Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-J9F5-MV8W-78QJ

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: zfcp: Fix double free of FSF request when qdio send fails

We used to use the wrong type of integer in 'zfcp_fsf_req_send()' to cache the FSF request ID when sending a new FSF request. This is used in case the sending fails and we need to remove the request from our internal hash table again (so we don't keep an invalid reference and use it when we free the request again).

In 'zfcp_fsf_req_send()' we used to cache the ID as 'int' (signed and 32 bit wide), but the rest of the zfcp code (and the firmware specification) handles the ID as 'unsigned long'/'u64' (unsigned and 64 bit wide [s390x ELF ABI]). For one this has the obvious problem that when the ID grows past 32 bit (this can happen reasonably fast) it is truncated to 32 bit when storing it in the cache variable and so doesn't match the original ID anymore. The second less obvious problem is that even when the original ID has not yet grown past 32 bit, as soon as the 32nd bit is set in the original ID (0x80000000 = 2'147'483'648) we will have a mismatch when we cast it back to 'unsigned long'. As the cached variable is of a signed type, the compiler will choose a sign-extending instruction to load the 32 bit variable into a 64 bit register (e.g.: 'lgf %r11,188(%r15)'). So once we pass the cached variable into 'zfcp_reqlist_find_rm()' to remove the request again all the leading zeros will be flipped to ones to extend the sign and won't match the original ID anymore (this has been observed in practice).

If we can't successfully remove the request from the hash table again after 'zfcp_qdio_send()' fails (this happens regularly when zfcp cannot notify the adapter about new work because the adapter is already gone during e.g. a ChpID toggle) we will end up with a double free. We unconditionally free the request in the calling function when 'zfcp_fsf_req_send()' fails, but because the request is still in the hash table we end up with a stale memory reference, and once the zfcp adapter is either reset during recovery or shutdown we end up freeing the same memory twice.

The resulting stack traces vary depending on the kernel and have no direct correlation to the place where the bug occurs. Here are three examples that have been seen in practice:

list_del corruption. next->prev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:62! monitor event: 0040 ilc:2 [#1] PREEMPT SMP Modules linked in: ... CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded Hardware name: ... Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6 0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8 00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800 00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70 Krnl Code: 00000003cbeea1e8: c020004f68a7 larl %r2,00000003cc8d7336 00000003cbeea1ee: c0e50027fd65 brasl %r14,00000003cc3e9cb8 #00000003cbeea1f4: af000000 mc 0,0 >00000003cbeea1f8: c02000920440 larl %r2,00000003cd12aa78 00000003cbeea1fe: c0e500289c25 brasl %r14,00000003cc3fda48 00000003cbeea204: b9040043 lgr %r4,%r3 00000003cbeea208: b9040051 lgr %r5,%r1 00000003cbeea20c: b9040032 lgr %r3,%r2 Call Trace: [<00000003cbeea1f8>] __list_del_entry_valid+0x98/0x140 ([<00000003cbeea1f4>] __list_del_entry_valid+0x94/0x140) [<000003ff7ff502fe>] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp] [<000003ff7ff49cd0>] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp] ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:02Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: zfcp: Fix double free of FSF request when qdio send fails\n\nWe used to use the wrong type of integer in \u0027zfcp_fsf_req_send()\u0027 to cache\nthe FSF request ID when sending a new FSF request. This is used in case the\nsending fails and we need to remove the request from our internal hash\ntable again (so we don\u0027t keep an invalid reference and use it when we free\nthe request again).\n\nIn \u0027zfcp_fsf_req_send()\u0027 we used to cache the ID as \u0027int\u0027 (signed and 32\nbit wide), but the rest of the zfcp code (and the firmware specification)\nhandles the ID as \u0027unsigned long\u0027/\u0027u64\u0027 (unsigned and 64 bit wide [s390x\nELF ABI]).  For one this has the obvious problem that when the ID grows\npast 32 bit (this can happen reasonably fast) it is truncated to 32 bit\nwhen storing it in the cache variable and so doesn\u0027t match the original ID\nanymore.  The second less obvious problem is that even when the original ID\nhas not yet grown past 32 bit, as soon as the 32nd bit is set in the\noriginal ID (0x80000000 = 2\u0027147\u0027483\u0027648) we will have a mismatch when we\ncast it back to \u0027unsigned long\u0027. As the cached variable is of a signed\ntype, the compiler will choose a sign-extending instruction to load the 32\nbit variable into a 64 bit register (e.g.: \u0027lgf %r11,188(%r15)\u0027). So once\nwe pass the cached variable into \u0027zfcp_reqlist_find_rm()\u0027 to remove the\nrequest again all the leading zeros will be flipped to ones to extend the\nsign and won\u0027t match the original ID anymore (this has been observed in\npractice).\n\nIf we can\u0027t successfully remove the request from the hash table again after\n\u0027zfcp_qdio_send()\u0027 fails (this happens regularly when zfcp cannot notify\nthe adapter about new work because the adapter is already gone during\ne.g. a ChpID toggle) we will end up with a double free.  We unconditionally\nfree the request in the calling function when \u0027zfcp_fsf_req_send()\u0027 fails,\nbut because the request is still in the hash table we end up with a stale\nmemory reference, and once the zfcp adapter is either reset during recovery\nor shutdown we end up freeing the same memory twice.\n\nThe resulting stack traces vary depending on the kernel and have no direct\ncorrelation to the place where the bug occurs. Here are three examples that\nhave been seen in practice:\n\n  list_del corruption. next-\u003eprev should be 00000001b9d13800, but was 00000000dead4ead. (next=00000001bd131a00)\n  ------------[ cut here ]------------\n  kernel BUG at lib/list_debug.c:62!\n  monitor event: 0040 ilc:2 [#1] PREEMPT SMP\n  Modules linked in: ...\n  CPU: 9 PID: 1617 Comm: zfcperp0.0.1740 Kdump: loaded\n  Hardware name: ...\n  Krnl PSW : 0704d00180000000 00000003cbeea1f8 (__list_del_entry_valid+0x98/0x140)\n             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3\n  Krnl GPRS: 00000000916d12f1 0000000080000000 000000000000006d 00000003cb665cd6\n             0000000000000001 0000000000000000 0000000000000000 00000000d28d21e8\n             00000000d3844000 00000380099efd28 00000001bd131a00 00000001b9d13800\n             00000000d3290100 0000000000000000 00000003cbeea1f4 00000380099efc70\n  Krnl Code: 00000003cbeea1e8: c020004f68a7        larl    %r2,00000003cc8d7336\n             00000003cbeea1ee: c0e50027fd65        brasl   %r14,00000003cc3e9cb8\n            #00000003cbeea1f4: af000000            mc      0,0\n            \u003e00000003cbeea1f8: c02000920440        larl    %r2,00000003cd12aa78\n             00000003cbeea1fe: c0e500289c25        brasl   %r14,00000003cc3fda48\n             00000003cbeea204: b9040043            lgr     %r4,%r3\n             00000003cbeea208: b9040051            lgr     %r5,%r1\n             00000003cbeea20c: b9040032            lgr     %r3,%r2\n  Call Trace:\n   [\u003c00000003cbeea1f8\u003e] __list_del_entry_valid+0x98/0x140\n  ([\u003c00000003cbeea1f4\u003e] __list_del_entry_valid+0x94/0x140)\n   [\u003c000003ff7ff502fe\u003e] zfcp_fsf_req_dismiss_all+0xde/0x150 [zfcp]\n   [\u003c000003ff7ff49cd0\u003e] zfcp_erp_strategy_do_action+0x160/0x280 [zfcp]\n---truncated---",
  "id": "GHSA-j9f5-mv8w-78qj",
  "modified": "2025-11-07T21:31:17Z",
  "published": "2025-05-01T15:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49789"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0954256e970ecf371b03a6c9af2cf91b9c4085ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/11edbdee4399401f533adda9bffe94567aa08b96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1bf8ed585501bb2dd0b5f67c824eab45adfbdccd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/90a49a6b015fa439cd62e45121390284c125a91f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d2c7d8f58e9cde8ac8d1f75e9d66c2a813ffe0ab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC77-R77V-VCQH

Vulnerability from github – Published: 2022-05-14 03:48 – Updated: 2022-05-14 03:48
VLAI
Details

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, concurrent rx notifications and read() operations in the G-Link PKT driver can result in a double free condition due to missing locking resulting in list_del() and list_add() overlapping and corrupting the next and previous pointers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-10T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, concurrent rx notifications and read() operations in the G-Link PKT driver can result in a double free condition due to missing locking resulting in list_del() and list_add() overlapping and corrupting the next and previous pointers.",
  "id": "GHSA-jc77-r77v-vcqh",
  "modified": "2022-05-14T03:48:33Z",
  "published": "2022-05-14T03:48:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9705"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCJ9-H5MG-PR5C

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-20T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.",
  "id": "GHSA-jcj9-h5mg-pr5c",
  "modified": "2022-05-13T01:27:30Z",
  "published": "2022-05-13T01:27:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libgd/libgd/issues/447"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201903-18"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3755-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCM3-CQ3V-4492

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2022-09-22 00:00
VLAI
Details

Double free vulnerability in the storage module. Successful exploitation of this vulnerability will cause the memory to be freed twice.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-16T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Double free vulnerability in the storage module. Successful exploitation of this vulnerability will cause the memory to be freed twice.",
  "id": "GHSA-jcm3-cq3v-4492",
  "modified": "2022-09-22T00:00:31Z",
  "published": "2022-09-17T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39002"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/9"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202210-0000001416095697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JFP4-PV53-RV88

Vulnerability from github – Published: 2024-11-07 12:30 – Updated: 2024-11-13 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix possible double free in smb2_set_ea()

Clang static checker(scan-build) warning: fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory. 1304 | kfree(ea); | ^~~~~~~~~

There is a double free in such case: 'ea is initialized to NULL' -> 'first successful memory allocation for ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea' -> 'goto replay_again' -> 'second goto sea_exit before allocate memory for ea' -> 'second memory release for ea resulted in double free'.

Re-initialie 'ea' to NULL near to the replay_again label, it can fix this double free problem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-07T10:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix possible double free in smb2_set_ea()\n\nClang static checker(scan-build) warning\uff1a\nfs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.\n 1304 |         kfree(ea);\n      |         ^~~~~~~~~\n\nThere is a double free in such case:\n\u0027ea is initialized to NULL\u0027 -\u003e \u0027first successful memory allocation for\nea\u0027 -\u003e \u0027something failed, goto sea_exit\u0027 -\u003e \u0027first memory release for ea\u0027\n-\u003e \u0027goto replay_again\u0027 -\u003e \u0027second goto sea_exit before allocate memory\nfor ea\u0027 -\u003e \u0027second memory release for ea resulted in double free\u0027.\n\nRe-initialie \u0027ea\u0027 to NULL near to the replay_again label, it can fix this\ndouble free problem.",
  "id": "GHSA-jfp4-pv53-rv88",
  "modified": "2024-11-13T15:31:37Z",
  "published": "2024-11-07T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50152"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19ebc1e6cab334a8193398d4152deb76019b5d34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b1813c220b76f60b1727984794377c4aa849d4c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9f758ecf2562dfdd4adf12c22921b5de8366123"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JFRH-W252-Q2H4

Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-06-22 18:34
VLAI
Details

The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parse_def() fails to check return values before continuing, causing snd_config_delete() to be called twice on the same already-freed node, resulting in a NULL-pointer write or invalid memory read.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T18:16:48Z",
    "severity": "HIGH"
  },
  "details": "The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parse_def() fails to check return values before continuing, causing snd_config_delete() to be called twice on the same already-freed node, resulting in a NULL-pointer write or invalid memory read.",
  "id": "GHSA-jfrh-w252-q2h4",
  "modified": "2026-06-22T18:34:18Z",
  "published": "2026-06-22T18:34:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alsa-project/alsa-lib/commit/536dd6f8affdf5197c12a63a71c92a70b2833cc0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alsa-project/alsa-lib/releases/tag/v1.2.16.1"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/alsa-devel/CAGt8pqBU0p2voB+qHxWGcNJrKHAcBhAyHUUBPLBN-Yj_SiV6MQ@mail.gmail.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/alsa-library-double-free-via-parse-def-in-conf-c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JFRX-9667-J4W3

Vulnerability from github – Published: 2025-09-16 18:31 – Updated: 2025-12-02 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fec: Better handle pm_runtime_get() failing in .remove()

In the (unlikely) event that pm_runtime_get() (disguised as pm_runtime_resume_and_get()) fails, the remove callback returned an error early. The problem with this is that the driver core ignores the error value and continues removing the device. This results in a resource leak. Worse the devm allocated resources are freed and so if a callback of the driver is called later the register mapping is already gone which probably results in a crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T17:15:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Better handle pm_runtime_get() failing in .remove()\n\nIn the (unlikely) event that pm_runtime_get() (disguised as\npm_runtime_resume_and_get()) fails, the remove callback returned an\nerror early. The problem with this is that the driver core ignores the\nerror value and continues removing the device. This results in a\nresource leak. Worse the devm allocated resources are freed and so if a\ncallback of the driver is called later the register mapping is already\ngone which probably results in a crash.",
  "id": "GHSA-jfrx-9667-j4w3",
  "modified": "2025-12-02T00:31:11Z",
  "published": "2025-09-16T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53308"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83996d317b1deddc85006376082e8886f55aa709"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9407454a9b18bbeff216e8ecde87ffb2171e9ccf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b22b514209ff8c4287abb853399890ab97e1b5ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be85912c36ddca3e8b2eef1b5392cd8db6bdb730"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1bc2870f14e526a01897e14c747a0a0ca125231"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d52a0cca591e899d4e5c8ab19e067b4c6b7d104f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e02d8d5b1602689b98d9b91550a11b9b57baedbe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f816b9829b19394d318e01953aa3b2721bca040d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGW3-WF4R-4F7M

Vulnerability from github – Published: 2022-05-14 03:33 – Updated: 2022-05-14 03:33
VLAI
Details

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a Double Free vulnerability exists in Audio Driver while opening a sound compression device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-16T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a Double Free vulnerability exists in Audio Driver while opening a sound compression device.",
  "id": "GHSA-jgw3-wf4r-4f7m",
  "modified": "2022-05-14T03:33:41Z",
  "published": "2022-05-14T03:33:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3560"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH37-772X-4HPW

Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2021-08-24 19:12
VLAI
Summary
Double free in algorithmica
Details

An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. In the affected versions of this crate, merge_sort::merge() wildly duplicates and drops ownership of T without guarding against double-free. Due to such implementation, simply invoking merge_sort::merge() on Vec<T: Drop> can cause double free bugs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "algorithmica"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31996"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T20:52:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. In the affected versions of this crate, `merge_sort::merge()` wildly duplicates and drops ownership of `T` without guarding against double-free. Due to such implementation, simply invoking `merge_sort::merge()` on `Vec\u003cT: Drop\u003e` can cause **double free** bugs.\n",
  "id": "GHSA-jh37-772x-4hpw",
  "modified": "2021-08-24T19:12:12Z",
  "published": "2021-08-25T21:01:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31996"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AbrarNitk/algorithmica/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0053.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Double free in algorithmica"
}

GHSA-JH5H-88QQ-M547

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2024-03-25 03:31
VLAI
Details

hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-21T15:16:00Z",
    "severity": "HIGH"
  },
  "details": "hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.",
  "id": "GHSA-jh5h-88qq-m547",
  "modified": "2024-03-25T03:31:43Z",
  "published": "2022-05-24T19:08:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37159"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1188601"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a6ecfb39ba9d7316057cea823b196b734f6b18ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dcb713d53e2eadf42b878c12a471e74dc6ed3145"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210819-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.spinics.net/lists/linux-usb/msg202228.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.