Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-34H4-H6V3-W52H

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:35
VLAI
Details

Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1.0.135(C782), 8.1.0.154(C10), 8.1.0.154(C461), 8.1.0.154(C635), 8.1.0.156(C185), 8.1.0.156(C605), 8.1.0.159(C636) have a double free vulnerability. An attacker can trick a user to click a URL to exploit this vulnerability. Successful exploitation may cause the affected phone abnormal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-08T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Huawei smart phones Emily-L29C with versions of 8.1.0.132a(C432), 8.1.0.135(C782), 8.1.0.154(C10), 8.1.0.154(C461), 8.1.0.154(C635), 8.1.0.156(C185), 8.1.0.156(C605), 8.1.0.159(C636) have a double free vulnerability. An attacker can trick a user to click a URL to exploit this vulnerability. Successful exploitation may cause the affected phone abnormal.",
  "id": "GHSA-34h4-h6v3-w52h",
  "modified": "2024-04-04T01:35:47Z",
  "published": "2022-05-24T16:52:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5236"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190807-01-smartphone-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-35GV-G55R-237W

Vulnerability from github – Published: 2022-05-14 01:07 – Updated: 2025-04-20 03:46
VLAI
Details

Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-16T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a \"redundant UVector entry clean up function call\" issue.",
  "id": "GHSA-35gv-g55r-237w",
  "modified": "2025-04-20T03:46:51Z",
  "published": "2022-05-14T01:07:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp"
    },
    {
      "type": "WEB",
      "url": "http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-362Q-J64X-4GGR

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2024-12-30 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btusb: mediatek: Fix double free of skb in coredump

hci_devcd_append() would free the skb on error so the caller don't have to free it again otherwise it would cause the double free of skb.

Reported-by : Dan Carpenter dan.carpenter@linaro.org

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T15:15:22Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix double free of skb in coredump\n\nhci_devcd_append() would free the skb on error so the caller don\u0027t\nhave to free it again otherwise it would cause the double free of skb.\n\nReported-by : Dan Carpenter \u003cdan.carpenter@linaro.org\u003e",
  "id": "GHSA-362q-j64x-4ggr",
  "modified": "2024-12-30T18:30:40Z",
  "published": "2024-05-17T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35856"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18bdb386a1a30e7a3d7732a98e45e69cf6b5710d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80dfef128cb9f1b1ef67c0fe8c8deb4ea7ad30c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e20093c741d8da9f6390dd45d75b779861547035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3632-54Q8-M96X

Vulnerability from github – Published: 2025-09-02 17:22 – Updated: 2025-09-02 17:22
VLAI
Summary
arenavec has multiple memory corruption vulnerabilities in safe APIs
Details

The crate has the following vulnerabilities:

  • The public trait arenavec::common::AllocHandle allows the return of raw pointers through its methods allocate and allocate_or_extend. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate-such as arenavec::common::SliceVec::push-potentially leading to arbitrary memory access.

  • The safe API arenavec::common::SliceVec::reserve can reach the private function arenavec::common::allocate_inner. Incorrect behavior in allocate_inner may result in a SliceVec with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between SliceVec.capacity and the actual reserved memory can lead to a heap buffer overflow.

  • The safe API arenavec::common::SliceVec::split_off can duplicate the ownership of the elements in self (of type SliceVec) if they implement the Drop trait. Specifically, when at == 0, the method returns a new SliceVec with the same length as self. Since both self and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "arenavec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-415",
      "CWE-822"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-02T17:22:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The crate has the following vulnerabilities:\n\n- The public trait `arenavec::common::AllocHandle` allows the return of raw pointers through its methods `allocate` and `allocate_or_extend`. However, the trait is not marked as unsafe, meaning users of the crate may implement it under the assumption that the library safely handles the returned raw pointers. These raw pointers can later be dereferenced within safe APIs of the crate-such as `arenavec::common::SliceVec::push`-potentially leading to arbitrary memory access.\n\n- The safe API `arenavec::common::SliceVec::reserve` can reach the private function `arenavec::common::allocate_inner`. Incorrect behavior in `allocate_inner` may result in a `SliceVec` with an increased capacity, even though the underlying memory has not actually been expanded. This mismatch between `SliceVec.capacity` and the actual reserved memory can lead to a heap buffer overflow.\n\n- The safe API `arenavec::common::SliceVec::split_off` can duplicate the ownership of the elements in `self` (of type `SliceVec`) if they implement the `Drop` trait. Specifically, when `at == 0`, the method returns a new `SliceVec` with the same length as `self`. Since both `self` and the returned object point to the same heap memory, dropping one will deallocate the shared memory. When the other is subsequently dropped, it will attempt to free the same memory again, resulting in a double free violation.",
  "id": "GHSA-3632-54q8-m96x",
  "modified": "2025-09-02T17:22:36Z",
  "published": "2025-09-02T17:22:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ibabushkin/arenavec/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ibabushkin/arenavec/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ibabushkin/arenavec/issues/6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ibabushkin/arenavec"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0053.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "arenavec has multiple memory corruption vulnerabilities in safe APIs"
}

GHSA-364F-VPC5-CG4X

Vulnerability from github – Published: 2022-05-14 01:19 – Updated: 2022-05-14 01:19
VLAI
Details

Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel(R) SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-14T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel(R) SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access.",
  "id": "GHSA-364f-vpc5-cg4x",
  "modified": "2022-05-14T01:19:56Z",
  "published": "2022-05-14T01:19:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0122"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00217.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3696-VCMQ-4G83

Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-18 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()

Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call would XOR back the PG_locked flag.

Most of the time (depending on the timing of the truncation), nobody notices the problem because folio_unlock() gets called three times, which flips PG_locked back off:

  1. vfs_read, nfs_read_folio, ... nfs_read_add_folio, nfs_return_empty_folio
  2. vfs_read, nfs_read_folio, ... netfs_read_collection, netfs_unlock_abandoned_read_pages
  3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio, nfs_return_empty_folio

The problem is that nfs_read_add_folio() is not supposed to unlock the folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is missing in nfs_return_empty_folio().

Rarely this leads to a warning in netfs_read_collection():

------------[ cut here ]------------ R=0000031c: folio 10 is not locked WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00 [...] Workqueue: events_unbound netfs_read_collection_worker RIP: 0010:netfs_read_collection+0x7c0/0xf00 [...] Call Trace: netfs_read_collection_worker+0x67/0x80 process_one_work+0x12e/0x2c0 worker_thread+0x295/0x3a0

Most of the time, however, processes just get stuck forever in folio_wait_bit_common(), waiting for PG_locked to disappear, which never happens because nobody is really holding the folio lock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T09:15:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()\n\nSometimes, when a file was read while it was being truncated by\nanother NFS client, the kernel could deadlock because folio_unlock()\nwas called twice, and the second call would XOR back the `PG_locked`\nflag.\n\nMost of the time (depending on the timing of the truncation), nobody\nnotices the problem because folio_unlock() gets called three times,\nwhich flips `PG_locked` back off:\n\n 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio,\n    nfs_return_empty_folio\n 2. vfs_read, nfs_read_folio, ... netfs_read_collection,\n    netfs_unlock_abandoned_read_pages\n 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio,\n    nfs_return_empty_folio\n\nThe problem is that nfs_read_add_folio() is not supposed to unlock the\nfolio if fscache is enabled, and a nfs_netfs_folio_unlock() check is\nmissing in nfs_return_empty_folio().\n\nRarely this leads to a warning in netfs_read_collection():\n\n ------------[ cut here ]------------\n R=0000031c: folio 10 is not locked\n WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00\n [...]\n Workqueue: events_unbound netfs_read_collection_worker\n RIP: 0010:netfs_read_collection+0x7c0/0xf00\n [...]\n Call Trace:\n  \u003cTASK\u003e\n  netfs_read_collection_worker+0x67/0x80\n  process_one_work+0x12e/0x2c0\n  worker_thread+0x295/0x3a0\n\nMost of the time, however, processes just get stuck forever in\nfolio_wait_bit_common(), waiting for `PG_locked` to disappear, which\nnever happens because nobody is really holding the folio lock.",
  "id": "GHSA-3696-vcmq-4g83",
  "modified": "2025-11-18T15:30:41Z",
  "published": "2025-07-10T09:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38338"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14f5549ad163be2c018abc1bb38370fff617a243"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e93b61d3eaa14bfebcc2716ac09d43f3845d420"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c10fa44bc5f700e2ea21de2fbae520ba21f19d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-36JJ-P27H-FH24

Vulnerability from github – Published: 2022-05-14 02:00 – Updated: 2022-05-14 02:00
VLAI
Details

The libcurl API function called curl_maprintf() before version 7.51.0 can be tricked into doing a double-free due to an unsafe size_t multiplication, on systems using 32 bit size_t variables.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.",
  "id": "GHSA-36jj-p27h-fh24",
  "modified": "2022-05-14T02:00:03Z",
  "published": "2022-05-14T02:00:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8618"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2486"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3558"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8618"
    },
    {
      "type": "WEB",
      "url": "https://curl.haxx.se/docs/adv_20161102D.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-47"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2016-21"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94098"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037192"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3854-9JQ2-J856

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure

On error situation clp->cl_cb_conn.cb_xprt should not be given a reference to the xprt otherwise both client cleanup and the error handling path of the caller call to put it. Better to delay handing over the reference to a later branch.

[ 72.530665] refcount_t: underflow; use-after-free. [ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120 [ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc] [ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1 [ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014 [ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd] [ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120 [ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48 [ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286 [ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000 [ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0 [ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff [ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180 [ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0 [ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000 [ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0 [ 72.554874] Call Trace: [ 72.555278] [ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc] [ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd] [ 72.557087] ? update_load_avg+0x82/0x610 [ 72.557652] ? cpuacct_charge+0x60/0x70 [ 72.558212] ? dequeue_entity+0xdb/0x3e0 [ 72.558765] ? queued_spin_unlock+0x9/0x20 [ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd] [ 72.560031] process_one_work+0x1df/0x390 [ 72.560600] worker_thread+0x37/0x3b0 [ 72.561644] ? process_one_work+0x390/0x390 [ 72.562247] kthread+0x12f/0x150 [ 72.562710] ? set_kthread_struct+0x50/0x50 [ 72.563309] ret_from_fork+0x22/0x30 [ 72.563818] [ 72.564189] ---[ end trace 031117b1c72ec616 ]--- [ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018). [ 72.567647] ------------[ cut here ]------------

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:42Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure\n\nOn error situation `clp-\u003ecl_cb_conn.cb_xprt` should not be given\na reference to the xprt otherwise both client cleanup and the\nerror handling path of the caller call to put it. Better to\ndelay handing over the reference to a later branch.\n\n[   72.530665] refcount_t: underflow; use-after-free.\n[   72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120\n[   72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]\n[   72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G           OE     5.15.82-dan #1\n[   72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014\n[   72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]\n[   72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120\n[   72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 \u003c0f\u003e 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48\n[   72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286\n[   72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000\n[   72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0\n[   72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff\n[   72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180\n[   72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0\n[   72.552089] FS:  0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000\n[   72.553175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0\n[   72.554874] Call Trace:\n[   72.555278]  \u003cTASK\u003e\n[   72.555614]  svc_xprt_put+0xaf/0xe0 [sunrpc]\n[   72.556276]  nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]\n[   72.557087]  ? update_load_avg+0x82/0x610\n[   72.557652]  ? cpuacct_charge+0x60/0x70\n[   72.558212]  ? dequeue_entity+0xdb/0x3e0\n[   72.558765]  ? queued_spin_unlock+0x9/0x20\n[   72.559358]  nfsd4_run_cb_work+0xfc/0x270 [nfsd]\n[   72.560031]  process_one_work+0x1df/0x390\n[   72.560600]  worker_thread+0x37/0x3b0\n[   72.561644]  ? process_one_work+0x390/0x390\n[   72.562247]  kthread+0x12f/0x150\n[   72.562710]  ? set_kthread_struct+0x50/0x50\n[   72.563309]  ret_from_fork+0x22/0x30\n[   72.563818]  \u003c/TASK\u003e\n[   72.564189] ---[ end trace 031117b1c72ec616 ]---\n[   72.566019] list_add corruption. next-\u003eprev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).\n[   72.567647] ------------[ cut here ]------------",
  "id": "GHSA-3854-9jq2-j856",
  "modified": "2025-12-11T15:30:30Z",
  "published": "2025-09-18T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50401"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/15fc60aa5bdcf6d5f93000d3d00579fc67632ee0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bc8edc98bd43540dbe648e4ef91f443d6d20a24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/707bcca9616002d204091ca7c4d1d91151104332"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9b4ae8c42d2ff09ed7c5832ccce5684c55e5ed23"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a472f069ced8601979f53c13c0cf20236074ed46"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1207219a4bfa50121c9345d5d165470d0a82531"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d843ebd860c58a38e45527e8ec6516059f4c97f3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e2f9f03e4537f3fcc8fd2bdd3248530c3477a371"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fddac3b4578d302ac9e51e7f03a9aae6254ae2a3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-387W-9MX8-66CC

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

9p/xen: protect xen_9pfs_front_free against concurrent calls

The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash.

This is a fix for the following double-free:

[ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none) [ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150 [ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42 [ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246 [ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000 [ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000 [ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000 [ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68 [ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040 [ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000 [ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660 [ 27.052418] Call Trace: [ 27.052420] [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720 [ 27.052426] ? xenbus_otherend_changed+0x72/0x140 [ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10 [ 27.052434] xenwatch_thread+0x94/0x1c0 [ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10 [ 27.052442] kthread+0xf8/0x240 [ 27.052445] ? __pfx_kthread+0x10/0x10 [ 27.052449] ? __pfx_kthread+0x10/0x10 [ 27.052452] ret_from_fork+0x16b/0x1a0 [ 27.052456] ? __pfx_kthread+0x10/0x10 [ 27.052459] ret_from_fork_asm+0x1a/0x30 [ 27.052463] [ 27.052465] Modules linked in: [ 27.052471] ---[ end trace 0000000000000000 ]---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p/xen: protect xen_9pfs_front_free against concurrent calls\n\nThe xenwatch thread can race with other back-end change notifications\nand call xen_9pfs_front_free() twice, hitting the observed general\nprotection fault due to a double-free. Guard the teardown path so only\none caller can release the front-end state at a time, preventing the\ncrash.\n\nThis is a fix for the following double-free:\n\n[   27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[   27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)\n[   27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150\n[   27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 \u003c48\u003e 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42\n[   27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246\n[   27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000\n[   27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000\n[   27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000\n[   27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68\n[   27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040\n[   27.052404] FS:  0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000\n[   27.052408] CS:  e030 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660\n[   27.052418] Call Trace:\n[   27.052420]  \u003cTASK\u003e\n[   27.052422]  xen_9pfs_front_changed+0x5d5/0x720\n[   27.052426]  ? xenbus_otherend_changed+0x72/0x140\n[   27.052430]  ? __pfx_xenwatch_thread+0x10/0x10\n[   27.052434]  xenwatch_thread+0x94/0x1c0\n[   27.052438]  ? __pfx_autoremove_wake_function+0x10/0x10\n[   27.052442]  kthread+0xf8/0x240\n[   27.052445]  ? __pfx_kthread+0x10/0x10\n[   27.052449]  ? __pfx_kthread+0x10/0x10\n[   27.052452]  ret_from_fork+0x16b/0x1a0\n[   27.052456]  ? __pfx_kthread+0x10/0x10\n[   27.052459]  ret_from_fork_asm+0x1a/0x30\n[   27.052463]  \u003c/TASK\u003e\n[   27.052465] Modules linked in:\n[   27.052471] ---[ end trace 0000000000000000 ]---",
  "id": "GHSA-387w-9mx8-66cc",
  "modified": "2026-05-08T15:31:18Z",
  "published": "2026-05-06T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43249"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39P9-G2PQ-Q8R7

Vulnerability from github – Published: 2026-02-06 18:30 – Updated: 2026-02-24 21:31
VLAI
Details

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-06T17:16:27Z",
    "severity": "MODERATE"
  },
  "details": "MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.",
  "id": "GHSA-39p9-g2pq-q8r7",
  "modified": "2026-02-24T21:31:30Z",
  "published": "2026-02-06T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25556"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=709029"
    },
    {
      "type": "WEB",
      "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1"
    },
    {
      "type": "WEB",
      "url": "https://mupdf.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/mupdf-barcode-decoding-double-free"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.