CWE-415
AllowedDouble Free
Abstraction: Variant · Status: Draft
The product calls free() twice on the same memory address.
965 vulnerabilities reference this CWE, most recent first.
GHSA-XF3Q-F592-RMGX
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the cloned pipe_buffer share the same smc_spd_priv *.
When both pipes are subsequently released, smc_rx_pipe_buf_release() is called twice against the same object:
1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]
KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which then escalates to a NULL-pointer dereference and kernel panic via smc_rx_update_consumer() when it chases the freed priv->smc pointer:
BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Kernel panic - not syncing: Fatal exception
Beyond the memory-safety problem, duplicating an SMC splice buffer is semantically questionable: smc_rx_update_cons() would advance the consumer cursor twice for the same data, corrupting receive-window accounting. A refcount on smc_spd_priv could fix the double-free, but the cursor-accounting issue would still need to be addressed separately.
The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; both will now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path.
{
"affected": [],
"aliases": [
"CVE-2026-31507"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:49Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private. The pipe_buf_operations for these\nbuffers used .get = generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer. The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]\n 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv-\u003esmc pointer:\n\n BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x650\n kasan_report+0xc6/0x100\n smc_rx_pipe_buf_release+0x78/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n Call Trace:\n \u003cTASK\u003e\n smc_rx_pipe_buf_release+0x121/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nBeyond the memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting. A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT. Users who need\nto duplicate SMC socket data must use a copy-based read path.",
"id": "GHSA-xf3q-f592-rmgx",
"modified": "2026-07-14T15:31:53Z",
"published": "2026-04-22T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31507"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/24dd586bb4cbba1889a50abe74143817a095c1c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cc76380fea749280c026f410af56a28aaac388a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/54c87a730157868543ebdfa0ecb21b4590ed23a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bcb974c771c863e8588cea0012ac204443a7126"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7e8916f46c2f48607f907fd401590093753a6bc5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/81acbd345d405994875d419d43b319fee0b9ad62"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98ba5cb274768146e25ffbfde47753652c1c20d3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ae5575e660410c8d2c5d38fb28a0f37aea945676"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG4R-75H7-2CGV
Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16jpegoptim.c in jpegoptim 1.4.5 (fixed in 1.4.6) has an invalid use of realloc() and free(), which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2018-11416"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-24T20:29:00Z",
"severity": "HIGH"
},
"details": "jpegoptim.c in jpegoptim 1.4.5 (fixed in 1.4.6) has an invalid use of realloc() and free(), which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.",
"id": "GHSA-xg4r-75h7-2cgv",
"modified": "2022-05-14T03:16:19Z",
"published": "2022-05-14T03:16:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11416"
},
{
"type": "WEB",
"url": "https://github.com/tjko/jpegoptim/issues/57"
},
{
"type": "WEB",
"url": "https://github.com/tjko/jpegoptim/blob/master/README"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGP4-8GX6-Q392
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01A double-Free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free situation to occur. An attacker can display a specially crafted image to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-14449"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-24T19:29:00Z",
"severity": "HIGH"
},
"details": "A double-Free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free situation to occur. An attacker can display a specially crafted image to trigger this vulnerability.",
"id": "GHSA-xgp4-8gx6-q392",
"modified": "2022-05-13T01:01:33Z",
"published": "2022-05-13T01:01:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14449"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201903-17"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4177"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0498"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGQR-WGH8-W4HW
Vulnerability from github – Published: 2022-05-14 01:31 – Updated: 2025-04-12 12:35Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2014-1767"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-07-08T22:55:00Z",
"severity": "HIGH"
},
"details": "Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka \"Ancillary Function Driver Elevation of Privilege Vulnerability.\"",
"id": "GHSA-xgqr-wgh8-w4hw",
"modified": "2025-04-12T12:35:29Z",
"published": "2022-05-14T01:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1767"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-040"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39446"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39525"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/59778"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/68394"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-14-220"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XGVC-C35W-MF28
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38087"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T17:15:44Z",
"severity": "HIGH"
},
"details": "SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability",
"id": "GHSA-xgvc-c35w-mf28",
"modified": "2024-07-09T18:30:52Z",
"published": "2024-07-09T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38087"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGXG-VMFC-H42H
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in double free of an allocated buffer that leads to a crash. An attacker could leverage this vulnerability to cause denial of service condition. (CNVD-C-2021-79295)
{
"affected": [],
"aliases": [
"CVE-2021-34333"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-13T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in JT2Go (All versions \u003c V13.2), Teamcenter Visualization (All versions \u003c V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in double free of an allocated buffer that leads to a crash. An attacker could leverage this vulnerability to cause denial of service condition. (CNVD-C-2021-79295)",
"id": "GHSA-xgxg-vmfc-h42h",
"modified": "2022-05-24T19:07:37Z",
"published": "2022-05-24T19:07:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34333"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-483182.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XH5P-RM5R-7F82
Vulnerability from github – Published: 2025-05-13 00:31 – Updated: 2025-11-03 21:33A double free issue was addressed with improved memory management. This issue is fixed in iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6. An app may be able to cause unexpected system termination.
{
"affected": [],
"aliases": [
"CVE-2025-31235"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-12T22:15:23Z",
"severity": "MODERATE"
},
"details": "A double free issue was addressed with improved memory management. This issue is fixed in iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6. An app may be able to cause unexpected system termination.",
"id": "GHSA-xh5p-rm5r-7f82",
"modified": "2025-11-03T21:33:53Z",
"published": "2025-05-13T00:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31235"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122405"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122716"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122717"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122718"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/6"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHM7-3CGH-G3G7
Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2022-05-14 01:29Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chrome 41.0.2251.0 allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file.
{
"affected": [],
"aliases": [
"CVE-2015-1207"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-06T18:29:00Z",
"severity": "MODERATE"
},
"details": "Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chrome 41.0.2251.0 allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file.",
"id": "GHSA-xhm7-3cgh-g3g7",
"modified": "2022-05-14T01:29:12Z",
"published": "2022-05-14T01:29:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1207"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/chromium/issues/detail?id=444539"
},
{
"type": "WEB",
"url": "https://gist.github.com/bittorrent3389/8fee7cdaa73d1d351ee9"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJFC-F2RJ-H2HM
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-27 15:30In the Linux kernel, the following vulnerability has been resolved:
xfrm: iptfs: only publish mode_data after clone setup
iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_data pointing at freed memory.
The xfrm clone unwind later runs destroy_state() through x->mode_data, so the failed clone path tears down IPTFS state that clone_state() already freed.
Keep the cloned IPTFS state private until all allocations succeed so failed clones leave x->mode_data unset. The destroy path already handles a NULL mode_data pointer.
{
"affected": [],
"aliases": [
"CVE-2026-31471"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:16:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: only publish mode_data after clone setup\n\niptfs_clone_state() stores x-\u003emode_data before allocating the reorder\nwindow. If that allocation fails, the code frees the cloned state and\nreturns -ENOMEM, leaving x-\u003emode_data pointing at freed memory.\n\nThe xfrm clone unwind later runs destroy_state() through x-\u003emode_data,\nso the failed clone path tears down IPTFS state that clone_state()\nalready freed.\n\nKeep the cloned IPTFS state private until all allocations succeed so\nfailed clones leave x-\u003emode_data unset. The destroy path already\nhandles a NULL mode_data pointer.",
"id": "GHSA-xjfc-f2rj-h2hm",
"modified": "2026-04-27T15:30:38Z",
"published": "2026-04-22T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31471"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/371a43c4ac70cac0de9f9b1fc5b1660b9565b9f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5784a1e2889c9525a8f036cb586930e232170bf7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d849a2f7309fc0616e79d13b008b0a47e0458b6e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJV4-5HJM-MW83
Vulnerability from github – Published: 2022-01-14 00:02 – Updated: 2023-05-27 06:30The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ilst_box_read function in box_code_apple.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2021-40571"
],
"database_specific": {
"cwe_ids": [
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-13T18:15:00Z",
"severity": "HIGH"
},
"details": "The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ilst_box_read function in box_code_apple.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.",
"id": "GHSA-xjv4-5hjm-mw83",
"modified": "2023-05-27T06:30:38Z",
"published": "2022-01-14T00:02:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40571"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/issues/1895"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/a69b567b8c95c72f9560c873c5ab348be058f340"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5411"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Mitigation
Use a static analysis tool to find double free instances.
No CAPEC attack patterns related to this CWE.