CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
966 vulnerabilities reference this CWE, most recent first.
GHSA-4V4W-685Q-CQMX
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-12-11 21:31In the Linux kernel, the following vulnerability has been resolved:
NFSv4.2: Rework scratch handling for READ_PLUS (again)
I found that the read code might send multiple requests using the same nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is how we ended up occasionally double-freeing the scratch buffer, but also means we set a NULL pointer but non-zero length to the xdr scratch buffer. This results in an oops the first time decoding needs to copy something to scratch, which frequently happens when decoding READ_PLUS hole segments.
I fix this by moving scratch handling into the pageio read code. I provide a function to allocate scratch space for decoding read replies, and free the scratch buffer when the nfs_pgio_header is freed.
{
"affected": [],
"aliases": [
"CVE-2023-53360"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T15:15:40Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: Rework scratch handling for READ_PLUS (again)\n\nI found that the read code might send multiple requests using the same\nnfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is\nhow we ended up occasionally double-freeing the scratch buffer, but also\nmeans we set a NULL pointer but non-zero length to the xdr scratch\nbuffer. This results in an oops the first time decoding needs to copy\nsomething to scratch, which frequently happens when decoding READ_PLUS\nhole segments.\n\nI fix this by moving scratch handling into the pageio read code. I\nprovide a function to allocate scratch space for decoding read replies,\nand free the scratch buffer when the nfs_pgio_header is freed.",
"id": "GHSA-4v4w-685q-cqmx",
"modified": "2025-12-11T21:31:25Z",
"published": "2025-09-17T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53360"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/303a78052091c81e9003915c521fdca1c7e117af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a2f4cb206bd94b3f4a7bb05fcdce9525283b5681"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/adac9f0ddd2b291c7ce41f549fdb27a13616cff5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ae5d5672f1db711e91db6f52df5cb16ecd8f5692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V66-3JC4-3XM5
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-32074"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:08Z",
"severity": "HIGH"
},
"details": "Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-4v66-3jc4-3xm5",
"modified": "2026-04-14T18:30:39Z",
"published": "2026-04-14T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32074"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32074"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4VVW-XXG7-3QFJ
Vulnerability from github – Published: 2024-10-07 15:31 – Updated: 2024-10-07 15:31Memory corruption while unmapping the fastrpc map when two threads can free the same map in concurrent scenario.
{
"affected": [],
"aliases": [
"CVE-2024-23379"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-07T13:15:12Z",
"severity": "MODERATE"
},
"details": "Memory corruption while unmapping the fastrpc map when two threads can free the same map in concurrent scenario.",
"id": "GHSA-4vvw-xxg7-3qfj",
"modified": "2024-10-07T15:31:39Z",
"published": "2024-10-07T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23379"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4VWX-P2G9-HR37
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-09-03 00:00In NASM 2.15.04rc3, there is a double-free vulnerability in pp_tokline asm/preproc.c. This is fixed in commit 8806c3ca007b84accac21dd88b900fb03614ceb7.
{
"affected": [],
"aliases": [
"CVE-2020-24978"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-04T00:15:00Z",
"severity": "HIGH"
},
"details": "In NASM 2.15.04rc3, there is a double-free vulnerability in pp_tokline asm/preproc.c. This is fixed in commit 8806c3ca007b84accac21dd88b900fb03614ceb7.",
"id": "GHSA-4vwx-p2g9-hr37",
"modified": "2022-09-03T00:00:18Z",
"published": "2022-05-24T17:27:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24978"
},
{
"type": "WEB",
"url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392712"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4W3J-4M96-C92X
Vulnerability from github – Published: 2024-01-02 06:30 – Updated: 2024-01-02 06:30Memory corruption when IPv6 prefix timer object`s lifetime expires which are created while Netmgr daemon gets an IPv6 address.
{
"affected": [],
"aliases": [
"CVE-2023-28583"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T06:15:08Z",
"severity": "MODERATE"
},
"details": "Memory corruption when IPv6 prefix timer object`s lifetime expires which are created while Netmgr daemon gets an IPv6 address.",
"id": "GHSA-4w3j-4m96-c92x",
"modified": "2024-01-02T06:30:30Z",
"published": "2024-01-02T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28583"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4WC7-FQ9J-GX9P
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-05-12 15:31In the Linux kernel, the following vulnerability has been resolved:
scsi: bfa: Double-free fix
When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL.
Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability.
Set bfad->im to NULL if probing fails.
{
"affected": [],
"aliases": [
"CVE-2025-38699"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:38Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: bfa: Double-free fix\n\nWhen the bfad_im_probe() function fails during initialization, the memory\npointed to by bfad-\u003eim is freed without setting bfad-\u003eim to NULL.\n\nSubsequently, during driver uninstallation, when the state machine enters\nthe bfad_sm_stopping state and calls the bfad_im_probe_undo() function,\nit attempts to free the memory pointed to by bfad-\u003eim again, thereby\ntriggering a double-free vulnerability.\n\nSet bfad-\u003eim to NULL if probing fails.",
"id": "GHSA-4wc7-fq9j-gx9p",
"modified": "2026-05-12T15:31:00Z",
"published": "2025-09-05T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38699"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/13f613228cf3c96a038424cd97aa4d6aadc66294"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39cfe2c83146aad956318f866d0ee471b7a61fa5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50d9bd48321038bd6e15af5a454bbcd180cf6f80"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/684c92bb08a25ed3c0356bc7eb532ed5b19588dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8456f862cb95bcc3a831e1ba87c0c17068be0f3f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e03dd9fadf76db5b9799583074a1a2a54f787f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9337c2affbaebe00b75fdf84ea0e2fcf93c140af"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba024d92564580bb90ec367248ace8efe16ce815"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4WJ3-P7HJ-CVX8
Vulnerability from github – Published: 2021-08-25 20:48 – Updated: 2023-06-13 20:13An issue was discovered in the ordnung crate through version 0.0.1 for Rust. compact::Vec violates memory safety via a remove() double free.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ordnung"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35891"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:06:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An issue was discovered in the ordnung crate through version 0.0.1 for Rust. compact::Vec violates memory safety via a remove() double free.",
"id": "GHSA-4wj3-p7hj-cvx8",
"modified": "2023-06-13T20:13:30Z",
"published": "2021-08-25T20:48:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35891"
},
{
"type": "WEB",
"url": "https://github.com/maciejhirsz/ordnung/issues/8"
},
{
"type": "PACKAGE",
"url": "https://github.com/maciejhirsz/ordnung"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0038.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in ordnung"
}
GHSA-4XQJ-6G2R-4GGR
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-20 21:31In the Linux kernel, the following vulnerability has been resolved:
spi: rockchip-sfc: Fix double-free in remove() callback
The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free.
And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().
{
"affected": [],
"aliases": [
"CVE-2026-43460"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:58Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: rockchip-sfc: Fix double-free in remove() callback\n\nThe driver uses devm_spi_register_controller() for registration, which\nautomatically unregisters the controller via devm cleanup when the\ndevice is removed. The manual call to spi_unregister_controller() in\nthe remove() callback can lead to a double-free.\n\nAnd to make sure controller is unregistered before DMA buffer is\nunmapped, switch to use spi_register_controller() in probe().",
"id": "GHSA-4xqj-6g2r-4ggr",
"modified": "2026-05-20T21:31:28Z",
"published": "2026-05-08T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43460"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4XR8-WP6V-66Q2
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10A component of the Huawei smartphone has a Double Free vulnerability. Local attackers may exploit this vulnerability to cause Root Elevation of Privileges.
{
"affected": [],
"aliases": [
"CVE-2021-22386"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-10T14:15:00Z",
"severity": "HIGH"
},
"details": "A component of the Huawei smartphone has a Double Free vulnerability. Local attackers may exploit this vulnerability to cause Root Elevation of Privileges.",
"id": "GHSA-4xr8-wp6v-66q2",
"modified": "2022-05-24T19:10:36Z",
"published": "2022-05-24T19:10:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22386"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/oem_security_update_phone_202106-0000001165452077"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4XRX-36PV-43R3
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops
Fix a kernel oops found while testing the stm32_pcie Endpoint driver with handling of PERST# deassertion:
During EP initialization, pci_epf_test_alloc_space() allocates all BARs, which are further freed if epc_set_bar() fails (for instance, due to no free inbound window).
However, when pci_epc_set_bar() fails, the error path:
pci_epc_set_bar() -> pci_epf_free_space()
does not clear the previous assignment to epf_test->reg[bar].
Then, if the host reboots, the PERST# deassertion restarts the BAR allocation sequence with the same allocation failure (no free inbound window), creating a double free situation since epf_test->reg[bar] was deallocated and is still non-NULL.
Thus, make sure that pci_epf_alloc_space() and pci_epf_free_space() invocations are symmetric, and as such, set epf_test->reg[bar] to NULL when memory is freed.
[kwilczynski: commit log]
{
"affected": [],
"aliases": [
"CVE-2025-38069"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T10:15:40Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops\n\nFix a kernel oops found while testing the stm32_pcie Endpoint driver\nwith handling of PERST# deassertion:\n\nDuring EP initialization, pci_epf_test_alloc_space() allocates all BARs,\nwhich are further freed if epc_set_bar() fails (for instance, due to no\nfree inbound window).\n\nHowever, when pci_epc_set_bar() fails, the error path:\n\n pci_epc_set_bar() -\u003e\n pci_epf_free_space()\n\ndoes not clear the previous assignment to epf_test-\u003ereg[bar].\n\nThen, if the host reboots, the PERST# deassertion restarts the BAR\nallocation sequence with the same allocation failure (no free inbound\nwindow), creating a double free situation since epf_test-\u003ereg[bar] was\ndeallocated and is still non-NULL.\n\nThus, make sure that pci_epf_alloc_space() and pci_epf_free_space()\ninvocations are symmetric, and as such, set epf_test-\u003ereg[bar] to NULL\nwhen memory is freed.\n\n[kwilczynski: commit log]",
"id": "GHSA-4xrx-36pv-43r3",
"modified": "2025-11-14T18:31:22Z",
"published": "2025-06-18T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38069"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b83893d1f6c6061a7d58169ecdf9d5ee9f306ee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/934e9d137d937706004c325fa1474f9e3f1ba10a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe2329eff5bee461ebcafadb6ca1df0cbf5945fd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.