Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-W6PP-P9R9-CVM4

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-26 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: core: Fix double-free of fwnode in i2c_unregister_device()

Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node).

But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it.

When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it.

But for the software fwnode device_remove_software_node() will also put() it leading to a double free:

[ 82.665598] ------------[ cut here ]------------ [ 82.665609] refcount_t: underflow; use-after-free. [ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11 ... [ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110 ... [ 82.666962] [ 82.666971] i2c_unregister_device+0x60/0x90

Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Fix double-free of fwnode in i2c_unregister_device()\n\nBefore commit df6d7277e552 (\"i2c: core: Do not dereference fwnode in struct\ndevice\"), i2c_unregister_device() only called fwnode_handle_put() on\nof_node-s in the form of calling of_node_put(client-\u003edev.of_node).\n\nBut after this commit the i2c_client\u0027s fwnode now unconditionally gets\nfwnode_handle_put() on it.\n\nWhen the i2c_client has no primary (ACPI / OF) fwnode but it does have\na software fwnode, the software-node will be the primary node and\nfwnode_handle_put() will put() it.\n\nBut for the software fwnode device_remove_software_node() will also put()\nit leading to a double free:\n\n[   82.665598] ------------[ cut here ]------------\n[   82.665609] refcount_t: underflow; use-after-free.\n[   82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11\n...\n[   82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110\n...\n[   82.666962]  \u003cTASK\u003e\n[   82.666971]  i2c_unregister_device+0x60/0x90\n\nFix this by not calling fwnode_handle_put() when the primary fwnode is\na software-node.",
  "id": "GHSA-w6pp-p9r9-cvm4",
  "modified": "2025-11-26T00:30:16Z",
  "published": "2025-09-05T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38682"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ffe02f7c4e36090154646612e67d331832f92037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W6RG-W5MQ-2RVV

Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30
VLAI
Details

Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T18:15:36Z",
    "severity": "HIGH"
  },
  "details": "Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-w6rg-w5mq-2rvv",
  "modified": "2025-11-11T18:30:20Z",
  "published": "2025-11-11T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59505"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7C8-V5H2-32FF

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-11T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.",
  "id": "GHSA-w7c8-v5h2-32ff",
  "modified": "2022-05-24T17:47:04Z",
  "published": "2022-05-24T17:47:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36318"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/rust/issues/79808"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/rust/pull/79814"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W88P-XVMW-FXGG

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12
VLAI
Details

GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-25T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.",
  "id": "GHSA-w88p-xvmw-fxgg",
  "modified": "2022-05-24T17:12:37Z",
  "published": "2022-05-24T17:12:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20633"
    },
    {
      "type": "WEB",
      "url": "https://savannah.gnu.org/bugs/index.php?56683"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W8WP-RV4W-H5PP

Vulnerability from github – Published: 2023-02-28 18:30 – Updated: 2025-03-21 21:31
VLAI
Details

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-28T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Sudo before 1.9.13p2 has a double free in the per-command chroot feature.",
  "id": "GHSA-w8wp-rv4w-h5pp",
  "modified": "2025-03-21T21:31:33Z",
  "published": "2023-02-28T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27320"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202309-12"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230413-0009"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/02/28/1"
    },
    {
      "type": "WEB",
      "url": "https://www.sudo.ws/releases/stable/#1.9.13p2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/03/01/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8XW-FCH8-G9JQ

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix double uncharge the mem of sk_msg

If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed.

tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free()

The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error.

This issue can cause the following info: WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:57Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix double uncharge the mem of sk_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation, psock may be\nfreed.\n\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n  sk_msg_return()\n  tcp_bpf_sendmsg_redir()\n   unlikely(!psock))\n     sk_msg_free()\n\nThe mem of msg has been uncharged in tcp_bpf_send_verdict() by\nsk_msg_return(), and would be uncharged by sk_msg_free() again. When psock\nis null, we can simply returning an error code, this would then trigger\nthe sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have\nthe side effect of throwing an error up to user space. This would be a\nslight change in behavior from user side but would look the same as an\nerror if the redirect on the socket threw an error.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e",
  "id": "GHSA-w8xw-fch8-g9jq",
  "modified": "2025-09-22T21:30:15Z",
  "published": "2025-09-22T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49205"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd84ea3920aef936c559b63099ef0013ce6b2325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W945-7MFQ-G3P5

Vulnerability from github – Published: 2022-05-17 00:32 – Updated: 2022-05-17 00:32
VLAI
Details

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possible double free/use after free in the SPS driver when debugfs logging is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-10T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possible double free/use after free in the SPS driver when debugfs logging is used.",
  "id": "GHSA-w945-7mfq-g3p5",
  "modified": "2022-05-17T00:32:28Z",
  "published": "2022-05-17T00:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9686"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2017-10-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101160"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC7F-HJQ2-JVV5

Vulnerability from github – Published: 2023-07-04 06:30 – Updated: 2024-04-04 05:22
VLAI
Details

Memory Corruption in Modem due to double free while parsing the PKCS15 sim files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-04T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Memory Corruption in Modem due to double free while parsing the PKCS15 sim files.",
  "id": "GHSA-wc7f-hjq2-jvv5",
  "modified": "2024-04-04T05:22:07Z",
  "published": "2023-07-04T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21629"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/july-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC89-RHM4-P2GC

Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02
VLAI
Details

In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-3845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-26T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.",
  "id": "GHSA-wc89-rhm4-p2gc",
  "modified": "2022-05-13T01:02:08Z",
  "published": "2022-05-13T01:02:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3845"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0528"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCCM-7WFC-H3W3

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:19Z",
    "severity": "HIGH"
  },
  "details": "Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-wccm-7wfc-h3w3",
  "modified": "2026-07-14T18:32:35Z",
  "published": "2026-07-14T18:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55132"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55132"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.