CWE-401
AllowedMissing Release of Memory after Effective Lifetime
Abstraction: Variant · Status: Draft
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
2002 vulnerabilities reference this CWE, most recent first.
GHSA-589Q-VFC2-J9CG
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-09 21:32In the Linux kernel, the following vulnerability has been resolved:
usb: usblp: fix heap leak in IEEE 1284 device ID via short response
usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.
usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.
That stale data is then exposed: - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated at the first NUL in the stale heap), and - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device.
Fix this up by just zapping the buffer with zeros before each request sent to the device.
{
"affected": [],
"aliases": [
"CVE-2026-46151"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:30Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usblp: fix heap leak in IEEE 1284 device ID via short response\n\nusblp_ctrl_msg() collapses the usb_control_msg() return value to\n0/-errno, discarding the actual number of bytes transferred. A broken\nprinter can complete the GET_DEVICE_ID control transfer short and the\ndriver has no way to know.\n\nusblp_cache_device_id_string() reads the 2-byte big-endian length prefix\nfrom the response and trusts it (clamped only to the buffer bounds).\nThe buffer is kmalloc(1024) at probe time. A device that sends exactly\ntwo bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves\ndevice_id_string[2..1022] holding stale kmalloc heap.\n\nThat stale data is then exposed:\n - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated\n at the first NUL in the stale heap), and\n - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full\n claimed length regardless of NULs, up to 1021 bytes of uninitialized\n heap, with the leak size chosen by the device.\n\nFix this up by just zapping the buffer with zeros before each request\nsent to the device.",
"id": "GHSA-589q-vfc2-j9cg",
"modified": "2026-06-09T21:32:19Z",
"published": "2026-05-28T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46151"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4220d4dd062ea3d3eb056a6cbe0b568e740d20b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4650cce898fcd0bb8c33e529984687a8caed10c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/612640abbd9e0947fe8f37aaf0cf324265d7caa4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5978-36F5-C92V
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2022-05-24 16:49ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
{
"affected": [],
"aliases": [
"CVE-2019-13133"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-01T20:15:00Z",
"severity": "MODERATE"
},
"details": "ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.",
"id": "GHSA-5978-36f5-c92v",
"modified": "2022-05-24T16:49:08Z",
"published": "2022-05-24T16:49:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13133"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/1600"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/fe3066122ef72c82415811d25e9e3fad622c0a99"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00069.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-59M5-88PM-RMCF
Vulnerability from github – Published: 2025-08-14 18:31 – Updated: 2025-08-14 18:31A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition.
This vulnerability is due to improper parsing of IKEv2 packets. An attacker could exploit this vulnerability by sending a continuous stream of crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to partially exhaust system memory, causing system instability like being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition.
{
"affected": [],
"aliases": [
"CVE-2025-20224"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T17:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition.\n\n This vulnerability is due to improper parsing of IKEv2 packets. An attacker could exploit this vulnerability by sending a continuous stream of crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to partially exhaust system memory, causing system instability like being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition.",
"id": "GHSA-59m5-88pm-rmcf",
"modified": "2025-08-14T18:31:29Z",
"published": "2025-08-14T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20224"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ios-dos-DOESHWHy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-59QG-QCPJ-8HF9
Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2025-04-08 09:31A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions), Nucleus Source Code (Versions including affected FTP server). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.
{
"affected": [],
"aliases": [
"CVE-2022-38371"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-11T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions), Nucleus Source Code (Versions including affected FTP server). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.",
"id": "GHSA-59qg-qcpj-8hf9",
"modified": "2025-04-08T09:31:08Z",
"published": "2022-10-11T12:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38371"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-313313.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-935500.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-313313.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-935500.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5C8M-GJ2J-M6JW
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-12-03 18:30In the Linux kernel, the following vulnerability has been resolved:
drm/client: Fix memory leak in drm_client_modeset_probe
When a new mode is set to modeset->mode, the previous mode should be freed. This fixes the following kmemleak report:
drm_mode_duplicate+0x45/0x220 [drm] drm_client_modeset_probe+0x944/0xf50 [drm] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] drm_client_register+0x169/0x240 [drm] ast_pci_probe+0x142/0x190 [ast] local_pci_probe+0xdc/0x180 work_for_cpu_fn+0x4e/0xa0 process_one_work+0x8b7/0x1540 worker_thread+0x70a/0xed0 kthread+0x29f/0x340 ret_from_fork+0x1f/0x30
{
"affected": [],
"aliases": [
"CVE-2023-53288"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T08:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fix memory leak in drm_client_modeset_probe\n\nWhen a new mode is set to modeset-\u003emode, the previous mode should be freed.\nThis fixes the following kmemleak report:\n\ndrm_mode_duplicate+0x45/0x220 [drm]\ndrm_client_modeset_probe+0x944/0xf50 [drm]\n__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]\ndrm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]\ndrm_client_register+0x169/0x240 [drm]\nast_pci_probe+0x142/0x190 [ast]\nlocal_pci_probe+0xdc/0x180\nwork_for_cpu_fn+0x4e/0xa0\nprocess_one_work+0x8b7/0x1540\nworker_thread+0x70a/0xed0\nkthread+0x29f/0x340\nret_from_fork+0x1f/0x30",
"id": "GHSA-5c8m-gj2j-m6jw",
"modified": "2025-12-03T18:30:20Z",
"published": "2025-09-16T15:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53288"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1369d0c586ad44f2d18fe2f4cbc5bcb24132fa71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2329cc7a101af1a844fbf706c0724c0baea38365"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d580017bdb9b3e930b6009e467e5e1589f8ca8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f2a12f64347f535c6ef55fa7eb36a2874d69b59"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8108a494639e56aea77e7196a1d6ea89792b9d4a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/917bef37cfaca07781c6fbaf6cd9404d27e64e6f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CFF-2GQ4-5CV9
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-03-12 15:32A memory leak issue discovered in parseSWF_FILLSTYLEARRAY in libming v0.4.8 allows attackers to cause s denial of service via a crafted SWF file.
{
"affected": [],
"aliases": [
"CVE-2024-24147"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:44:11Z",
"severity": "MODERATE"
},
"details": "A memory leak issue discovered in parseSWF_FILLSTYLEARRAY in libming v0.4.8 allows attackers to cause s denial of service via a crafted SWF file.",
"id": "GHSA-5cff-2gq4-5cv9",
"modified": "2024-03-12T15:32:15Z",
"published": "2024-02-29T03:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24147"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming/issues/311"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CG2-HFC8-XX57
Vulnerability from github – Published: 2025-09-24 12:30 – Updated: 2025-12-12 21:31In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps is not freed in the failure case, causing a memory leak. The following trace is observed in kmemleak:
unreferenced object 0xffff8b3eb5789c00 (size 1024): comm "softirq", pid 0, jiffies 4294942577 hex dump (first 32 bytes): 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{... 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8.. backtrace (crc 44e1c357): __kmalloc_noprof+0x30b/0x410 ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k] ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k] ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k] ath12k_ce_recv_process_cb+0x218/0x300 [ath12k] ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k] process_one_work+0x219/0x680 bh_worker+0x198/0x1f0 tasklet_action+0x13/0x30 handle_softirqs+0xca/0x460 __irq_exit_rcu+0xbe/0x110 irq_exit_rcu+0x9/0x30
Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
{
"affected": [],
"aliases": [
"CVE-2025-39890"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T11:15:32Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_service_ready_ext_event\n\nCurrently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps\nis not freed in the failure case, causing a memory leak. The following\ntrace is observed in kmemleak:\n\nunreferenced object 0xffff8b3eb5789c00 (size 1024):\n comm \"softirq\", pid 0, jiffies 4294942577\n hex dump (first 32 bytes):\n 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{...\n 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8..\n backtrace (crc 44e1c357):\n __kmalloc_noprof+0x30b/0x410\n ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]\n ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]\n ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]\n ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]\n ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]\n ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]\n ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]\n process_one_work+0x219/0x680\n bh_worker+0x198/0x1f0\n tasklet_action+0x13/0x30\n handle_softirqs+0xca/0x460\n __irq_exit_rcu+0xbe/0x110\n irq_exit_rcu+0x9/0x30\n\nFree svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
"id": "GHSA-5cg2-hfc8-xx57",
"modified": "2025-12-12T21:31:32Z",
"published": "2025-09-24T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39890"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1089f65b2de78c7837ef6b4f26146a5a5b0b9749"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a392f874ac83a77ad0e53eb8aafdbeb787c9298"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89142d34d5602c7447827beb181fa06eb08b9d5c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/99dbad1b01d3b2f361a9db55c1af1212be497a3d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CMC-7W2J-JPJ5
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access.
{
"affected": [],
"aliases": [
"CVE-2019-14559"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-23T16:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access.",
"id": "GHSA-5cmc-7w2j-jpj5",
"modified": "2022-05-24T17:34:47Z",
"published": "2022-05-24T17:34:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14559"
},
{
"type": "WEB",
"url": "https://bugzilla.tianocore.org/show_bug.cgi?id=2031"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00032.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5CMQ-7JHJ-36R8
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-02-26 21:31In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails.
{
"affected": [],
"aliases": [
"CVE-2025-71154"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix memory leak on usb_submit_urb() failure\n\nIn async_set_registers(), when usb_submit_urb() fails, the allocated\n async_req structure and URB are not freed, causing a memory leak.\n\n The completion callback async_set_reg_cb() is responsible for freeing\n these allocations, but it is only called after the URB is successfully\n submitted and completes (successfully or with error). If submission\n fails, the callback never runs and the memory is leaked.\n\n Fix this by freeing both the URB and the request structure in the error\n path when usb_submit_urb() fails.",
"id": "GHSA-5cmq-7jhj-36r8",
"modified": "2026-02-26T21:31:27Z",
"published": "2026-01-23T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71154"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CP3-HG96-HVR9
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-24 21:31In the Linux kernel, the following vulnerability has been resolved:
net: mdiobus: fix unbalanced node reference count
I got the following report while doing device(mscc-miim) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0
If the 'fwnode' is not an acpi node, the refcount is get in fwnode_mdiobus_phy_device_register(), but it has never been put when the device is freed in the normal path. So call fwnode_handle_put() in phy_device_release() to avoid leak.
If it's an acpi node, it has never been get, but it's put in the error path, so call fwnode_handle_get() before phy_device_register() to keep get/put operation balanced.
{
"affected": [],
"aliases": [
"CVE-2022-49016"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdiobus: fix unbalanced node reference count\n\nI got the following report while doing device(mscc-miim) load test\nwith CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:\n\n OF: ERROR: memory leak, expected refcount 1 instead of 2,\n of_node_get()/of_node_put() unbalanced - destroy cset entry:\n attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0\n\nIf the \u0027fwnode\u0027 is not an acpi node, the refcount is get in\nfwnode_mdiobus_phy_device_register(), but it has never been\nput when the device is freed in the normal path. So call\nfwnode_handle_put() in phy_device_release() to avoid leak.\n\nIf it\u0027s an acpi node, it has never been get, but it\u0027s put\nin the error path, so call fwnode_handle_get() before\nphy_device_register() to keep get/put operation balanced.",
"id": "GHSA-5cp3-hg96-hvr9",
"modified": "2024-10-24T21:31:02Z",
"published": "2024-10-21T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49016"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2708b357440427d6a9fee667eb7b8307f4625adc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/543d917f691ab06885ee779c862065899eaa4251"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cdde1560118f82498fc9e9a7c1ef7f0ef7755891"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-41
Strategy: Libraries or Frameworks
- Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
- For example, glibc in Linux provides protection against free of invalid pointers.
- When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
- To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Consider using the Boehm-Demers-Weiser garbage collector (bdwgc), which can help avoid leaks.
No CAPEC attack patterns related to this CWE.