CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
967 vulnerabilities reference this CWE, most recent first.
GHSA-C3F5-89CX-RXG5
Vulnerability from github – Published: 2025-09-23 06:30 – Updated: 2026-01-20 21:31In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix double free in idxd_setup_wqs()
The clean up in idxd_setup_wqs() has had a couple bugs because the error handling is a bit subtle. It's simpler to just re-write it in a cleaner way. The issues here are:
1) If "idxd->max_wqs" is <= 0 then we call put_device(conf_dev) when "conf_dev" hasn't been initialized. 2) If kzalloc_node() fails then again "conf_dev" is invalid. It's either uninitialized or it points to the "conf_dev" from the previous iteration so it leads to a double free.
It's better to free partial loop iterations within the loop and then the unwinding at the end can handle whole loop iterations. I also renamed the labels to describe what the goto does and not where the goto was located.
{
"affected": [],
"aliases": [
"CVE-2025-39870"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-23T06:15:46Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix double free in idxd_setup_wqs()\n\nThe clean up in idxd_setup_wqs() has had a couple bugs because the error\nhandling is a bit subtle. It\u0027s simpler to just re-write it in a cleaner\nway. The issues here are:\n\n1) If \"idxd-\u003emax_wqs\" is \u003c= 0 then we call put_device(conf_dev) when\n \"conf_dev\" hasn\u0027t been initialized.\n2) If kzalloc_node() fails then again \"conf_dev\" is invalid. It\u0027s\n either uninitialized or it points to the \"conf_dev\" from the\n previous iteration so it leads to a double free.\n\nIt\u0027s better to free partial loop iterations within the loop and then\nthe unwinding at the end can handle whole loop iterations. I also\nrenamed the labels to describe what the goto does and not where the goto\nwas located.",
"id": "GHSA-c3f5-89cx-rxg5",
"modified": "2026-01-20T21:31:30Z",
"published": "2025-09-23T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39870"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25e6146c2812487a88f619d5ff6efbdcd5b2bc31"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39aaa337449e71a41d4813be0226a722827ba606"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f0e225635475b2285b966271d5e82cba74295b1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df82c7901513fd0fc738052a8e6a330d92cc8ec9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec5430d090d0b6ace8fefa290fc37e88930017d2"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C3X3-CQCQ-2R5X
Vulnerability from github – Published: 2024-07-29 15:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: lantiq_etop: fix double free in detach
The number of the currently released descriptor is never incremented which results in the same skb being released multiple times.
{
"affected": [],
"aliases": [
"CVE-2024-41046"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T15:15:12Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times.",
"id": "GHSA-c3x3-cqcq-2r5x",
"modified": "2025-11-04T00:31:00Z",
"published": "2024-07-29T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41046"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C423-R73F-CV75
Vulnerability from github – Published: 2022-05-14 03:36 – Updated: 2022-05-14 03:36The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b allows remote attackers to cause a denial of service (SIGABRT because of double free or corruption) or possibly have unspecified other impact via a crafted file. NOTE: this may overlap CVE-2017-11552.
{
"affected": [],
"aliases": [
"CVE-2018-7263"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-20T21:29:00Z",
"severity": "CRITICAL"
},
"details": "The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b allows remote attackers to cause a denial of service (SIGABRT because of double free or corruption) or possibly have unspecified other impact via a crafted file. NOTE: this may overlap CVE-2017-11552.",
"id": "GHSA-c423-r73f-cv75",
"modified": "2022-05-14T03:36:43Z",
"published": "2022-05-14T03:36:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7263"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1081784"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C7CH-MQ2W-RH37
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.
{
"affected": [],
"aliases": [
"CVE-2018-15518"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-26T21:29:00Z",
"severity": "HIGH"
},
"details": "QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.",
"id": "GHSA-c7ch-mq2w-rh37",
"modified": "2022-05-13T01:16:05Z",
"published": "2022-05-13T01:16:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15518"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2135"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3390"
},
{
"type": "WEB",
"url": "https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/#/c/236691"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00023.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4003-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4374"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00066.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00057.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00071.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00073.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00090.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C7FF-R8W3-GX9Q
Vulnerability from github – Published: 2025-08-06 15:31 – Updated: 2025-08-06 15:31NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where multiple requests could cause a double free when a stream is cancelled before it is processed. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2025-23322"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T13:15:39Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where multiple requests could cause a double free when a stream is cancelled before it is processed. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-c7ff-r8w3-gx9q",
"modified": "2025-08-06T15:31:25Z",
"published": "2025-08-06T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23322"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5687"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23322"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C83G-5QWQ-VRFJ
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
driver core: bus: Fix double free in driver API bus_register()
For bus_register(), any error which happens after kset_register() will cause that @priv are freed twice, fixed by setting @priv with NULL after the first free.
{
"affected": [],
"aliases": [
"CVE-2024-50055"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:17Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: bus: Fix double free in driver API bus_register()\n\nFor bus_register(), any error which happens after kset_register() will\ncause that @priv are freed twice, fixed by setting @priv with NULL after\nthe first free.",
"id": "GHSA-c83g-5qwq-vrfj",
"modified": "2025-11-03T21:31:28Z",
"published": "2024-10-21T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50055"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4797953712214ea57a437443bb0ad6d1e0646d70"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5be4bc1c73ca389a96d418a52054d897c6fe6d21"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87bc3cb23c56de2c5e14a58d87cf953e7a2508f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9ce15f68abedfae7ae0a35e95895aeddfd0f0c6a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bfa54a793ba77ef696755b66f3ac4ed00c7d1248"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d885c464c25018b81a6b58f5d548fc2e3ef87dd1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc1f391a71a3ee88291e205cffd673fe24d99266"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8HQ-X4MM-P6Q6
Vulnerability from github – Published: 2021-08-25 20:50 – Updated: 2023-02-13 16:58An issue was discovered in the xcb crate through 2020-12-10 for Rust. base::Error does not have soundness. Because of the public ptr field, a use-after-free or double-free can occur.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "xcb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36205"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:50:43Z",
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the xcb crate through 2020-12-10 for Rust. base::Error does not have soundness. Because of the public ptr field, a use-after-free or double-free can occur.",
"id": "GHSA-c8hq-x4mm-p6q6",
"modified": "2023-02-13T16:58:12Z",
"published": "2021-08-25T20:50:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36205"
},
{
"type": "WEB",
"url": "https://github.com/rtbo/rust-xcb/issues/93"
},
{
"type": "WEB",
"url": "https://github.com/rust-x-bindings/rust-xcb/issues/93"
},
{
"type": "PACKAGE",
"url": "https://github.com/rtbo/rust-xcb"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0097.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Memory handling issues in xcb"
}
GHSA-CCM8-J9M5-H2CW
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46Two threads call one or both functions concurrently leading to corruption of pointers and reference counters which in turn can lead to heap corruption in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2020-11231"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-07T08:15:00Z",
"severity": "MODERATE"
},
"details": "Two threads call one or both functions concurrently leading to corruption of pointers and reference counters which in turn can lead to heap corruption in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-ccm8-j9m5-h2cw",
"modified": "2022-05-24T17:46:42Z",
"published": "2022-05-24T17:46:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11231"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CFWF-8WX8-588C
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-01-19 18:30In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2018-20961"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-07T15:15:00Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel before 4.16.4, a double free vulnerability in the f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the f_midi driver may allow attackers to cause a denial of service or possibly have unspecified other impact.",
"id": "GHSA-cfwf-8wx8-588c",
"modified": "2023-01-19T18:30:22Z",
"published": "2022-05-24T16:52:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20961"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/7fafcfdf6377b18b2a726ea554d6e593ba44349f"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7fafcfdf6377b18b2a726ea554d6e593ba44349f"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Aug/48"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190905-0002"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K58502654"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K58502654?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4145-1"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154228/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGHH-45GX-84F7
Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-31 18:30In the Linux kernel, the following vulnerability has been resolved:
iio: core: fix ioctl handlers removal
Currently ioctl handlers are removed twice. For the first time during iio_device_unregister() then later on inside iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask(). Double free leads to kernel panic.
Fix this by not touching ioctl handlers list directly but rather letting code responsible for registration call the matching cleanup routine itself.
{
"affected": [],
"aliases": [
"CVE-2021-46979"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T09:15:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix ioctl handlers removal\n\nCurrently ioctl handlers are removed twice. For the first time during\niio_device_unregister() then later on inside\niio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().\nDouble free leads to kernel panic.\n\nFix this by not touching ioctl handlers list directly but rather\nletting code responsible for registration call the matching cleanup\nroutine itself.",
"id": "GHSA-cghh-45gx-84f7",
"modified": "2024-12-31T18:30:50Z",
"published": "2024-02-28T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46979"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11e1cae5da4096552f7c091476cbadbc0d1817da"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/901f84de0e16bde10a72d7eb2f2eb73fcde8fa1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab6c935ba3a04317632f3b8b68675bdbaf395303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.