CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
966 vulnerabilities reference this CWE, most recent first.
GHSA-J54F-72M2-VVMR
Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
pstore: inode: Only d_invalidate() is needed
Unloading a modular pstore backend with records in pstorefs would trigger the dput() double-drop warning:
WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410
Using the combo of d_drop()/dput() (as mentioned in Documentation/filesystems/vfs.rst) isn't the right approach here, and leads to the reference counting problem seen above. Use d_invalidate() and update the code to not bother checking for error codes that can never happen.
{
"affected": [],
"aliases": [
"CVE-2024-27389"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T13:15:51Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn\u0027t the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---",
"id": "GHSA-j54f-72m2-vvmr",
"modified": "2026-06-01T18:31:18Z",
"published": "2024-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27389"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0ee2a8adb6673382cce8a4280e1ca0849b3b783"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5M3-PF7Q-9CVF
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30In MasteringMetadata::Parse of mkvparser.cc there is a possible double free due to an insecure default value. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-116615297.
{
"affected": [],
"aliases": [
"CVE-2018-9553"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-06T14:29:00Z",
"severity": "HIGH"
},
"details": "In MasteringMetadata::Parse of mkvparser.cc there is a possible double free due to an insecure default value. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-116615297.",
"id": "GHSA-j5m3-pf7q-9cvf",
"modified": "2022-05-13T01:30:36Z",
"published": "2022-05-13T01:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9553"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-12-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5P4-42CC-2J44
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2026-01-24 21:30A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over malloc.
{
"affected": [],
"aliases": [
"CVE-2022-0699"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "CRITICAL"
},
"details": "A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over malloc.",
"id": "GHSA-j5p4-42cc-2j44",
"modified": "2026-01-24T21:30:23Z",
"published": "2022-10-17T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0699"
},
{
"type": "WEB",
"url": "https://github.com/OSGeo/shapelib/issues/39"
},
{
"type": "WEB",
"url": "https://github.com/OSGeo/shapelib/commit/c75b9281a5b9452d92e1682bdfe6019a13ed819f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00023.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5R3-PWR2-9CQJ
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-05-24 17:07In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis.
{
"affected": [],
"aliases": [
"CVE-2020-8432"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-29T19:15:00Z",
"severity": "HIGH"
},
"details": "In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis.",
"id": "GHSA-j5r3-pwr2-9cqj",
"modified": "2022-05-24T17:07:43Z",
"published": "2022-05-24T17:07:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8432"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/u-boot@lists.denx.de/msg354060.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/u-boot@lists.denx.de/msg354114.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J5R6-FGQ5-9WCX
Vulnerability from github – Published: 2025-05-08 09:30 – Updated: 2025-11-13 00:30In the Linux kernel, the following vulnerability has been resolved:
mcb: fix a double free bug in chameleon_parse_gdd()
In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails.
{
"affected": [],
"aliases": [
"CVE-2025-37817"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-08T07:15:52Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmcb: fix a double free bug in chameleon_parse_gdd()\n\nIn chameleon_parse_gdd(), if mcb_device_register() fails, \u0027mdev\u0027\nwould be released in mcb_device_register() via put_device().\nThus, goto \u0027err\u0027 label and free \u0027mdev\u0027 again causes a double free.\nJust return if mcb_device_register() fails.",
"id": "GHSA-j5r6-fgq5-9wcx",
"modified": "2025-11-13T00:30:16Z",
"published": "2025-05-08T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37817"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ffe8c9fb561e4427dd1a3056cd5b3685b74f78d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59f993cd36b6e28a394ba3d977e8ffe5c9884e3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c7f1bfdb2249f854a736d9b79778c7e5a29a150"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96838eb1836fd372e42be5db84f0b333b65146a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bcc7d58ee5173e34306026bd01e1fbf75e169d37"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c5b8a549ef1fcc6066b037a3962c79d60465ba0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d70184958b0ea8c0fd52e2b456654b503e769fc8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df1a5d5c6134224f9298e5189230f9d29ae50cac"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J642-RP5Q-W8W9
Vulnerability from github – Published: 2024-03-15 21:30 – Updated: 2025-01-14 15:30In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix ltout double free on completion race
Always remove linked timeout on io_link_timeout_fn() from the master request link list, otherwise we may get use-after-free when first io_link_timeout_fn() puts linked timeout in the fail path, and then will be found and put on master's free.
{
"affected": [],
"aliases": [
"CVE-2021-47123"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-15T21:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix ltout double free on completion race\n\nAlways remove linked timeout on io_link_timeout_fn() from the master\nrequest link list, otherwise we may get use-after-free when first\nio_link_timeout_fn() puts linked timeout in the fail path, and then\nwill be found and put on master\u0027s free.",
"id": "GHSA-j642-rp5q-w8w9",
"modified": "2025-01-14T15:30:48Z",
"published": "2024-03-15T21:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47123"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f64f5e903b9d1d157875721e02adadc9d6f0a5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/447c19f3b5074409c794b350b10306e1da1ef4ba"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J6PM-8M22-4PX5
Vulnerability from github – Published: 2024-06-19 15:30 – Updated: 2024-08-27 03:30In the Linux kernel, the following vulnerability has been resolved:
igbvf: fix double free in igbvf_probe
In igbvf_probe, if register_netdev() fails, the program will go to
label err_hw_init, and then to label err_ioremap. In free_netdev() which
is just below label err_ioremap, there is list_for_each_entry_safe and
netif_napi_del which aims to delete all entries in dev->napi_list.
The program has added an entry adapter->rx_ring->napi which is added by
netif_napi_add in igbvf_alloc_queues(). However, adapter->rx_ring has
been freed below label err_hw_init. So this a UAF.
In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the entry before adapter->rx_ring.
The KASAN logs are as follows:
[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dump_stack_lvl+0x59/0x7b [ 35.132865] print_address_description+0x7c/0x3b0 [ 35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] _kasankmalloc+0xc4/0xf0 [ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] __kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] [ 35.184040] local_pci_probe+0x13c/0x1f0
{
"affected": [],
"aliases": [
"CVE-2021-47589"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T15:15:53Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nigbvf: fix double free in `igbvf_probe`\n\nIn `igbvf_probe`, if register_netdev() fails, the program will go to\nlabel err_hw_init, and then to label err_ioremap. In free_netdev() which\nis just below label err_ioremap, there is `list_for_each_entry_safe` and\n`netif_napi_del` which aims to delete all entries in `dev-\u003enapi_list`.\nThe program has added an entry `adapter-\u003erx_ring-\u003enapi` which is added by\n`netif_napi_add` in igbvf_alloc_queues(). However, adapter-\u003erx_ring has\nbeen freed below label err_hw_init. So this a UAF.\n\nIn terms of how to patch the problem, we can refer to igbvf_remove() and\ndelete the entry before `adapter-\u003erx_ring`.\n\nThe KASAN logs are as follows:\n\n[ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450\n[ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366\n[ 35.128360]\n[ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14\n[ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[ 35.131749] Call Trace:\n[ 35.132199] dump_stack_lvl+0x59/0x7b\n[ 35.132865] print_address_description+0x7c/0x3b0\n[ 35.133707] ? free_netdev+0x1fd/0x450\n[ 35.134378] __kasan_report+0x160/0x1c0\n[ 35.135063] ? free_netdev+0x1fd/0x450\n[ 35.135738] kasan_report+0x4b/0x70\n[ 35.136367] free_netdev+0x1fd/0x450\n[ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf]\n[ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]\n[ 35.138751] local_pci_probe+0x13c/0x1f0\n[ 35.139461] pci_device_probe+0x37e/0x6c0\n[ 35.165526]\n[ 35.165806] Allocated by task 366:\n[ 35.166414] ____kasan_kmalloc+0xc4/0xf0\n[ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]\n[ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf]\n[ 35.168866] local_pci_probe+0x13c/0x1f0\n[ 35.169565] pci_device_probe+0x37e/0x6c0\n[ 35.179713]\n[ 35.179993] Freed by task 366:\n[ 35.180539] kasan_set_track+0x4c/0x80\n[ 35.181211] kasan_set_free_info+0x1f/0x40\n[ 35.181942] ____kasan_slab_free+0x103/0x140\n[ 35.182703] kfree+0xe3/0x250\n[ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf]\n[ 35.184040] local_pci_probe+0x13c/0x1f0",
"id": "GHSA-j6pm-8m22-4px5",
"modified": "2024-08-27T03:30:45Z",
"published": "2024-06-19T15:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47589"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74a16e062b23332d8db017ff4a41e16279c44411"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/79d9b092035dcdbe636b70433149df9cc6db1e49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8addba6cab94ce01686ea2e80ed1530f9dc33a9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d0c927a9fb2b4065230936b77b54f857a3754fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/944b8be08131f5faf2cd2440aa1c24a39a163a54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6d335a60dc624c0d279333b22c737faa765b028"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc9b655bb84f1be283293dfea94dff9a31b106ac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffe1695b678729edec04037e691007900a2b2beb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J77R-52JV-WG32
Vulnerability from github – Published: 2022-04-23 00:03 – Updated: 2022-05-04 00:00There is a pointer double free vulnerability in Some MIUI Services. When a function is called, the memory pointer is copied to two function modules, and an attacker can cause the pointer to be repeatedly released through malicious operations, resulting in the affected module crashing and affecting normal functionality, and if successfully exploited the vulnerability can cause elevation of privileges.
{
"affected": [],
"aliases": [
"CVE-2020-14123"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-22T16:15:00Z",
"severity": "HIGH"
},
"details": "There is a pointer double free vulnerability in Some MIUI Services. When a function is called, the memory pointer is copied to two function modules, and an attacker can cause the pointer to be repeatedly released through malicious operations, resulting in the affected module crashing and affecting normal functionality, and if successfully exploited the vulnerability can cause elevation of privileges.",
"id": "GHSA-j77r-52jv-wg32",
"modified": "2022-05-04T00:00:36Z",
"published": "2022-04-23T00:03:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14123"
},
{
"type": "WEB",
"url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8CJ-HW74-64JV
Vulnerability from github – Published: 2026-02-28 02:48 – Updated: 2026-02-28 02:48Drop implementation for Hive did perform free, but so did Hive::close, which, at the end of the scope performed Drop, therefore triggering double-free.
Additionally, function Hive::from_handle was not marked as unsafe, making it, in combination with as_handle easy to clone and trigger double-free in safe code or triggering UB when using invalid pointer.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "hivex"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.2.0"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-28T02:48:45Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`Drop` implementation for `Hive` did perform free, but so did `Hive::close`, which, at the end of the scope performed `Drop`, therefore triggering double-free.\n\nAdditionally, function `Hive::from_handle` was not marked as unsafe, making it, in combination with `as_handle` easy to clone and trigger double-free in safe code or triggering UB when using invalid pointer.",
"id": "GHSA-j8cj-hw74-64jv",
"modified": "2026-02-28T02:48:45Z",
"published": "2026-02-28T02:48:45Z",
"references": [
{
"type": "WEB",
"url": "https://codeberg.org/1millibyte/toolsnt/commit/f4c7a0d1fc4a08ce40bb76e447a69a6f383a916e"
},
{
"type": "WEB",
"url": "https://codeberg.org/1millibyte/toolsnt/issues/18"
},
{
"type": "WEB",
"url": "https://docs.rs/crate/hivex"
},
{
"type": "WEB",
"url": "https://docs.rs/crate/hivex/0.2.1/source"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0029.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Hive has Double-free and Use After Free Vulnerabilities"
}
GHSA-J8PJ-VHJM-P7G6
Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-11-17 18:30In the Linux kernel, the following vulnerability has been resolved:
net_sched: drr: Fix double list add in class with netem as child qdisc
As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.
In addition to checking for qlen being zero, this patch checks whether the class was already added to the active_list (cl_is_active) before adding to the list to cover for the reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
{
"affected": [],
"aliases": [
"CVE-2025-37915"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T16:15:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: drr: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc\u0027s enqueue callback reentrant.\nIn the case of drr, there won\u0027t be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether the\nclass was already added to the active_list (cl_is_active) before adding\nto the list to cover for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/",
"id": "GHSA-j8pj-vhjm-p7g6",
"modified": "2025-11-17T18:30:23Z",
"published": "2025-05-20T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37915"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26e75716b94d6ff9be5ea07d63675c4d189f30b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2968632880f1792007eedd12eeedf7f6e2b7e9f3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4b07ac06b0a712923255aaf2691637693fc7100d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4f0ecf50cdf76da95828578a92f130b653ac2fcf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5da3aad1a13e7edb8ff0778a444ccf49930313e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab2248110738d4429668140ad22f530a9ee730e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db205b92dfe0501e5b92fb7cf00971d0e44ba3eb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f99a3fbf023e20b626be4b0f042463d598050c9a"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.