Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

967 vulnerabilities reference this CWE, most recent first.

GHSA-4JMJ-7WJP-8959

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

An issue was discovered in Softing Industrial Automation OPC UA C++ SDK before 5.66, and uaToolkit Embedded before 1.40. Remote attackers to cause a denial of service (DoS) by sending crafted messages to a client or server. The server process may crash unexpectedly because of a double free, and must be restarted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-10T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Softing Industrial Automation OPC UA C++ SDK before 5.66, and uaToolkit Embedded before 1.40. Remote attackers to cause a denial of service (DoS) by sending crafted messages to a client or server. The server process may crash unexpectedly because of a double free, and must be restarted.",
  "id": "GHSA-4jmj-7wjp-8959",
  "modified": "2022-05-24T19:20:27Z",
  "published": "2022-05-24T19:20:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40873"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com"
    },
    {
      "type": "WEB",
      "url": "https://industrial.softing.com/fileadmin/sof-files/pdf/ia/support/Security_Bulletin_CVE-2021-40873.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4M42-39C8-PX5P

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-18 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes

We have sanity checks for byte controls and if any of the fail the locally allocated scontrol->ipc_control_data is freed up, but not set to NULL.

On a rollback path of the error the higher level code will also try to free the scontrol->ipc_control_data which will eventually going to lead to memory corruption as double freeing memory is not a good thing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:41Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc3-topology: Prevent double freeing of ipc_control_data via load_bytes\n\nWe have sanity checks for byte controls and if any of the fail the locally\nallocated scontrol-\u003eipc_control_data is freed up, but not set to NULL.\n\nOn a rollback path of the error the higher level code will also try to free\nthe scontrol-\u003eipc_control_data which will eventually going to lead to\nmemory corruption as double freeing memory is not a good thing.",
  "id": "GHSA-4m42-39c8-px5p",
  "modified": "2025-11-18T18:32:45Z",
  "published": "2025-06-18T12:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50115"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8463986b54295e6b65ddf2b7c65627d01ce7643b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2eddfcafcffaf1b9245ea0dde9143bbfb47d5d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5bd47f3ca124058a8e87eae4508afeda2132611"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4M7V-4FW7-9HCH

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix double free in create_space_info() error path

When kobject_init_and_add() fails, the call chain is:

create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)

Then control returns to create_space_info():

btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)

This causes a double free.

Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free in create_space_info() error path\n\nWhen kobject_init_and_add() fails, the call chain is:\n\ncreate_space_info()\n-\u003e btrfs_sysfs_add_space_info_type()\n-\u003e kobject_init_and_add()\n-\u003e failure\n-\u003e kobject_put(\u0026space_info-\u003ekobj)\n-\u003e space_info_release()\n-\u003e kfree(space_info)\n\nThen control returns to create_space_info():\n\nbtrfs_sysfs_add_space_info_type() returns error\n-\u003e goto out_free\n-\u003e kfree(space_info)\n\nThis causes a double free.\n\nKeep the direct kfree(space_info) for the earlier failure path, but\nafter btrfs_sysfs_add_space_info_type() has called kobject_put(), let\nthe kobject release callback handle the cleanup.",
  "id": "GHSA-4m7v-4fw7-9hch",
  "modified": "2026-06-01T18:31:37Z",
  "published": "2026-05-28T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46129"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f487be81292702a59ea9dbc4088b3360a50e837"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a060970fd7b5e1c561e4ce73cb9949e4269a738"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2670ec4aa49ca226bce9776601e0da37502be07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd6ade0fdd59218d71a981ae7c937a304e49209c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4M88-FHX6-92J5

Vulnerability from github – Published: 2023-12-31 06:30 – Updated: 2024-01-08 21:30
VLAI
Details

Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have an "double free or corruption" error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-31T06:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have an \"double free or corruption\" error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled.",
  "id": "GHSA-4m88-fhx6-92j5",
  "modified": "2024-01-08T21:30:26Z",
  "published": "2023-12-31T06:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52284"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasm-micro-runtime/issues/2586"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasm-micro-runtime/pull/2590"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasm-micro-runtime/compare/WAMR-1.2.3...WAMR-1.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PJV-PHCW-V7CC

Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times

device_add shall not be called multiple times as stated in its documentation:

'Do not call this routine or device_register() more than once for any device structure'

Syzkaller reports a bug as follows [1]: ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:33! invalid opcode: 0000 [#1] PREEMPT SMP KASAN [...] Call Trace: __list_add include/linux/list.h:69 [inline] list_add_tail include/linux/list.h:102 [inline] kobj_kset_join lib/kobject.c:164 [inline] kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214 kobject_add_varg lib/kobject.c:358 [inline] kobject_add+0x150/0x1c0 lib/kobject.c:410 device_add+0x368/0x1e90 drivers/base/core.c:3452 hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53 hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799 hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110 hci_event_func net/bluetooth/hci_event.c:7440 [inline] hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495 hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T16:15:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sysfs: Fix attempting to call device_add multiple times\n\ndevice_add shall not be called multiple times as stated in its\ndocumentation:\n\n \u0027Do not call this routine or device_register() more than once for\n any device structure\u0027\n\nSyzkaller reports a bug as follows [1]:\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:33!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\n[...]\nCall Trace:\n \u003cTASK\u003e\n __list_add include/linux/list.h:69 [inline]\n list_add_tail include/linux/list.h:102 [inline]\n kobj_kset_join lib/kobject.c:164 [inline]\n kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214\n kobject_add_varg lib/kobject.c:358 [inline]\n kobject_add+0x150/0x1c0 lib/kobject.c:410\n device_add+0x368/0x1e90 drivers/base/core.c:3452\n hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53\n hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799\n hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110\n hci_event_func net/bluetooth/hci_event.c:7440 [inline]\n hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495\n hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007\n process_one_work+0x991/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e4/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n \u003c/TASK\u003e",
  "id": "GHSA-4pjv-phcw-v7cc",
  "modified": "2025-12-12T21:31:31Z",
  "published": "2025-09-18T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50419"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b6c89571f453101251201f0fad1c26f7256e937"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3423a50fa018e88aed4c900d59c3c8334d8ad583"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/448a496f760664d3e2e79466aa1787e6abc922b5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bcefec3636208b4c97536b26014d5935d5c10a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6144423712d570247b8ca26e50a277c30dd13702"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/671fee73e08ff415d36a7c16bdf238927df83884"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e85d2ad958c6f034b1b158d904019869dbb3c81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b674dce4162bb46d396586e30e4653427023875"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef055094df4c10b73cfe67c8d43f9de1fb608a8b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PQP-9QR3-H8VG

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-12-31 21:30
VLAI
Details

Microsoft Excel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2020-17064, CVE-2020-17065, CVE-2020-17066.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-17019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-11T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Excel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2020-17064, CVE-2020-17065, CVE-2020-17066.",
  "id": "GHSA-4pqp-9qr3-h8vg",
  "modified": "2023-12-31T21:30:25Z",
  "published": "2022-05-24T17:33:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17019"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PR7-H3P8-C732

Vulnerability from github – Published: 2024-12-28 12:30 – Updated: 2025-09-26 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

s390/pci: Fix potential double remove of hotplug slot

In commit 6ee600bfbe0f ("s390/pci: remove hotplug slot when releasing the device") the zpci_exit_slot() was moved from zpci_device_reserved() to zpci_release_device() with the intention of keeping the hotplug slot around until the device is actually removed.

Now zpci_release_device() is only called once all references are dropped. Since the zPCI subsystem only drops its reference once the device is in the reserved state it follows that zpci_release_device() must only deal with devices in the reserved state. Despite that it contains code to tear down from both configured and standby state. For the standby case this already includes the removal of the hotplug slot so would cause a double removal if a device was ever removed in either configured or standby state.

Instead of causing a potential double removal in a case that should never happen explicitly WARN_ON() if a device in non-reserved state is released and get rid of the dead code cases.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-28T10:15:17Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/pci: Fix potential double remove of hotplug slot\n\nIn commit 6ee600bfbe0f (\"s390/pci: remove hotplug slot when releasing the\ndevice\") the zpci_exit_slot() was moved from zpci_device_reserved() to\nzpci_release_device() with the intention of keeping the hotplug slot\naround until the device is actually removed.\n\nNow zpci_release_device() is only called once all references are\ndropped. Since the zPCI subsystem only drops its reference once the\ndevice is in the reserved state it follows that zpci_release_device()\nmust only deal with devices in the reserved state. Despite that it\ncontains code to tear down from both configured and standby state. For\nthe standby case this already includes the removal of the hotplug slot\nso would cause a double removal if a device was ever removed in\neither configured or standby state.\n\nInstead of causing a potential double removal in a case that should\nnever happen explicitly WARN_ON() if a device in non-reserved state is\nreleased and get rid of the dead code cases.",
  "id": "GHSA-4pr7-h3p8-c732",
  "modified": "2025-09-26T21:30:26Z",
  "published": "2024-12-28T12:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56699"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/371bd905599d18da62d75e3974acbf6a41e315c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1489651071ab1be46d2af1da8adb15c9fc3c069"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c4a585e952ca403a370586d3f16e8331a7564901"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PXG-G29H-QQFC

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-04T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file.",
  "id": "GHSA-4pxg-g29h-qqfc",
  "modified": "2022-05-24T17:43:42Z",
  "published": "2022-05-24T17:43:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Yeraze/ytnef/issues/85"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1926967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4Q9G-GJC2-2PF4

Vulnerability from github – Published: 2022-05-17 01:17 – Updated: 2025-04-20 03:44
VLAI
Details

Double-free vulnerability in the sPLT chunk structure and png.c in pngcrush before 1.7.87 allows attackers to have unspecified impact via unknown vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-7700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-31T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double-free vulnerability in the sPLT chunk structure and png.c in pngcrush before 1.7.87 allows attackers to have unspecified impact via unknown vectors.",
  "id": "GHSA-4q9g-gjc2-2pf4",
  "modified": "2025-04-20T03:44:15Z",
  "published": "2022-05-17T01:17:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7700"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/pmt/news/2015/10/pngcrush-1787-released"
    },
    {
      "type": "WEB",
      "url": "http://pmt.sourceforge.net/pngcrush/changelog.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R5P-HFFQ-CGF5

Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2022-05-14 03:56
VLAI
Details

Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-07T10:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception.",
  "id": "GHSA-4r5p-hffq-cgf5",
  "modified": "2022-05-14T03:56:22Z",
  "published": "2022-05-14T03:56:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5768"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=72402"
    },
    {
      "type": "WEB",
      "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207170"
    },
    {
      "type": "WEB",
      "url": "http://github.com/php/php-src/commit/5b597a2e5b28e2d5a52fc1be13f425f08f47cb62?w=1"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-5.php"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-7.php"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2598.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-2750.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3618"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/23/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91396"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.