CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-W6PP-P9R9-CVM4
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-26 00:30In the Linux kernel, the following vulnerability has been resolved:
i2c: core: Fix double-free of fwnode in i2c_unregister_device()
Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device"), i2c_unregister_device() only called fwnode_handle_put() on of_node-s in the form of calling of_node_put(client->dev.of_node).
But after this commit the i2c_client's fwnode now unconditionally gets fwnode_handle_put() on it.
When the i2c_client has no primary (ACPI / OF) fwnode but it does have a software fwnode, the software-node will be the primary node and fwnode_handle_put() will put() it.
But for the software fwnode device_remove_software_node() will also put() it leading to a double free:
[ 82.665598] ------------[ cut here ]------------ [ 82.665609] refcount_t: underflow; use-after-free. [ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11 ... [ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110 ... [ 82.666962] [ 82.666971] i2c_unregister_device+0x60/0x90
Fix this by not calling fwnode_handle_put() when the primary fwnode is a software-node.
{
"affected": [],
"aliases": [
"CVE-2025-38682"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T16:15:35Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: core: Fix double-free of fwnode in i2c_unregister_device()\n\nBefore commit df6d7277e552 (\"i2c: core: Do not dereference fwnode in struct\ndevice\"), i2c_unregister_device() only called fwnode_handle_put() on\nof_node-s in the form of calling of_node_put(client-\u003edev.of_node).\n\nBut after this commit the i2c_client\u0027s fwnode now unconditionally gets\nfwnode_handle_put() on it.\n\nWhen the i2c_client has no primary (ACPI / OF) fwnode but it does have\na software fwnode, the software-node will be the primary node and\nfwnode_handle_put() will put() it.\n\nBut for the software fwnode device_remove_software_node() will also put()\nit leading to a double free:\n\n[ 82.665598] ------------[ cut here ]------------\n[ 82.665609] refcount_t: underflow; use-after-free.\n[ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11\n...\n[ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110\n...\n[ 82.666962] \u003cTASK\u003e\n[ 82.666971] i2c_unregister_device+0x60/0x90\n\nFix this by not calling fwnode_handle_put() when the primary fwnode is\na software-node.",
"id": "GHSA-w6pp-p9r9-cvm4",
"modified": "2025-11-26T00:30:16Z",
"published": "2025-09-05T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38682"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ffe02f7c4e36090154646612e67d331832f92037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6RG-W5MQ-2RVV
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-59505"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T18:15:36Z",
"severity": "HIGH"
},
"details": "Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-w6rg-w5mq-2rvv",
"modified": "2025-11-11T18:30:20Z",
"published": "2025-11-11T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59505"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W7C8-V5H2-32FF
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
{
"affected": [],
"aliases": [
"CVE-2020-36318"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-11T20:15:00Z",
"severity": "CRITICAL"
},
"details": "In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.",
"id": "GHSA-w7c8-v5h2-32ff",
"modified": "2022-05-24T17:47:04Z",
"published": "2022-05-24T17:47:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36318"
},
{
"type": "WEB",
"url": "https://github.com/rust-lang/rust/issues/79808"
},
{
"type": "WEB",
"url": "https://github.com/rust-lang/rust/pull/79814"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W88P-XVMW-FXGG
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.
{
"affected": [],
"aliases": [
"CVE-2019-20633"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-25T17:15:00Z",
"severity": "MODERATE"
},
"details": "GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.",
"id": "GHSA-w88p-xvmw-fxgg",
"modified": "2022-05-24T17:12:37Z",
"published": "2022-05-24T17:12:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20633"
},
{
"type": "WEB",
"url": "https://savannah.gnu.org/bugs/index.php?56683"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W8WP-RV4W-H5PP
Vulnerability from github – Published: 2023-02-28 18:30 – Updated: 2025-03-21 21:31Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
{
"affected": [],
"aliases": [
"CVE-2023-27320"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-28T18:15:00Z",
"severity": "HIGH"
},
"details": "Sudo before 1.9.13p2 has a double free in the per-command chroot feature.",
"id": "GHSA-w8wp-rv4w-h5pp",
"modified": "2025-03-21T21:31:33Z",
"published": "2023-02-28T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27320"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/332KN4QI6QXB7NI7SWSJ2EQJKWIILFN6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLXMRAMXC3BYL4DNKVTK3V6JDMUXZ7B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6VW24YGXJYI4NZ5HZPQCF4MCE7766AU"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-12"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230413-0009"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/02/28/1"
},
{
"type": "WEB",
"url": "https://www.sudo.ws/releases/stable/#1.9.13p2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/03/01/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8XW-FCH8-G9JQ
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix double uncharge the mem of sk_msg
If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed.
tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free()
The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error.
This issue can cause the following info: WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30
{
"affected": [],
"aliases": [
"CVE-2022-49205"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:57Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix double uncharge the mem of sk_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation, psock may be\nfreed.\n\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n sk_msg_return()\n tcp_bpf_sendmsg_redir()\n unlikely(!psock))\n sk_msg_free()\n\nThe mem of msg has been uncharged in tcp_bpf_send_verdict() by\nsk_msg_return(), and would be uncharged by sk_msg_free() again. When psock\nis null, we can simply returning an error code, this would then trigger\nthe sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have\nthe side effect of throwing an error up to user space. This would be a\nslight change in behavior from user side but would look the same as an\nerror if the redirect on the socket threw an error.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n \u003cTASK\u003e\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e",
"id": "GHSA-w8xw-fch8-g9jq",
"modified": "2025-09-22T21:30:15Z",
"published": "2025-09-22T21:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49205"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd84ea3920aef936c559b63099ef0013ce6b2325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W945-7MFQ-G3P5
Vulnerability from github – Published: 2022-05-17 00:32 – Updated: 2022-05-17 00:32In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possible double free/use after free in the SPS driver when debugfs logging is used.
{
"affected": [],
"aliases": [
"CVE-2017-9686"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T20:29:00Z",
"severity": "HIGH"
},
"details": "In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, there is a possible double free/use after free in the SPS driver when debugfs logging is used.",
"id": "GHSA-w945-7mfq-g3p5",
"modified": "2022-05-17T00:32:28Z",
"published": "2022-05-17T00:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9686"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2017-10-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101160"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC7F-HJQ2-JVV5
Vulnerability from github – Published: 2023-07-04 06:30 – Updated: 2024-04-04 05:22Memory Corruption in Modem due to double free while parsing the PKCS15 sim files.
{
"affected": [],
"aliases": [
"CVE-2023-21629"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-04T05:15:10Z",
"severity": "MODERATE"
},
"details": "Memory Corruption in Modem due to double free while parsing the PKCS15 sim files.",
"id": "GHSA-wc7f-hjq2-jvv5",
"modified": "2024-04-04T05:22:07Z",
"published": "2023-07-04T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21629"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/july-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC89-RHM4-P2GC
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.
{
"affected": [],
"aliases": [
"CVE-2018-3845"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-26T20:29:00Z",
"severity": "HIGH"
},
"details": "In Hyland Perceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux, a crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.",
"id": "GHSA-wc89-rhm4-p2gc",
"modified": "2022-05-13T01:02:08Z",
"published": "2022-05-13T01:02:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3845"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0528"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WCCM-7WFC-H3W3
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2026-55132"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:19Z",
"severity": "HIGH"
},
"details": "Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally.",
"id": "GHSA-wccm-7wfc-h3w3",
"modified": "2026-07-14T18:32:35Z",
"published": "2026-07-14T18:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55132"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55132"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.