CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
966 vulnerabilities reference this CWE, most recent first.
GHSA-489P-VFCX-X55R
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-27 15:30In the Linux kernel, the following vulnerability has been resolved:
vfio/pci: Fix double free in dma-buf feature
The error path through vfio_pci_core_feature_dma_buf() ignores its own advice to only use dma_buf_put() after dma_buf_export(), instead falling through the entire unwind chain. In the unlikely event that we encounter file descriptor exhaustion, this can result in an unbalanced refcount on the vfio device and double free of allocated objects.
Avoid this by moving the "put" directly into the error path and return the errno rather than entering the unwind chain.
{
"affected": [],
"aliases": [
"CVE-2026-31468"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Fix double free in dma-buf feature\n\nThe error path through vfio_pci_core_feature_dma_buf() ignores its\nown advice to only use dma_buf_put() after dma_buf_export(), instead\nfalling through the entire unwind chain. In the unlikely event that\nwe encounter file descriptor exhaustion, this can result in an\nunbalanced refcount on the vfio device and double free of allocated\nobjects.\n\nAvoid this by moving the \"put\" directly into the error path and return\nthe errno rather than entering the unwind chain.",
"id": "GHSA-489p-vfcx-x55r",
"modified": "2026-04-27T15:30:38Z",
"published": "2026-04-22T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31468"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/83ad334afc9a645cef1062f5346526b1e36d6516"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e98137f0a874ab36d0946de4707aa48cb7137d1c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-497X-JCXF-M478
Vulnerability from github – Published: 2026-05-07 21:30 – Updated: 2026-07-16 12:32When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
{
"affected": [],
"aliases": [
"CVE-2026-33811"
],
"database_specific": {
"cwe_ids": [
"CWE-1341",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T20:16:42Z",
"severity": "HIGH"
},
"details": "When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.",
"id": "GHSA-497x-jcxf-m478",
"modified": "2026-07-16T12:32:12Z",
"published": "2026-05-07T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23262"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36776"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36796"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36797"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38504"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39266"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39272"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39573"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40118"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:40119"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467822"
},
{
"type": "WEB",
"url": "https://go.dev/cl/767860"
},
{
"type": "WEB",
"url": "https://go.dev/issue/78803"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4981"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33811.json"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23264"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33120"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33123"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33142"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33150"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33574"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34357"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34359"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34364"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35832"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35993"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35994"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:35995"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36207"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36617"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36648"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36651"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4987-X432-F9P7
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-30 03:30In Confirmation of keystore_cli_v2.cpp, there is a possible way to corrupt memory due to a double free. This could lead to local escalation of privilege in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-226234140
{
"affected": [],
"aliases": [
"CVE-2023-21030"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "HIGH"
},
"details": "In Confirmation of keystore_cli_v2.cpp, there is a possible way to corrupt memory due to a double free. This could lead to local escalation of privilege in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-226234140",
"id": "GHSA-4987-x432-f9p7",
"modified": "2023-03-30T03:30:38Z",
"published": "2023-03-24T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21030"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-49C2-3PPG-7626
Vulnerability from github – Published: 2024-10-17 09:31 – Updated: 2024-10-17 09:31This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.
{
"affected": [],
"aliases": [
"CVE-2024-3187"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-17T08:15:02Z",
"severity": "MODERATE"
},
"details": "This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions \u003c= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.",
"id": "GHSA-49c2-3ppg-7626",
"modified": "2024-10-17T09:31:46Z",
"published": "2024-10-17T09:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3187"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-3187"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4C57-27G6-54WG
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 00:00Memory corruption in video due to double free while parsing 3gp clip with invalid meta data atoms in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2022-22086"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-14T10:15:00Z",
"severity": "CRITICAL"
},
"details": "Memory corruption in video due to double free while parsing 3gp clip with invalid meta data atoms in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
"id": "GHSA-4c57-27g6-54wg",
"modified": "2022-06-23T00:00:29Z",
"published": "2022-06-15T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22086"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/june-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4CGM-M7VX-9PXR
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30SQL Server Native Client Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-49014"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:40Z",
"severity": "HIGH"
},
"details": "SQL Server Native Client Remote Code Execution Vulnerability",
"id": "GHSA-4cgm-m7vx-9pxr",
"modified": "2024-11-12T18:30:59Z",
"published": "2024-11-12T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49014"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4FVF-CVGM-9HVC
Vulnerability from github – Published: 2026-05-16 18:31 – Updated: 2026-05-16 18:31libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution.
{
"affected": [],
"aliases": [
"CVE-2020-37239"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-16T16:16:20Z",
"severity": "CRITICAL"
},
"details": "libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc\u0027s malloc metadata overwrites babl\u0027s signature field upon freeing, enabling potential memory corruption and code execution.",
"id": "GHSA-4fvf-cvgm-9hvc",
"modified": "2026-05-16T18:31:37Z",
"published": "2026-05-16T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37239"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49259"
},
{
"type": "WEB",
"url": "https://www.gegl.org"
},
{
"type": "WEB",
"url": "https://www.gegl.org/babl"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/libbabl-broken-double-free-detection-memory-safety"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4G3M-89JH-2MRF
Vulnerability from github – Published: 2023-08-16 21:31 – Updated: 2023-12-22 18:30A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.
{
"affected": [],
"aliases": [
"CVE-2023-4389"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-16T19:15:10Z",
"severity": "HIGH"
},
"details": "A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the btrfs filesystem in the Linux Kernel due to a double decrement of the reference count. This issue may allow a local attacker with user privilege to crash the system or may lead to leaked internal kernel information.",
"id": "GHSA-4g3m-89jh-2mrf",
"modified": "2023-12-22T18:30:29Z",
"published": "2023-08-16T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4389"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4389"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219271"
},
{
"type": "WEB",
"url": "https://patchwork.kernel.org/project/linux-btrfs/patch/20220324134454.15192-1-baijiaju1990@gmail.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4GRV-WGVH-8X82
Vulnerability from github – Published: 2023-08-16 15:30 – Updated: 2026-02-25 18:31kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.
{
"affected": [],
"aliases": [
"CVE-2023-39975"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-16T15:15:11Z",
"severity": "HIGH"
},
"details": "kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2 has a double free that is reachable if an authenticated user can trigger an authorization-data handling failure. Incorrect data is copied from one ticket to another.",
"id": "GHSA-4grv-wgvh-8x82",
"modified": "2026-02-25T18:31:23Z",
"published": "2023-08-16T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39975"
},
{
"type": "WEB",
"url": "https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840"
},
{
"type": "WEB",
"url": "https://github.com/krb5/krb5/compare/krb5-1.21.1-final...krb5-1.21.2-final"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230915-0014"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240201-0005"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240201-0008"
},
{
"type": "WEB",
"url": "https://web.mit.edu/kerberos/www/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4JJC-3VRV-4VCC
Vulnerability from github – Published: 2022-01-04 00:00 – Updated: 2022-01-14 00:03There is a Double free vulnerability in Smartphone.Successful exploitation of this vulnerability may cause a kernel crash or privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2021-37120"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-03T22:15:00Z",
"severity": "CRITICAL"
},
"details": "There is a Double free vulnerability in Smartphone.Successful exploitation of this vulnerability may cause a kernel crash or privilege escalation.",
"id": "GHSA-4jjc-3vrv-4vcc",
"modified": "2022-01-14T00:03:27Z",
"published": "2022-01-04T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37120"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/10"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.