Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

967 vulnerabilities reference this CWE, most recent first.

GHSA-93X7-VVJ8-98XR

Vulnerability from github – Published: 2022-06-27 00:00 – Updated: 2022-07-09 00:00
VLAI
Details

rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
  "id": "GHSA-93x7-vvj8-98xr",
  "modified": "2022-07-09T00:00:27Z",
  "published": "2022-06-27T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/1680939e9ecf7764fba8689cfb3429c2fe2bb23c"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-948P-P2C6-64Q4

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-09-03 00:00
VLAI
Details

In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-17498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.",
  "id": "GHSA-948p-p2c6-64q4",
  "modified": "2022-09-03T00:00:23Z",
  "published": "2022-05-24T17:25:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17498"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16672"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=76afda963de4f0b9be24f2d8e873990a5cbf221b"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AII7UYDPNKYE75AZL45M6HAV2COP7F6S"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7LO7DAPN33FL4JQ7DDPB76SIEFGMZSQ"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-14"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2020-10.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-955P-RC5H-HG6H

Vulnerability from github – Published: 2021-08-25 20:55 – Updated: 2023-06-13 16:52
VLAI
Summary
Double free in arenavec
Details

Affected versions of this crate did not guard against potential panics that may happen from user-provided functions T::default() and T::drop().

Panic within T::default() leads to dropping uninitialized T, when it is invoked from common::Slice::::new(). Panic within T::drop() leads to double drop of T, when it is invoked either from common::SliceVec::::resize_with() or common::SliceVec::::resize()

Either case causes memory corruption in the heap memory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "arenavec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T17:08:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of this crate did not guard against potential panics that may happen from user-provided functions T::default() and T::drop().\n\nPanic within T::default() leads to dropping uninitialized T, when it is invoked from common::Slice::\u003cT, H\u003e::new(). Panic within T::drop() leads to double drop of T, when it is invoked either from common::SliceVec::\u003cT, H\u003e::resize_with() or common::SliceVec::\u003cT, H\u003e::resize()\n\nEither case causes memory corruption in the heap memory.",
  "id": "GHSA-955p-rc5h-hg6h",
  "modified": "2023-06-13T16:52:27Z",
  "published": "2021-08-25T20:55:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29931"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ibabushkin/arenavec/issues/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ibabushkin/arenavec"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0040.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Double free in arenavec"
}

GHSA-955P-XVQ6-XGGJ

Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2025-10-22 03:30
VLAI
Details

Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-02-21T05:07:00Z",
    "severity": "HIGH"
  },
  "details": "Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK \u0026 Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.",
  "id": "GHSA-955p-xvq6-xggj",
  "modified": "2025-10-22T03:30:36Z",
  "published": "2022-05-14T01:49:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0502"
    },
    {
      "type": "WEB",
      "url": "https://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0502"
    },
    {
      "type": "WEB",
      "url": "http://helpx.adobe.com/security/products/flash-player/apsb14-07.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0196.html"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201405-04.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.alienvault.com/open-threat-exchange/blog/analysis-of-an-attack-exploiting-the-adobe-zero-day-cve-2014-0502"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-959P-RFMC-J2W3

Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34
VLAI
Details

Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T18:15:47Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-959p-rfmc-j2w3",
  "modified": "2025-04-08T18:34:45Z",
  "published": "2025-04-08T18:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26640"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26640"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-95GV-2PV7-Q366

Vulnerability from github – Published: 2022-05-17 02:30 – Updated: 2022-05-17 02:30
VLAI
Details

An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "SecurityFoundation" component. A double free vulnerability allows remote attackers to execute arbitrary code via a crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-02T01:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the \"SecurityFoundation\" component. A double free vulnerability allows remote attackers to execute arbitrary code via a crafted certificate.",
  "id": "GHSA-95gv-2pv7-q366",
  "modified": "2022-05-17T02:30:38Z",
  "published": "2022-05-17T02:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2425"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207615"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97140"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-966J-FC7P-8925

Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01
VLAI
Details

** DISPUTED ** The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-19T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED ** The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.",
  "id": "GHSA-966j-fc7p-8925",
  "modified": "2022-05-14T03:01:53Z",
  "published": "2022-05-14T03:01:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11730"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/148115/libfsntfs-20180420-Information-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/Jun/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96Q6-8HJQ-2Q63

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-31 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix warning when unbinding

If there is an error during some initialization related to firmware, the buffers dp->tx_ring[i].tx_status are released. However this is released again when the device is unbinded (ath12k_pci), and we get: WARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80 Call Trace: free_large_kmalloc ath12k_dp_free ath12k_core_deinit ath12k_pci_remove ...

The issue is always reproducible from a VM because the MSI addressing initialization is failing.

In order to fix the issue, just set the buffers to NULL after releasing in order to avoid the double free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:26Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix warning when unbinding\n\nIf there is an error during some initialization related to firmware,\nthe buffers dp-\u003etx_ring[i].tx_status are released.\nHowever this is released again when the device is unbinded (ath12k_pci),\nand we get:\nWARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80\nCall Trace:\nfree_large_kmalloc\nath12k_dp_free\nath12k_core_deinit\nath12k_pci_remove\n...\n\nThe issue is always reproducible from a VM because the MSI addressing\ninitialization is failing.\n\nIn order to fix the issue, just set the buffers to NULL after releasing in\norder to avoid the double free.",
  "id": "GHSA-96q6-8hjq-2q63",
  "modified": "2025-01-31T18:31:04Z",
  "published": "2024-12-27T15:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53191"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/223b546c6222d42147eff034433002ca5e2e7e09"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/90556b96338aa6037cd26dac857327fda7c19732"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94c9100b600f05a36b33f9ed76dbd6fb0eb25386"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ca68ce0d9f4bcd032fd1334441175ae399642a06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-978X-427C-QCQH

Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2022-05-17 02:56
VLAI
Details

The plist_free_data function in plist.c in libplist allows attackers to cause a denial of service (crash) via vectors involving an integer node that is treated as a PLIST_KEY and then triggers an invalid free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-03T15:59:00Z",
    "severity": "HIGH"
  },
  "details": "The plist_free_data function in plist.c in libplist allows attackers to cause a denial of service (crash) via vectors involving an integer node that is treated as a PLIST_KEY and then triggers an invalid free.",
  "id": "GHSA-978x-427c-qcqh",
  "modified": "2022-05-17T02:56:44Z",
  "published": "2022-05-17T02:56:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libimobiledevice/libplist/issues/86"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/01/31/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/02/02/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97Q5-M7RF-RP7V

Vulnerability from github – Published: 2022-05-17 00:32 – Updated: 2022-05-17 00:32
VLAI
Details

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, two concurrent threads/processes can write the value of "0" to the debugfs file that controls ipa ipc log which will lead to the double-free in ipc_log_context_destroy(). Another issue is the Use-After-Free which can happen due to the race condition when the ipc log is deallocated via the debugfs call during a log print.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-10T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, two concurrent threads/processes can write the value of \"0\" to the debugfs file that controls ipa ipc log which will lead to the double-free in ipc_log_context_destroy(). Another issue is the Use-After-Free which can happen due to the race condition when the ipc log is deallocated via the debugfs call during a log print.",
  "id": "GHSA-97q5-m7rf-rp7v",
  "modified": "2022-05-17T00:32:29Z",
  "published": "2022-05-17T00:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9687"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2017-10-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101160"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.