33e8235094bcccae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c102ad59bfa66c0f6662af64fa3b9007b02c20f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/653d13a73e498d0bb6aeaf689aaa960defa7878b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98e0ff6980c89239d9e5d3da90d791c2383dc23a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c8f50c7433bdfba1588831c413136ecc3f29f99"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d46c33f667b05c22bc5c5b69aa730349c4b6fe31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2HGR-Q34G-9RRW
Vulnerability from github – Published: 2023-08-29 00:32 – Updated: 2023-11-04 03:30A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.
{
"affected": [],
"aliases": [
"CVE-2023-4569"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-28T22:15:10Z",
"severity": "MODERATE"
},
"details": "A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.",
"id": "GHSA-2hgr-q34g-9rrw",
"modified": "2023-11-04T03:30:18Z",
"published": "2023-08-29T00:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4569"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4569"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235470"
},
{
"type": "WEB",
"url": "https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230812110526.49808-1-fw@strlen.de"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2HQP-7448-QRW3
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-22 00:00The MPTCP module has the memory leak vulnerability. Successful exploitation of this vulnerability can cause memory leaks.
{
"affected": [],
"aliases": [
"CVE-2022-39005"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-16T18:15:00Z",
"severity": "HIGH"
},
"details": "The MPTCP module has the memory leak vulnerability. Successful exploitation of this vulnerability can cause memory leaks.",
"id": "GHSA-2hqp-7448-qrw3",
"modified": "2022-09-22T00:00:31Z",
"published": "2022-09-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39005"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/9"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202209-0000001392278845"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2HWX-F32F-7QP6
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 21:31In the Linux kernel, the following vulnerability has been resolved:
i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
The xfer structure allocated by renesas_i3c_alloc_xfer() was never freed in the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup attribute to automatically free the memory when the variable goes out of scope.
{
"affected": [],
"aliases": [
"CVE-2026-53030"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:14Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()\n\nThe xfer structure allocated by renesas_i3c_alloc_xfer() was never freed\nin the renesas_i3c_i3c_xfers() function. Use the __free(kfree) cleanup\nattribute to automatically free the memory when the variable goes out of\nscope.",
"id": "GHSA-2hwx-f32f-7qp6",
"modified": "2026-07-14T21:31:29Z",
"published": "2026-06-24T18:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53030"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b6a7e94be678d34a9ccb9db7e2443ae02ad2bc8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab8f00ffcca0f618fb8198d358f24728950d9860"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d7665c3b4f575251e449e2656879392346ca612b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2J2F-9HJH-V2XM
Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-17 21:31In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO.
ENXIO is set by nfc_llcp_socket_release() when struct nfc_llcp_local is destroyed by local_cleanup().
The problem is that there is no synchronisation between nfc_llcp_send_ui_frame() and local_cleanup(), and skb could be put into local->tx_queue after it was purged in local_cleanup():
CPU1 CPU2 ---- ---- nfc_llcp_send_ui_frame() local_cleanup() |- do { ' |- pdu = nfc_alloc_send_skb(..., &err) | . | |- nfc_llcp_socket_release(local, false, ENXIO); | |- skb_queue_purge(&local->tx_queue); | | ' | |- skb_queue_tail(&local->tx_queue, pdu); | ... | |- pdu = nfc_alloc_send_skb(..., &err) | ^._________.'
local_cleanup() is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices.
If we hold local->tx_queue.lock then, we can synchronise the thread and nfc_llcp_send_ui_frame().
Let's do that and check list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
[0]: [ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6) [ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff8881272f6800 (size 1024): comm "syz.0.17", pid 6096, jiffies 4294942766 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............ backtrace (crc da58d84d): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] __do_kmalloc_node mm/slub.c:5645 [inline] __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658 kmalloc_noprof include/linux/slab.h:961 [inline] sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239 sk_alloc+0x36/0x360 net/core/sock.c:2295 nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979 llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044 nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31 __sock_create+0x1a9/0x340 net/socket.c:1605 sock_create net/socket.c:1663 [inline] __sys_socket_create net/socket.c:1700 [inline] __sys_socket+0xb9/0x1a0 net/socket.c:1747 __do_sys_socket net/socket.c:1761 [inline] __se_sys_socket net/socket.c:1759 [inline] __x64_sys_socket+0x1b/0x30 net/socket.c:1759 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak unreferenced object 0xffff88810fbd9800 (size 240): comm "syz.0.17", pid 6096, jiffies 4294942850 hex dump (first 32 bytes): 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h....... 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'.... backtrace (crc 6cc652b1): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4979 [inline] slab_alloc_node mm/slub.c:5284 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/sk ---truncated---
{
"affected": [],
"aliases": [
"CVE-2026-23150"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-14T16:15:55Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local-\u003etx_queue after it was purged in\nlocal_cleanup():\n\n CPU1 CPU2\n ---- ----\n nfc_llcp_send_ui_frame() local_cleanup()\n |- do { \u0027\n |- pdu = nfc_alloc_send_skb(..., \u0026err)\n | .\n | |- nfc_llcp_socket_release(local, false, ENXIO);\n | |- skb_queue_purge(\u0026local-\u003etx_queue); |\n | \u0027 |\n |- skb_queue_tail(\u0026local-\u003etx_queue, pdu); |\n ... |\n |- pdu = nfc_alloc_send_skb(..., \u0026err) |\n ^._________________________________.\u0027\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local-\u003etx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet\u0027s do that and check list_empty(\u0026local-\u003elist) before\nqueuing skb to local-\u003etx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n comm \"syz.0.17\", pid 6096, jiffies 4294942766\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 \u0027..@............\n backtrace (crc da58d84d):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n kmalloc_noprof include/linux/slab.h:961 [inline]\n sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n sk_alloc+0x36/0x360 net/core/sock.c:2295\n nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n __sock_create+0x1a9/0x340 net/socket.c:1605\n sock_create net/socket.c:1663 [inline]\n __sys_socket_create net/socket.c:1700 [inline]\n __sys_socket+0xb9/0x1a0 net/socket.c:1747\n __do_sys_socket net/socket.c:1761 [inline]\n __se_sys_socket net/socket.c:1759 [inline]\n __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n comm \"syz.0.17\", pid 6096, jiffies 4294942850\n hex dump (first 32 bytes):\n 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......\n 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/\u0027....\n backtrace (crc 6cc652b1):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---",
"id": "GHSA-2j2f-9hjh-v2xm",
"modified": "2026-03-17T21:31:41Z",
"published": "2026-02-14T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23150"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.