CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-VC8W-W49C-4JGJ
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-11 00:32Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path.
Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a double-free, potentially leading to a Denial of Service or possibly an attacker controlled code execution or other undefined behavior.
If OCSP stapling is enabled and the TLS client connects to a malicious server, a crafted OCSP stapled response can trigger a double free in the TLS client when the stapled response is checked.
The OCSP stapling is not enabled by default. Reliable code execution through a double-free is technically complex and highly environment-dependent but the Denial of Service impact is straightforward to achieve, warranting Moderate severity.
No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
{
"affected": [],
"aliases": [
"CVE-2026-35188"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:05Z",
"severity": "MODERATE"
},
"details": "Issue summary: A malicious server can exploit TLS OCSP stapling by delivering\na crafted response through the status_request extension, triggering a\ndouble-free in the client\u0027s certificate verification path.\n\nImpact summary: Successful exploitation allows an attacker to corrupt heap\nmemory via a double-free, potentially leading to a Denial of Service or\npossibly an attacker controlled code execution or other undefined behavior.\n\nIf OCSP stapling is enabled and the TLS client connects to a malicious server,\na crafted OCSP stapled response can trigger a double free in the TLS client\nwhen the stapled response is checked.\n\nThe OCSP stapling is not enabled by default. Reliable code execution\nthrough a double-free is technically complex and highly environment-dependent\nbut the Denial of Service impact is straightforward to achieve, warranting\nModerate severity.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary.",
"id": "GHSA-vc8w-w49c-4jgj",
"modified": "2026-06-11T00:32:04Z",
"published": "2026-06-09T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35188"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/131145d25659e8749a9ed1afb383484854cffb78"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/78d0154cffda03aaaac63a087cc523a6b35fa8fd"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/131145d25659e8749a9ed1afb383484854cffb78"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/78d0154cffda03aaaac63a087cc523a6b35fa8fd"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20260609.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VFGJ-WGWR-RG52
Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2022-05-14 01:49In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69129004 References: Upstream kernel.
{
"affected": [],
"aliases": [
"CVE-2018-9415"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-06T17:29:00Z",
"severity": "HIGH"
},
"details": "In driver_override_store and driver_override_show of bus.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-69129004 References: Upstream kernel.",
"id": "GHSA-vfgj-wgwr-rg52",
"modified": "2022-05-14T01:49:49Z",
"published": "2022-05-14T01:49:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9415"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-07-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3752-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3752-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3752-3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFQX-HV88-F9CV
Vulnerability from github – Published: 2021-08-25 20:55 – Updated: 2023-06-13 18:19A double free can occur in get_or_insert upon a panic of a user-provided f function. get_or_insert reserves space for a value, before calling the user provided insertion function f. If the function f panics then uninitialized or previously freed memory can be dropped.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "id-map"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-30456"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:04:13Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "A double free can occur in get_or_insert upon a panic of a user-provided f function. get_or_insert reserves space for a value, before calling the user provided insertion function f. If the function f panics then uninitialized or previously freed memory can be dropped.",
"id": "GHSA-vfqx-hv88-f9cv",
"modified": "2023-06-13T18:19:49Z",
"published": "2021-08-25T20:55:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30456"
},
{
"type": "WEB",
"url": "https://github.com/andrewhickman/id-map/issues/3"
},
{
"type": "PACKAGE",
"url": "https://github.com/andrewhickman/id-map"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0052.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Double-free in id-map"
}
GHSA-VFVV-C25P-M7MM
Vulnerability from github – Published: 2026-05-15 18:09 – Updated: 2026-05-15 18:09InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value.
A subsequent invocation of clear() on the same container then re-visits the already-freed elements:
InlineVec::clear()is called again fromInlineVec's ownDropimplementation when the value is later dropped.SerVec::clear()is called again bySerVec::with_capacity()after the user closure returns.
Technical Impact
- CWE-415 (Double Free): Heap corruption when element type holds
Box<T> - CWE-416 (Use-After-Free): Memory corruption when element reads from heap during
Drop
Both vulnerabilities are triggerable entirely from safe Rust via std::panic::catch_unwind and require no special privileges.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rkyv"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-15T18:09:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe. Both functions iterate over their elements and call `drop_in_place` on each, updating `self.len` only *after* the loop. If an element\u0027s `Drop` implementation panics during the loop, `self.len` is left at its original value.\n\nA subsequent invocation of `clear()` on the same container then re-visits the already-freed elements:\n\n- `InlineVec::clear()` is called again from `InlineVec`\u0027s own `Drop` implementation when the value is later dropped.\n- `SerVec::clear()` is called again by `SerVec::with_capacity()` after the user closure returns.\n\n\n## Technical Impact\n\n- **CWE-415 (Double Free):** Heap corruption when element type holds `Box\u003cT\u003e` \n- **CWE-416 (Use-After-Free):** Memory corruption when element reads from heap during `Drop`\n\nBoth vulnerabilities are triggerable entirely from safe Rust via `std::panic::catch_unwind` and require no special privileges.",
"id": "GHSA-vfvv-c25p-m7mm",
"modified": "2026-05-15T18:09:10Z",
"published": "2026-05-15T18:09:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rkyv/rkyv/commit/5828cf5c27b664eb4432c4a93d4769e12e5e42fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/rkyv/rkyv"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0122.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution"
}
GHSA-VG9C-MRP6-2MH9
Vulnerability from github – Published: 2025-12-02 03:31 – Updated: 2025-12-02 15:30In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.
{
"affected": [],
"aliases": [
"CVE-2025-20765"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T03:16:17Z",
"severity": "MODERATE"
},
"details": "In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.",
"id": "GHSA-vg9c-mrp6-2mh9",
"modified": "2025-12-02T15:30:30Z",
"published": "2025-12-02T03:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20765"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHPG-M2R9-345P
Vulnerability from github – Published: 2024-04-03 15:30 – Updated: 2025-01-07 21:30In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: fix double-free bug
The storage for the TLV PC register data wasn't done like all the other storage in the drv->fw area, which is cleared at the end of deallocation. Therefore, the freeing must also be done differently, explicitly NULL'ing it out after the free, since otherwise there's a nasty double-free bug here if a file fails to load after this has been parsed, and we get another free later (e.g. because no other file exists.) Fix that by adding the missing NULL assignment.
{
"affected": [],
"aliases": [
"CVE-2024-26694"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T15:15:52Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: fix double-free bug\n\nThe storage for the TLV PC register data wasn\u0027t done like all\nthe other storage in the drv-\u003efw area, which is cleared at the\nend of deallocation. Therefore, the freeing must also be done\ndifferently, explicitly NULL\u0027ing it out after the free, since\notherwise there\u0027s a nasty double-free bug here if a file fails\nto load after this has been parsed, and we get another free\nlater (e.g. because no other file exists.) Fix that by adding\nthe missing NULL assignment.",
"id": "GHSA-vhpg-m2r9-345p",
"modified": "2025-01-07T21:30:54Z",
"published": "2024-04-03T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26694"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/353d321f63f7dbfc9ef58498cc732c9fe886a596"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab9d4bb9a1892439b3123fc52b19e32b9cdf80ad"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d24eb9a27bea8fe5237fa71be274391d9d51eff2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ5H-R2W5-X428
Vulnerability from github – Published: 2023-10-02 03:30 – Updated: 2024-04-04 07:59In rpmb , there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07912966; Issue ID: ALPS07912961.
{
"affected": [],
"aliases": [
"CVE-2023-32824"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-02T03:15:10Z",
"severity": "MODERATE"
},
"details": "In rpmb , there is a possible double free due to improper locking. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07912966; Issue ID: ALPS07912961.",
"id": "GHSA-vj5h-r2w5-x428",
"modified": "2024-04-04T07:59:45Z",
"published": "2023-10-02T03:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32824"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/October-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ9C-27HG-W432
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-02-03 18:30In the Linux kernel, the following vulnerability has been resolved:
clk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe()
'clk_data' is allocated with mtk_devm_alloc_clk_data(). So calling mtk_free_clk_data() explicitly in the remove function would lead to a double-free.
Remove the redundant call.
{
"affected": [],
"aliases": [
"CVE-2024-27433"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T13:15:57Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: mt7622-apmixedsys: Fix an error handling path in clk_mt8135_apmixed_probe()\n\n\u0027clk_data\u0027 is allocated with mtk_devm_alloc_clk_data(). So calling\nmtk_free_clk_data() explicitly in the remove function would lead to a\ndouble-free.\n\nRemove the redundant call.",
"id": "GHSA-vj9c-27hg-w432",
"modified": "2025-02-03T18:30:36Z",
"published": "2024-05-17T15:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27433"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a32e88f2b20259f5fe4f8eed598bbc85dc4879ed"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de3340533bd68a7b3d6be1841b8eb3fa6c762fe6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f3633fed984f1db106ff737a0bb52fadb2d89ac7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa761ce7a1d15cca1a306b3635f81a22b15fee5b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP3H-9CW2-WJF4
Vulnerability from github – Published: 2025-10-15 21:31 – Updated: 2025-10-15 21:31A double free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, watchOS 11.6, tvOS 18.6, visionOS 2.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7, iPadOS 17.7.9. An app may be able to cause unexpected system termination.
{
"affected": [],
"aliases": [
"CVE-2025-43282"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T20:15:35Z",
"severity": "MODERATE"
},
"details": "A double free issue was addressed with improved memory management. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, watchOS 11.6, tvOS 18.6, visionOS 2.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7, iPadOS 17.7.9. An app may be able to cause unexpected system termination.",
"id": "GHSA-vp3h-9cw2-wjf4",
"modified": "2025-10-15T21:31:40Z",
"published": "2025-10-15T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43282"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124147"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124148"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124149"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124150"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124151"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124153"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124154"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/124155"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPQ6-J9HP-2H3W
Vulnerability from github – Published: 2025-06-04 15:30 – Updated: 2025-06-04 21:31An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.
{
"affected": [],
"aliases": [
"CVE-2025-23096"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-04T15:15:23Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400. A Double Free in the mobile processor leads to privilege escalation.",
"id": "GHSA-vpq6-j9hp-2h3w",
"modified": "2025-06-04T21:31:14Z",
"published": "2025-06-04T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23096"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-23096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.