CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-434P-VVGH-4RF9
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-08 18:31In the Linux kernel, the following vulnerability has been resolved:
usb: misc: usbio: Fix URB memory leak on submit failure
When usb_submit_urb() fails in usbio_probe(), the previously allocated URB is never freed, causing a memory leak.
Fix this by jumping to err_free_urb label to properly release the URB on the error path.
{
"affected": [],
"aliases": [
"CVE-2026-31757"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: usbio: Fix URB memory leak on submit failure\n\nWhen usb_submit_urb() fails in usbio_probe(), the previously allocated\nURB is never freed, causing a memory leak.\n\nFix this by jumping to err_free_urb label to properly release the URB\non the error path.",
"id": "GHSA-434p-vvgh-4rf9",
"modified": "2026-05-08T18:31:25Z",
"published": "2026-05-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31757"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1762dc43b983d321180582afba4a0c5185fae04c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/33cfe0709b6bf1a7f1a16d5e8d65d003a71b6a21"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65ff09f48b0e72e4049096a989723406aabcf091"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-449V-6J3R-MXHJ
Vulnerability from github – Published: 2025-06-23 03:30 – Updated: 2025-06-23 03:30A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-6498"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-23T02:15:20Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-449v-6j3r-mxhj",
"modified": "2025-06-23T03:30:30Z",
"published": "2025-06-23T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6498"
},
{
"type": "WEB",
"url": "https://github.com/htacg/tidy-html5/issues/1152"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/files/20438303/tidy-html5_crash_3.txt"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313614"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313614"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.601009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-44FP-W29J-9VJ5
Vulnerability from github – Published: 2025-05-19 22:04 – Updated: 2025-05-19 22:04Impact
Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance.
This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.
Patches
Users should upgrade to 2.0.0
Workarounds
None
References
- https://github.com/expressjs/multer/pull/1120
- https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "multer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47935"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T22:04:17Z",
"nvd_published_at": "2025-05-19T20:15:25Z",
"severity": "HIGH"
},
"details": "### Impact\n\nMulter \u003c2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance.\n\nThis leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.\n\n\n### Patches\n\nUsers should upgrade to `2.0.0`\n\n\n### Workarounds\n\nNone\n\n### References\n\n- https://github.com/expressjs/multer/pull/1120\n- https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665",
"id": "GHSA-44fp-w29j-9vj5",
"modified": "2025-05-19T22:04:17Z",
"published": "2025-05-19T22:04:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47935"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/pull/1120"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"
},
{
"type": "PACKAGE",
"url": "https://github.com/expressjs/multer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams"
}
GHSA-44G3-HWMH-JX63
Vulnerability from github – Published: 2025-09-15 15:31 – Updated: 2025-12-03 21:30In the Linux kernel, the following vulnerability has been resolved:
watchdog: Fix kmemleak in watchdog_cdev_register
kmemleak reports memory leaks in watchdog_dev_register, as follows: unreferenced object 0xffff888116233000 (size 2048): comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s) hex dump (first 32 bytes): 80 fa b9 05 81 88 ff ff 08 30 23 16 81 88 ff ff .........0#..... 08 30 23 16 81 88 ff ff 00 00 00 00 00 00 00 00 .0#............. backtrace: [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220 [<000000006a389304>] kmalloc_trace+0x21/0x110 [<000000008d640eea>] watchdog_dev_register+0x4e/0x780 [watchdog] [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog] [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog] [<000000001f730178>] 0xffffffffc10880ae [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0 [<00000000b98be325>] do_init_module+0x1ca/0x5f0 [<0000000046d08e7c>] load_module+0x6133/0x70f0 ...
unreferenced object 0xffff888105b9fa80 (size 16): comm ""modprobe"", pid 28147, jiffies 4353426116 (age 61.741s) hex dump (first 16 bytes): 77 61 74 63 68 64 6f 67 31 00 b9 05 81 88 ff ff watchdog1....... backtrace: [<000000007f001ffd>] __kmem_cache_alloc_node+0x157/0x220 [<00000000486ab89b>] __kmalloc_node_track_caller+0x44/0x1b0 [<000000005a39aab0>] kvasprintf+0xb5/0x140 [<0000000024806f85>] kvasprintf_const+0x55/0x180 [<000000009276cb7f>] kobject_set_name_vargs+0x56/0x150 [<00000000a92e820b>] dev_set_name+0xab/0xe0 [<00000000cec812c6>] watchdog_dev_register+0x285/0x780 [watchdog] [<0000000053c9f248>] __watchdog_register_device+0x4f0/0x680 [watchdog] [<00000000b2979824>] watchdog_register_device+0xd2/0x110 [watchdog] [<000000001f730178>] 0xffffffffc10880ae [<000000007a1a8bcc>] do_one_initcall+0xcb/0x4d0 [<00000000b98be325>] do_init_module+0x1ca/0x5f0 [<0000000046d08e7c>] load_module+0x6133/0x70f0 ...
The reason is that put_device is not be called if cdev_device_add fails and wdd->id != 0.
watchdog_cdev_register wd_data = kzalloc [1] err = dev_set_name [2] .. err = cdev_device_add if (err) { if (wdd->id == 0) { // wdd->id != 0 .. } return err; // [1],[2] would be leaked
To fix it, call put_device in all wdd->id cases.
{
"affected": [],
"aliases": [
"CVE-2023-53234"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T15:15:50Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: Fix kmemleak in watchdog_cdev_register\n\nkmemleak reports memory leaks in watchdog_dev_register, as follows:\nunreferenced object 0xffff888116233000 (size 2048):\n comm \"\"modprobe\"\", pid 28147, jiffies 4353426116 (age 61.741s)\n hex dump (first 32 bytes):\n 80 fa b9 05 81 88 ff ff 08 30 23 16 81 88 ff ff .........0#.....\n 08 30 23 16 81 88 ff ff 00 00 00 00 00 00 00 00 .0#.............\n backtrace:\n [\u003c000000007f001ffd\u003e] __kmem_cache_alloc_node+0x157/0x220\n [\u003c000000006a389304\u003e] kmalloc_trace+0x21/0x110\n [\u003c000000008d640eea\u003e] watchdog_dev_register+0x4e/0x780 [watchdog]\n [\u003c0000000053c9f248\u003e] __watchdog_register_device+0x4f0/0x680 [watchdog]\n [\u003c00000000b2979824\u003e] watchdog_register_device+0xd2/0x110 [watchdog]\n [\u003c000000001f730178\u003e] 0xffffffffc10880ae\n [\u003c000000007a1a8bcc\u003e] do_one_initcall+0xcb/0x4d0\n [\u003c00000000b98be325\u003e] do_init_module+0x1ca/0x5f0\n [\u003c0000000046d08e7c\u003e] load_module+0x6133/0x70f0\n ...\n\nunreferenced object 0xffff888105b9fa80 (size 16):\n comm \"\"modprobe\"\", pid 28147, jiffies 4353426116 (age 61.741s)\n hex dump (first 16 bytes):\n 77 61 74 63 68 64 6f 67 31 00 b9 05 81 88 ff ff watchdog1.......\n backtrace:\n [\u003c000000007f001ffd\u003e] __kmem_cache_alloc_node+0x157/0x220\n [\u003c00000000486ab89b\u003e] __kmalloc_node_track_caller+0x44/0x1b0\n [\u003c000000005a39aab0\u003e] kvasprintf+0xb5/0x140\n [\u003c0000000024806f85\u003e] kvasprintf_const+0x55/0x180\n [\u003c000000009276cb7f\u003e] kobject_set_name_vargs+0x56/0x150\n [\u003c00000000a92e820b\u003e] dev_set_name+0xab/0xe0\n [\u003c00000000cec812c6\u003e] watchdog_dev_register+0x285/0x780 [watchdog]\n [\u003c0000000053c9f248\u003e] __watchdog_register_device+0x4f0/0x680 [watchdog]\n [\u003c00000000b2979824\u003e] watchdog_register_device+0xd2/0x110 [watchdog]\n [\u003c000000001f730178\u003e] 0xffffffffc10880ae\n [\u003c000000007a1a8bcc\u003e] do_one_initcall+0xcb/0x4d0\n [\u003c00000000b98be325\u003e] do_init_module+0x1ca/0x5f0\n [\u003c0000000046d08e7c\u003e] load_module+0x6133/0x70f0\n ...\n\nThe reason is that put_device is not be called if cdev_device_add fails\nand wdd-\u003eid != 0.\n\nwatchdog_cdev_register\n wd_data = kzalloc [1]\n err = dev_set_name [2]\n ..\n err = cdev_device_add\n if (err) {\n if (wdd-\u003eid == 0) { // wdd-\u003eid != 0\n ..\n }\n return err; // [1],[2] would be leaked\n\nTo fix it, call put_device in all wdd-\u003eid cases.",
"id": "GHSA-44g3-hwmh-jx63",
"modified": "2025-12-03T21:30:59Z",
"published": "2025-09-15T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53234"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/13721a2ac66b246f5802ba1b75ad8637e53eeecc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/23cc41c3f19c4d858c3708f1c0a06e94958e6c3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50808d034e199fe3ff7a9d2068a4eebeb6b4098a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59e391b3fc507a15b7e8e9d9f4de87cae177c366"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c1655600f4f2839fb844fe8c70b2b65fadc7a56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac099d94e0480c937aa9172ab64074981ca1a4d3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf26b0e430ce34261f45959989edaf680b64d538"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5a21a5501508ae3afa2fe6d5a3e74a37fa48df3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45HW-XGGF-P88G
Vulnerability from github – Published: 2026-04-03 18:31 – Updated: 2026-05-20 15:35In the Linux kernel, the following vulnerability has been resolved:
soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, the function returns immediately without freeing the allocated memory for sys_controller, leading to a memory leak.
Fix this by jumping to the out_free label to ensure the memory is properly freed.
Also, consolidate the error handling for the mbox_request_channel() failure case to use the same label.
{
"affected": [],
"aliases": [
"CVE-2026-23464"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T16:16:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()\n\nIn mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails,\nthe function returns immediately without freeing the allocated memory\nfor sys_controller, leading to a memory leak.\n\nFix this by jumping to the out_free label to ensure the memory is\nproperly freed.\n\nAlso, consolidate the error handling for the mbox_request_channel()\nfailure case to use the same label.",
"id": "GHSA-45hw-xggf-p88g",
"modified": "2026-05-20T15:35:21Z",
"published": "2026-04-03T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23464"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/17c84fb7cf3971cc621646185d785670e9530ca1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a741f8cc6fe62542f955cd8d24933a1b6589cbd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da4b44c42f40501db35f5d0a6243708a061490a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e3dd5cffba07de6574165a72851471cd42cc6d15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45VC-784V-VP78
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-02 00:31In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow
When an invalid stc_type is provided, the function allocates memory for shared_stc but jumps to unlock_and_out without freeing it, causing a memory leak.
Fix by jumping to free_shared_stc label instead to ensure proper cleanup.
{
"affected": [],
"aliases": [
"CVE-2025-39834"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T14:15:51Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow\n\nWhen an invalid stc_type is provided, the function allocates memory for\nshared_stc but jumps to unlock_and_out without freeing it, causing a\nmemory leak.\n\nFix by jumping to free_shared_stc label instead to ensure proper cleanup.",
"id": "GHSA-45vc-784v-vp78",
"modified": "2025-12-02T00:31:10Z",
"published": "2025-09-16T15:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39834"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/051fd8576a2e4e95d5870c5c9f8679c5b16882e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a630f83592cdad1253523a1b760cfe78fef6cd9c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46FR-3C87-QQ5V
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix memory leak when a wq is reset
idxd_wq_disable_cleanup() which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty (all its resources were released).
Only set the wq type to NONE after its resources are released.
{
"affected": [],
"aliases": [
"CVE-2026-31441"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver mean that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are released.",
"id": "GHSA-46fr-3c87-qq5v",
"modified": "2026-07-14T15:31:51Z",
"published": "2026-04-22T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31441"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c3d3ac57e3c52b570b8c695903306bff07e04c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39c1504e0e76bcfb93991fd94288a83e05d13b51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54d77cc0c40ca2f894859dc7b3c52997574f1a2a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a16098a2f0c11ee5e04e23aa7478ca1fcfb0f658"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a9e7815d38629bcf59d3005001f1f315424a58de"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46G4-87Q8-H7HC
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_buf_new in rec-buf.c when called from rec_parse_rset in rec-parser.c in librec.a.
{
"affected": [],
"aliases": [
"CVE-2019-6458"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-16T18:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_buf_new in rec-buf.c when called from rec_parse_rset in rec-parser.c in librec.a.",
"id": "GHSA-46g4-87q8-h7hc",
"modified": "2022-05-13T01:22:42Z",
"published": "2022-05-13T01:22:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6458"
},
{
"type": "WEB",
"url": "https://github.com/TeamSeri0us/pocs/tree/master/recutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46Q9-G5HQ-XPGM
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-23 03:30In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix possible memleak when register 'hctx' failed
There's issue as follows when do fault injection test: unreferenced object 0xffff888132a9f400 (size 512): comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2.... 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............ backtrace: [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0 [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0 [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230 [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910 [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0 [<00000000a2a34657>] 0xffffffffa2ad310f [<00000000b173f718>] 0xffffffffa2af824a [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0 [<00000000f32fdf93>] do_init_module+0xdf/0x320 [<00000000cbe8541e>] load_module+0x3006/0x3390 [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0 [<00000000a1a29ae8>] do_syscall_64+0x35/0x80 [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fault injection context as follows: kobject_add blk_mq_register_hctx blk_mq_sysfs_register blk_register_queue device_add_disk null_add_dev.part.0 [null_blk]
As 'blk_mq_register_hctx' may already add some objects when failed halfway, but there isn't do fallback, caller don't know which objects add failed. To solve above issue just do fallback when add objects failed halfway in 'blk_mq_register_hctx'.
{
"affected": [],
"aliases": [
"CVE-2022-50434"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:35Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix possible memleak when register \u0027hctx\u0027 failed\n\nThere\u0027s issue as follows when do fault injection test:\nunreferenced object 0xffff888132a9f400 (size 512):\n comm \"insmod\", pid 308021, jiffies 4324277909 (age 509.733s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2....\n 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............\n backtrace:\n [\u003c00000000e8952bb4\u003e] kmalloc_node_trace+0x22/0xa0\n [\u003c00000000f9980e0f\u003e] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0\n [\u003c000000002e719efa\u003e] blk_mq_realloc_hw_ctxs+0x1e6/0x230\n [\u003c000000004f1fda40\u003e] blk_mq_init_allocated_queue+0x27e/0x910\n [\u003c00000000287123ec\u003e] __blk_mq_alloc_disk+0x67/0xf0\n [\u003c00000000a2a34657\u003e] 0xffffffffa2ad310f\n [\u003c00000000b173f718\u003e] 0xffffffffa2af824a\n [\u003c0000000095a1dabb\u003e] do_one_initcall+0x87/0x2a0\n [\u003c00000000f32fdf93\u003e] do_init_module+0xdf/0x320\n [\u003c00000000cbe8541e\u003e] load_module+0x3006/0x3390\n [\u003c0000000069ed1bdb\u003e] __do_sys_finit_module+0x113/0x1b0\n [\u003c00000000a1a29ae8\u003e] do_syscall_64+0x35/0x80\n [\u003c000000009cd878b0\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nFault injection context as follows:\n kobject_add\n blk_mq_register_hctx\n blk_mq_sysfs_register\n blk_register_queue\n device_add_disk\n null_add_dev.part.0 [null_blk]\n\nAs \u0027blk_mq_register_hctx\u0027 may already add some objects when failed halfway,\nbut there isn\u0027t do fallback, caller don\u0027t know which objects add failed.\nTo solve above issue just do fallback when add objects failed halfway in\n\u0027blk_mq_register_hctx\u0027.",
"id": "GHSA-46q9-g5hq-xpgm",
"modified": "2026-01-23T03:30:29Z",
"published": "2025-10-01T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50434"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/02bc8bc6eab03c84373281b85cb6e98747172ff7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/33e8a3f61814ea30615d0fafaf50477975d6c1ca"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b7a21c57b14fbcd0e1729150189e5933f5088e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b7fafa5f39b15c3a6ca3b95e534d05d6904cc95"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/654870789c3c1b9763316ef1c71d7a449127b175"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87fd18016a47ea8ae12641377a390172c4aa97a7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb186eb47fb9dd327bdefa15f0c5fc55c53a40dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e8022da1fa2fdf2fa204b445dd3354e7a66d085a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eff45bfbc25a2509a6362dea6e699e14083c693c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46VM-5748-8G36
Vulnerability from github – Published: 2025-03-12 00:31 – Updated: 2025-04-10 15:31In the Linux kernel, the following vulnerability has been resolved:
vlan: fix memory leak in vlan_newlink()
Blamed commit added back a bug I fixed in commit 9bbd917e0bec ("vlan: fix memory leak in vlan_dev_set_egress_priority")
If a memory allocation fails in vlan_changelink() after other allocations succeeded, we need to call vlan_dev_free_egress_priority() to free all allocated memory because after a failed ->newlink() we do not call any methods like ndo_uninit() or dev->priv_destructor().
In following example, if the allocation for last element 2000:2001 fails, we need to free eight prior allocations:
ip link add link dummy0 dummy0.100 type vlan id 100 \ egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001
syzbot report was:
BUG: memory leak unreferenced object 0xffff888117bd1060 (size 32): comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s) hex dump (first 32 bytes): 09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:600 [inline] [] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193 [] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128 [] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185 [] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline] [] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580 [] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593 [] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089 [] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501 [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345 [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921 [] sock_sendmsg_nosec net/socket.c:714 [inline] [] sock_sendmsg+0x56/0x80 net/socket.c:734 [] _syssendmsg+0x36c/0x390 net/socket.c:2488 [] _sys_sendmsg+0x8b/0xd0 net/socket.c:2542 [] __sys_sendmsg net/socket.c:2571 [inline] [] __do_sys_sendmsg net/socket.c:2580 [inline] [] __se_sys_sendmsg net/socket.c:2578 [inline] [] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0
{
"affected": [],
"aliases": [
"CVE-2022-49636"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:38Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: fix memory leak in vlan_newlink()\n\nBlamed commit added back a bug I fixed in commit 9bbd917e0bec\n(\"vlan: fix memory leak in vlan_dev_set_egress_priority\")\n\nIf a memory allocation fails in vlan_changelink() after other allocations\nsucceeded, we need to call vlan_dev_free_egress_priority()\nto free all allocated memory because after a failed -\u003enewlink()\nwe do not call any methods like ndo_uninit() or dev-\u003epriv_destructor().\n\nIn following example, if the allocation for last element 2000:2001 fails,\nwe need to free eight prior allocations:\n\nip link add link dummy0 dummy0.100 type vlan id 100 \\\n\tegress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001\n\nsyzbot report was:\n\nBUG: memory leak\nunreferenced object 0xffff888117bd1060 (size 32):\ncomm \"syz-executor408\", pid 3759, jiffies 4294956555 (age 34.090s)\nhex dump (first 32 bytes):\n09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[\u003cffffffff83fc60ad\u003e] kmalloc include/linux/slab.h:600 [inline]\n[\u003cffffffff83fc60ad\u003e] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193\n[\u003cffffffff83fc6628\u003e] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128\n[\u003cffffffff83fc67c8\u003e] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185\n[\u003cffffffff838b1278\u003e] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]\n[\u003cffffffff838b1278\u003e] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580\n[\u003cffffffff838b1629\u003e] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593\n[\u003cffffffff838ac66c\u003e] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089\n[\u003cffffffff839f9c37\u003e] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501\n[\u003cffffffff839f8da7\u003e] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n[\u003cffffffff839f8da7\u003e] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n[\u003cffffffff839f9266\u003e] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n[\u003cffffffff8384dbf6\u003e] sock_sendmsg_nosec net/socket.c:714 [inline]\n[\u003cffffffff8384dbf6\u003e] sock_sendmsg+0x56/0x80 net/socket.c:734\n[\u003cffffffff8384e15c\u003e] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488\n[\u003cffffffff838523cb\u003e] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542\n[\u003cffffffff838525b8\u003e] __sys_sendmsg net/socket.c:2571 [inline]\n[\u003cffffffff838525b8\u003e] __do_sys_sendmsg net/socket.c:2580 [inline]\n[\u003cffffffff838525b8\u003e] __se_sys_sendmsg net/socket.c:2578 [inline]\n[\u003cffffffff838525b8\u003e] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578\n[\u003cffffffff845ad8d5\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[\u003cffffffff845ad8d5\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[\u003cffffffff8460006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0",
"id": "GHSA-46vm-5748-8g36",
"modified": "2025-04-10T15:31:41Z",
"published": "2025-03-12T00:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49636"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.