CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
967 vulnerabilities reference this CWE, most recent first.
GHSA-93X7-VVJ8-98XR
Vulnerability from github – Published: 2022-06-27 00:00 – Updated: 2022-07-09 00:00rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
{
"affected": [],
"aliases": [
"CVE-2022-34494"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.",
"id": "GHSA-93x7-vvj8-98xr",
"modified": "2022-07-09T00:00:27Z",
"published": "2022-06-27T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34494"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/1680939e9ecf7764fba8689cfb3429c2fe2bb23c"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.18.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-948P-P2C6-64Q4
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-09-03 00:00In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.
{
"affected": [],
"aliases": [
"CVE-2020-17498"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-13T16:15:00Z",
"severity": "MODERATE"
},
"details": "In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.",
"id": "GHSA-948p-p2c6-64q4",
"modified": "2022-09-03T00:00:23Z",
"published": "2022-05-24T17:25:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17498"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16672"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=76afda963de4f0b9be24f2d8e873990a5cbf221b"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AII7UYDPNKYE75AZL45M6HAV2COP7F6S"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G7LO7DAPN33FL4JQ7DDPB76SIEFGMZSQ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202008-14"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2020-10.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00035.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00038.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-955P-RC5H-HG6H
Vulnerability from github – Published: 2021-08-25 20:55 – Updated: 2023-06-13 16:52Affected versions of this crate did not guard against potential panics that may happen from user-provided functions T::default() and T::drop().
Panic within T::default() leads to dropping uninitialized T, when it is invoked from common::Slice::::new(). Panic within T::drop() leads to double drop of T, when it is invoked either from common::SliceVec::::resize_with() or common::SliceVec::::resize()
Either case causes memory corruption in the heap memory.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "arenavec"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29931"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:08:56Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate did not guard against potential panics that may happen from user-provided functions T::default() and T::drop().\n\nPanic within T::default() leads to dropping uninitialized T, when it is invoked from common::Slice::\u003cT, H\u003e::new(). Panic within T::drop() leads to double drop of T, when it is invoked either from common::SliceVec::\u003cT, H\u003e::resize_with() or common::SliceVec::\u003cT, H\u003e::resize()\n\nEither case causes memory corruption in the heap memory.",
"id": "GHSA-955p-rc5h-hg6h",
"modified": "2023-06-13T16:52:27Z",
"published": "2021-08-25T20:55:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29931"
},
{
"type": "WEB",
"url": "https://github.com/ibabushkin/arenavec/issues/1"
},
{
"type": "PACKAGE",
"url": "https://github.com/ibabushkin/arenavec"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0040.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in arenavec"
}
GHSA-955P-XVQ6-XGGJ
Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2025-10-22 03:30Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.
{
"affected": [],
"aliases": [
"CVE-2014-0502"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-02-21T05:07:00Z",
"severity": "HIGH"
},
"details": "Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK \u0026 Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.",
"id": "GHSA-955p-xvq6-xggj",
"modified": "2025-10-22T03:30:36Z",
"published": "2022-05-14T01:49:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0502"
},
{
"type": "WEB",
"url": "https://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0502"
},
{
"type": "WEB",
"url": "http://helpx.adobe.com/security/products/flash-player/apsb14-07.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00014.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00015.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00017.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0196.html"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201405-04.xml"
},
{
"type": "WEB",
"url": "http://www.alienvault.com/open-threat-exchange/blog/analysis-of-an-attack-exploiting-the-adobe-zero-day-cve-2014-0502"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-959P-RFMC-J2W3
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-26640"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T18:15:47Z",
"severity": "HIGH"
},
"details": "Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-959p-rfmc-j2w3",
"modified": "2025-04-08T18:34:45Z",
"published": "2025-04-08T18:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26640"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95GV-2PV7-Q366
Vulnerability from github – Published: 2022-05-17 02:30 – Updated: 2022-05-17 02:30An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "SecurityFoundation" component. A double free vulnerability allows remote attackers to execute arbitrary code via a crafted certificate.
{
"affected": [],
"aliases": [
"CVE-2017-2425"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-02T01:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the \"SecurityFoundation\" component. A double free vulnerability allows remote attackers to execute arbitrary code via a crafted certificate.",
"id": "GHSA-95gv-2pv7-q366",
"modified": "2022-05-17T02:30:38Z",
"published": "2022-05-17T02:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2425"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207615"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97140"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038138"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-966J-FC7P-8925
Vulnerability from github – Published: 2022-05-14 03:01 – Updated: 2022-05-14 03:01** DISPUTED ** The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.
{
"affected": [],
"aliases": [
"CVE-2018-11730"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-19T21:29:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted ntfs file. NOTE: the vendor has disputed this as described in libyal/libfsntfs issue 8 on GitHub.",
"id": "GHSA-966j-fc7p-8925",
"modified": "2022-05-14T03:01:53Z",
"published": "2022-05-14T03:01:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11730"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/148115/libfsntfs-20180420-Information-Disclosure.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jun/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-96Q6-8HJQ-2Q63
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-01-31 18:31In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix warning when unbinding
If there is an error during some initialization related to firmware, the buffers dp->tx_ring[i].tx_status are released. However this is released again when the device is unbinded (ath12k_pci), and we get: WARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80 Call Trace: free_large_kmalloc ath12k_dp_free ath12k_core_deinit ath12k_pci_remove ...
The issue is always reproducible from a VM because the MSI addressing initialization is failing.
In order to fix the issue, just set the buffers to NULL after releasing in order to avoid the double free.
{
"affected": [],
"aliases": [
"CVE-2024-53191"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T14:15:26Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix warning when unbinding\n\nIf there is an error during some initialization related to firmware,\nthe buffers dp-\u003etx_ring[i].tx_status are released.\nHowever this is released again when the device is unbinded (ath12k_pci),\nand we get:\nWARNING: CPU: 0 PID: 2098 at mm/slub.c:4689 free_large_kmalloc+0x4d/0x80\nCall Trace:\nfree_large_kmalloc\nath12k_dp_free\nath12k_core_deinit\nath12k_pci_remove\n...\n\nThe issue is always reproducible from a VM because the MSI addressing\ninitialization is failing.\n\nIn order to fix the issue, just set the buffers to NULL after releasing in\norder to avoid the double free.",
"id": "GHSA-96q6-8hjq-2q63",
"modified": "2025-01-31T18:31:04Z",
"published": "2024-12-27T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53191"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/223b546c6222d42147eff034433002ca5e2e7e09"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90556b96338aa6037cd26dac857327fda7c19732"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94c9100b600f05a36b33f9ed76dbd6fb0eb25386"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca68ce0d9f4bcd032fd1334441175ae399642a06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-978X-427C-QCQH
Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2022-05-17 02:56The plist_free_data function in plist.c in libplist allows attackers to cause a denial of service (crash) via vectors involving an integer node that is treated as a PLIST_KEY and then triggers an invalid free.
{
"affected": [],
"aliases": [
"CVE-2017-5836"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-03T15:59:00Z",
"severity": "HIGH"
},
"details": "The plist_free_data function in plist.c in libplist allows attackers to cause a denial of service (crash) via vectors involving an integer node that is treated as a PLIST_KEY and then triggers an invalid free.",
"id": "GHSA-978x-427c-qcqh",
"modified": "2022-05-17T02:56:44Z",
"published": "2022-05-17T02:56:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5836"
},
{
"type": "WEB",
"url": "https://github.com/libimobiledevice/libplist/issues/86"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/01/31/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/02/02/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97Q5-M7RF-RP7V
Vulnerability from github – Published: 2022-05-17 00:32 – Updated: 2022-05-17 00:32In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, two concurrent threads/processes can write the value of "0" to the debugfs file that controls ipa ipc log which will lead to the double-free in ipc_log_context_destroy(). Another issue is the Use-After-Free which can happen due to the race condition when the ipc log is deallocated via the debugfs call during a log print.
{
"affected": [],
"aliases": [
"CVE-2017-9687"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T20:29:00Z",
"severity": "HIGH"
},
"details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, two concurrent threads/processes can write the value of \"0\" to the debugfs file that controls ipa ipc log which will lead to the double-free in ipc_log_context_destroy(). Another issue is the Use-After-Free which can happen due to the race condition when the ipc log is deallocated via the debugfs call during a log print.",
"id": "GHSA-97q5-m7rf-rp7v",
"modified": "2022-05-17T00:32:29Z",
"published": "2022-05-17T00:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9687"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2017-10-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101160"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.