CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-P9GF-GMFV-398M
Vulnerability from github – Published: 2021-08-25 20:54 – Updated: 2023-03-30 23:01An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "slice-deque"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29938"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:14:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An issue was discovered in the slice-deque crate through 2021-02-19 for Rust. A double drop can occur in SliceDeque::drain_filter upon a panic in a predicate function.",
"id": "GHSA-p9gf-gmfv-398m",
"modified": "2023-03-30T23:01:08Z",
"published": "2021-08-25T20:54:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29938"
},
{
"type": "WEB",
"url": "https://github.com/gnzlbg/slice_deque/issues/90"
},
{
"type": "PACKAGE",
"url": "https://github.com/gnzlbg/slice_deque"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0047.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double free in slice-deque"
}
GHSA-PCWC-3RJ4-GJ54
Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2025-03-07 18:30A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.
{
"affected": [],
"aliases": [
"CVE-2022-3707"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-460"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.",
"id": "GHSA-pcwc-3rj4-gj54",
"modified": "2025-03-07T18:30:58Z",
"published": "2023-03-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137979"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz%40163.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz@163.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFH4-6F3V-4MWM
Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2025-01-14 15:30In the Linux kernel, the following vulnerability has been resolved:
tun: avoid double free in tun_free_netdev
Avoid double free in tun_free_netdev() by moving the dev->tstats and tun->security allocs to a new ndo_init routine (tun_net_init()) that will be called by register_netdevice(). ndo_init is paired with the desctructor (tun_free_netdev()), so if there's an error in register_netdevice() the destructor will handle the frees.
BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1 Hardware name: Red Hat KVM, BIOS Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372 _kasanslab_free mm/kasan/common.c:346 [inline] kasan_slab_free+0x107/0x120 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:1723 [inline] slab_free_freelist_hook mm/slub.c:1749 [inline] slab_free mm/slub.c:3513 [inline] kfree+0xac/0x2d0 mm/slub.c:4561 selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605 security_tun_dev_free_security+0x4f/0x90 security/security.c:2342 tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215 netdev_run_todo+0x4df/0x840 net/core/dev.c:10627 rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112 __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302 tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae
{
"affected": [],
"aliases": [
"CVE-2021-47082"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T18:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: avoid double free in tun_free_netdev\n\nAvoid double free in tun_free_netdev() by moving the\ndev-\u003etstats and tun-\u003esecurity allocs to a new ndo_init routine\n(tun_net_init()) that will be called by register_netdevice().\nndo_init is paired with the desctructor (tun_free_netdev()),\nso if there\u0027s an error in register_netdevice() the destructor\nwill handle the frees.\n\nBUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\n\nCPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1\nHardware name: Red Hat KVM, BIOS\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106\nprint_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247\nkasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372\n____kasan_slab_free mm/kasan/common.c:346 [inline]\n__kasan_slab_free+0x107/0x120 mm/kasan/common.c:374\nkasan_slab_free include/linux/kasan.h:235 [inline]\nslab_free_hook mm/slub.c:1723 [inline]\nslab_free_freelist_hook mm/slub.c:1749 [inline]\nslab_free mm/slub.c:3513 [inline]\nkfree+0xac/0x2d0 mm/slub.c:4561\nselinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605\nsecurity_tun_dev_free_security+0x4f/0x90 security/security.c:2342\ntun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215\nnetdev_run_todo+0x4df/0x840 net/core/dev.c:10627\nrtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112\n__tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302\ntun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:874 [inline]\n__se_sys_ioctl fs/ioctl.c:860 [inline]\n__x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae",
"id": "GHSA-pfh4-6f3v-4mwm",
"modified": "2025-01-14T15:30:47Z",
"published": "2024-03-04T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47082"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c0e566f0387490d16f166808c72e9c772027681"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/158b515f703e75e7d68289bf4d98c664e1d632df"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8eb43d635950e27c29f1e9e49a23b31637f37757"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a01a4e9f5dc93335c716fa4023b1901956e8c904"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFJW-R4VX-PMFW
Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-02 21:32A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2026-58381"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T20:17:06Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GIMP\u0027s PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.",
"id": "GHSA-pfjw-r4vx-pmfw",
"modified": "2026-07-02T21:32:12Z",
"published": "2026-07-02T21:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-58381"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496166"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/b22e147b"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16207"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQF-MV4P-9J4R
Vulnerability from github – Published: 2025-07-04 09:31 – Updated: 2026-05-19 15:31A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.
{
"affected": [],
"aliases": [
"CVE-2025-5351"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T09:15:37Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.",
"id": "GHSA-pfqf-mv4p-9j4r",
"modified": "2026-05-19T15:31:18Z",
"published": "2025-07-04T09:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5351"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-5351"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PG9C-CVP2-XX3J
Vulnerability from github – Published: 2026-01-14 03:30 – Updated: 2026-01-14 03:30Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function.
{
"affected": [],
"aliases": [
"CVE-2025-68968"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T03:15:51Z",
"severity": "HIGH"
},
"details": "Double free vulnerability in the multi-mode input module.\nImpact: Successful exploitation of this vulnerability may affect the input function.",
"id": "GHSA-pg9c-cvp2-xx3j",
"modified": "2026-01-14T03:30:26Z",
"published": "2026-01-14T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68968"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/1"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PG9F-39PC-QF8G
Vulnerability from github – Published: 2025-04-10 14:30 – Updated: 2025-09-25 21:13The internal Channel type's Drop method has a race
which could, in some circumstances, lead to a double-free.
This could result in memory corruption.
Quoting from the upstream description in merge request #1187:
The problem lies in the fact that
dicard_all_messagescontained two paths that could lead tohead.blockbeing read but only one of them would swap the value. This meant thatdicard_all_messagescould end up observing a non-null block pointer (and therefore attempting to free it) without settinghead.blockto null. This would then lead toChannel::dropmaking a second attempt at dropping the same pointer.
The bug was introduced while fixing a memory leak, in upstream MR #1084, first published in 0.5.12.
The fix is in upstream MR #1187 and has been published in 0.5.15
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "crossbeam-channel"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.12"
},
{
"fixed": "0.5.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4574"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T14:30:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The internal `Channel` type\u0027s `Drop` method has a race\nwhich could, in some circumstances, lead to a double-free.\nThis could result in memory corruption.\n\nQuoting from the\n[upstream description in merge request \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187#issue-2980761131):\n\n\u003e The problem lies in the fact that `dicard_all_messages` contained two paths that could lead to `head.block` being read but only one of them would swap the value. This meant that `dicard_all_messages` could end up observing a non-null block pointer (and therefore attempting to free it) without setting `head.block` to null. This would then lead to `Channel::drop` making a second attempt at dropping the same pointer.\n\nThe bug was introduced while fixing a memory leak, in\nupstream [MR \\#1084](https://github.com/crossbeam-rs/crossbeam/pull/1084),\nfirst published in 0.5.12.\n\nThe fix is in\nupstream [MR \\#1187](https://github.com/crossbeam-rs/crossbeam/pull/1187)\nand has been published in 0.5.15",
"id": "GHSA-pg9f-39pc-qf8g",
"modified": "2025-09-25T21:13:01Z",
"published": "2025-04-10T14:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4574"
},
{
"type": "WEB",
"url": "https://github.com/crossbeam-rs/crossbeam/pull/1187"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4574"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358890"
},
{
"type": "PACKAGE",
"url": "https://github.com/crossbeam-rs/crossbeam"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "crossbeam-channel Vulnerable to Double Free on Drop"
}
GHSA-PGH3-M69X-G87P
Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:33Memory corruption in Linux android due to double free while calling unregister provider after register call.
{
"affected": [],
"aliases": [
"CVE-2022-33227"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T08:15:10Z",
"severity": "HIGH"
},
"details": "Memory corruption in Linux android due to double free while calling unregister provider after register call.",
"id": "GHSA-pgh3-m69x-g87p",
"modified": "2024-04-04T04:33:37Z",
"published": "2023-06-06T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33227"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PGMH-HMFG-8GWJ
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-09-20 00:30A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement in used in a notification statement. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
{
"affected": [],
"aliases": [
"CVE-2019-20394"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-22T22:15:00Z",
"severity": "MODERATE"
},
"details": "A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement in used in a notification statement. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.",
"id": "GHSA-pgmh-hmfg-8gwj",
"modified": "2023-09-20T00:30:15Z",
"published": "2022-05-24T17:07:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20394"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/issues/769"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/commit/6cc51b1757dfbb7cff92de074ada65e8523289a6"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793932"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/compare/v1.0-r2...v1.0-r3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHFR-35GX-VF86
Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-18 15:30In the Linux kernel, the following vulnerability has been resolved:
drm/xe/nvm: Fix double-free on aux add failure
After a successful auxiliary_device_init(), aux_dev->dev.release (xe_nvm_release_dev()) is responsible for the kfree(nvm). When there is failure with auxiliary_device_add(), driver will call auxiliary_device_uninit(), which call put_device(). So that the .release callback will be triggered to free the memory associated with the auxiliary_device.
Move the kfree(nvm) into the auxiliary_device_init() failure path and remove the err goto path to fix below error.
" [ 13.232905] ================================================================== [ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe] [ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273
[ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary) ... [ 13.233125] Call Trace: [ 13.233126] [ 13.233127] dump_stack_lvl+0x7f/0xc0 [ 13.233132] print_report+0xce/0x610 [ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0 [ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe] ... "
v2: drop err goto path. (Alexander)
(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)
{
"affected": [],
"aliases": [
"CVE-2026-23162"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-14T16:15:56Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/nvm: Fix double-free on aux add failure\n\nAfter a successful auxiliary_device_init(), aux_dev-\u003edev.release\n(xe_nvm_release_dev()) is responsible for the kfree(nvm). When\nthere is failure with auxiliary_device_add(), driver will call\nauxiliary_device_uninit(), which call put_device(). So that the\n.release callback will be triggered to free the memory associated\nwith the auxiliary_device.\n\nMove the kfree(nvm) into the auxiliary_device_init() failure path\nand remove the err goto path to fix below error.\n\n\"\n[ 13.232905] ==================================================================\n[ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe]\n[ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273\n\n[ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary)\n...\n[ 13.233125] Call Trace:\n[ 13.233126] \u003cTASK\u003e\n[ 13.233127] dump_stack_lvl+0x7f/0xc0\n[ 13.233132] print_report+0xce/0x610\n[ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0\n[ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe]\n...\n\"\n\nv2: drop err goto path. (Alexander)\n\n(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)",
"id": "GHSA-phfr-35gx-vf86",
"modified": "2026-03-18T15:30:40Z",
"published": "2026-02-14T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23162"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/32887d8e4bc0696b3cb6c5915a42b39cfd3434f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8a44241b0b83a6047c5448da1fff03fcc29496b5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.