Common Weakness Enumeration

CWE-415

Allowed

Double Free

Abstraction: Variant · Status: Draft

The product calls free() twice on the same memory address.

965 vulnerabilities reference this CWE, most recent first.

GHSA-XM3X-2CX4-FH5J

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In DrmManagerService::~DrmManagerService() of DrmManagerService.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155647761

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In DrmManagerService::~DrmManagerService() of DrmManagerService.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155647761",
  "id": "GHSA-xm3x-2cx4-fh5j",
  "modified": "2022-05-24T17:36:26Z",
  "published": "2022-05-24T17:36:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0483"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XP2H-P3FR-J2J5

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-12-16 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

parisc: Fix double SIGFPE crash

Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately.

When the T bit is set, an assist exception trap occurs when when the co-processor encounters any floating-point instruction except for a double store of register %fr0. The latter cancels all pending traps. Let's fix this by clearing the Trap (T) bit in the FP status register before returning to the signal handler in userspace.

The issue can be reproduced with this test program:

root@parisc:~# cat fpe.c

static void fpe_func(int sig, siginfo_t i, void v) { sigset_t set; sigemptyset(&set); sigaddset(&set, SIGFPE); sigprocmask(SIG_UNBLOCK, &set, NULL); printf("GOT signal %d with si_code %ld\n", sig, i->si_code); }

int main() { struct sigaction action = { .sa_sigaction = fpe_func, .sa_flags = SA_RESTART|SA_SIGINFO }; sigaction(SIGFPE, &action, 0); feenableexcept(FE_OVERFLOW); return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308); }

root@parisc:~# gcc fpe.c -lm root@parisc:~# ./a.out Floating point exception

root@parisc:~# strace -f ./a.out execve("./a.out", ["./a.out"], 0xf9ac7034 / 20 vars /) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0 ... rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} --- --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} --- +++ killed by SIGFPE +++ Floating point exception

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T18:15:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix double SIGFPE crash\n\nCamm noticed that on parisc a SIGFPE exception will crash an application with\na second SIGFPE in the signal handler.  Dave analyzed it, and it happens\nbecause glibc uses a double-word floating-point store to atomically update\nfunction descriptors. As a result of lazy binding, we hit a floating-point\nstore in fpe_func almost immediately.\n\nWhen the T bit is set, an assist exception trap occurs when when the\nco-processor encounters *any* floating-point instruction except for a double\nstore of register %fr0.  The latter cancels all pending traps.  Let\u0027s fix this\nby clearing the Trap (T) bit in the FP status register before returning to the\nsignal handler in userspace.\n\nThe issue can be reproduced with this test program:\n\nroot@parisc:~# cat fpe.c\n\nstatic void fpe_func(int sig, siginfo_t *i, void *v) {\n        sigset_t set;\n        sigemptyset(\u0026set);\n        sigaddset(\u0026set, SIGFPE);\n        sigprocmask(SIG_UNBLOCK, \u0026set, NULL);\n        printf(\"GOT signal %d with si_code %ld\\n\", sig, i-\u003esi_code);\n}\n\nint main() {\n        struct sigaction action = {\n                .sa_sigaction = fpe_func,\n                .sa_flags = SA_RESTART|SA_SIGINFO };\n        sigaction(SIGFPE, \u0026action, 0);\n        feenableexcept(FE_OVERFLOW);\n        return printf(\"%lf\\n\",1.7976931348623158E308*1.7976931348623158E308);\n}\n\nroot@parisc:~# gcc fpe.c -lm\nroot@parisc:~# ./a.out\n Floating point exception\n\nroot@parisc:~# strace -f ./a.out\n execve(\"./a.out\", [\"./a.out\"], 0xf9ac7034 /* 20 vars */) = 0\n getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0\n ...\n rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0\n --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---\n --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---\n +++ killed by SIGFPE +++\n Floating point exception",
  "id": "GHSA-xp2h-p3fr-j2j5",
  "modified": "2025-12-16T21:30:49Z",
  "published": "2025-05-20T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37991"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a1aff3616b3b57aa4a5f8a7762cce1e82493fe6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a098c51d18ec99485668da44294565c43dbc106"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c639af49e9e5615a8395981eaf5943fb40acd6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/757ba4d17b868482837c566cfefca59e2296c608"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cf21e890f56b7d0038ddaf25224e4f4c69ecd143"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de3629baf5a33af1919dec7136d643b0662e85ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df3592e493d7f29bae4ffde9a9325de50ddf962e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP4F-MW6J-JXM8

Vulnerability from github – Published: 2026-05-12 18:30 – Updated: 2026-05-12 18:30
VLAI
Details

Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T18:16:38Z",
    "severity": "MODERATE"
  },
  "details": "Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-xp4f-mw6j-jxm8",
  "modified": "2026-05-12T18:30:40Z",
  "published": "2026-05-12T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21530"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP4H-Q65R-X2PM

Vulnerability from github – Published: 2024-12-04 12:31 – Updated: 2024-12-04 12:31
VLAI
Details

Double-Free Vulnerability in uD3TN BPv7 Caused by Malformed Endpoint Identifier allows remote attacker to reliably cause DoS

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-04T11:15:05Z",
    "severity": "HIGH"
  },
  "details": "Double-Free Vulnerability in uD3TN BPv7 Caused by Malformed Endpoint Identifier allows remote attacker to reliably cause DoS",
  "id": "GHSA-xp4h-q65r-x2pm",
  "modified": "2024-12-04T12:31:45Z",
  "published": "2024-12-04T12:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12107"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/d3tn/ud3tn/-/issues/233"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPHW-CQX3-667J

Vulnerability from github – Published: 2026-04-15 19:24 – Updated: 2026-05-05 15:43
VLAI
Summary
thin-vec: Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics
Details

Summary

A Double Free / Use-After-Free (UAF) vulnerability has been identified in the IntoIter::drop and ThinVec::clear implementations of the thin_vec crate. Both vulnerabilities share the same root cause and can trigger memory corruption using only safe Rust code — no unsafe blocks required. Undefined Behavior has been confirmed via Miri and AddressSanitizer (ASAN).


Details

Both vulnerabilities share the same root cause. When a panic occurs during sequential element deallocation, the subsequent length cleanup code (set_len(0)) is never executed. During stack unwinding, the container is dropped again, causing already-freed memory to be re-freed (Double Free / UAF).

Vulnerability 1 — IntoIter::drop

Location: thin-vec/src/lib.rs L.2308~2314

IntoIter::drop transfers ownership of the internal buffer via mem::replace, then sequentially frees elements via ptr::drop_in_place. If a panic occurs during element deallocation, set_len_non_singleton(0) is never reached. During unwinding, vec is dropped again, re-freeing already-freed elements. The standard library's std::vec::IntoIter prevents this with a DropGuard pattern, but thin-vec lacks this defense.

// Problematic structure (conceptual representation)
impl<T> Drop for IntoIter<T> {
    fn drop(&mut self) {
        let mut vec = mem::replace(&mut self.vec, ThinVec::new());
        unsafe {
            ptr::drop_in_place(vec.remaining_slice_mut()); // ← panic may occur here
            vec.set_len_non_singleton(0);                  // ← unreachable on panic
        }
        // During unwinding, vec is dropped again → Double Free
    }
}

Vulnerability 2 — ThinVec::clear

clear() calls ptr::drop_in_place(&mut self[..]) followed by self.set_len(0) to reset the length. If a panic occurs during element deallocation, set_len(0) is never executed. When the ThinVec itself is subsequently dropped, already-freed elements are freed again.

// Problematic structure (conceptual representation)
pub fn clear(&mut self) {
    unsafe {
        ptr::drop_in_place(&mut self[..]); // ← panic may occur here
        self.set_len(0);                   // ← unreachable on panic
    }
    // ThinVec drop later → Double Free
}

Recommended Fix

Both vulnerabilities can be resolved with the same pattern:

  • DropGuard pattern: Insert an RAII guard before drop_in_place to guarantee set_len(0) is called regardless of panic
  • Pre-zeroing approach: Set the length to 0 before calling drop_in_place

PoC

Requirements: Rust nightly toolchain, thin-vec = "0.2.14"

# Miri
cargo +nightly miri run

# ASAN
RUSTFLAGS="-Z sanitizer=address" cargo +nightly run --release

PoC-1: IntoIter::drop

use thin_vec::ThinVec;

struct PanicBomb(String);

impl Drop for PanicBomb {
    fn drop(&mut self) {
        if self.0 == "panic" {
            panic!("panic!");
        }
        println!("Dropping: {}", self.0);
    }
}

fn main() {
    let mut v = ThinVec::new();
    v.push(PanicBomb(String::from("normal1")));
    v.push(PanicBomb(String::from("panic")));  // trigger element
    v.push(PanicBomb(String::from("normal2")));

    let mut iter = v.into_iter();
    iter.next();
    // When iter is dropped: panic occurs at "panic" element
    // → During unwinding, Double Drop is triggered on "normal1" (already freed)
}

Miri output:

error: Undefined Behavior: pointer not dereferenceable:
       alloc227 has been freed, so this pointer is dangling

stack backtrace:
   3: <PanicBomb as Drop>::drop           ← Double Drop entry
   6: <ThinVec<T> as Drop>::drop::drop_non_singleton
   9: <IntoIter<T> as Drop>::drop::drop_non_singleton  ← lib.rs:2310 (root cause)

ASAN output:

==66150==ERROR: AddressSanitizer: heap-use-after-free on address 0x7afa685e0010
READ of size 7 at 0x7afa685e0010
    #0 memcpy
    #4 drop_in_place::<PanicBomb>        ← Double Drop entry point
    #5 <ThinVec as Drop>::drop::drop_non_singleton
    #6 <IntoIter as Drop>::drop::drop_non_singleton

PoC-2: ThinVec::clear

use thin_vec::ThinVec;
use std::panic;

struct Poison(Box<usize>, &'static str);

impl Drop for Poison {
    fn drop(&mut self) {
        if self.1 == "panic" {
            panic!("panic!");
        }
        println!("Dropping: {}", self.0);
    }
}

fn main() {
    let mut v = ThinVec::new();
    v.push(Poison(Box::new(1), "normal1")); // index 0
    v.push(Poison(Box::new(2), "panic"));   // index 1 → panic triggered here
    v.push(Poison(Box::new(3), "normal2")); // index 2

    let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| {
        v.clear();
        // panic occurs at "panic" element during clear()
        // → set_len(0) is never called
        // → already-freed elements are re-freed when v goes out of scope
    }));
}

Impact

Vulnerability classification: - CWE-415: Double Free - CWE-416: Use-After-Free

Affected code: All code satisfying the following conditions simultaneously:

  1. ThinVec stores heap-owning types (String, Vec, Box, etc.)
  2. (Vulnerability 1) An iterator is created via into_iter() and dropped before being fully consumed, or (Vulnerability 2) clear() is called while a remaining element's Drop implementation can panic
  3. The Drop implementation of a remaining element triggers a panic

Additionally, when combined with Box<dyn Trait> types, an exploit primitive enabling Arbitrary Code Execution (ACE) via heap spray and vtable hijacking has been confirmed. If the freed fat pointer slot (16 bytes) at the point of Double Drop is reclaimed by an attacker-controlled fake vtable, subsequent Drop calls can be redirected to attacker-controlled code.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "thin-vec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:24:54Z",
    "nvd_published_at": "2026-04-20T11:16:19Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA **Double Free / Use-After-Free (UAF)** vulnerability has been identified in the `IntoIter::drop` and `ThinVec::clear` implementations of the `thin_vec` crate.\nBoth vulnerabilities share the same root cause and can trigger memory corruption using only safe Rust code \u2014 no `unsafe` blocks required.\nUndefined Behavior has been confirmed via **Miri** and **AddressSanitizer (ASAN)**.\n\n---\n\n### Details\n\nBoth vulnerabilities share the same root cause. When a **panic occurs** during sequential element deallocation, the subsequent length cleanup code (`set_len(0)`) is never executed. During stack unwinding, the container is dropped again, causing already-freed memory to be re-freed (Double Free / UAF).\n\n#### Vulnerability 1 \u2014 `IntoIter::drop`\n\n**Location:** `thin-vec/src/lib.rs` L.2308~2314\n\n`IntoIter::drop` transfers ownership of the internal buffer via `mem::replace`, then sequentially frees elements via `ptr::drop_in_place`.\nIf a panic occurs during element deallocation, `set_len_non_singleton(0)` is never reached. During unwinding, `vec` is dropped again, re-freeing already-freed elements.\nThe standard library\u0027s `std::vec::IntoIter` prevents this with a **DropGuard pattern**, but thin-vec lacks this defense.\n\n```rust\n// Problematic structure (conceptual representation)\nimpl\u003cT\u003e Drop for IntoIter\u003cT\u003e {\n    fn drop(\u0026mut self) {\n        let mut vec = mem::replace(\u0026mut self.vec, ThinVec::new());\n        unsafe {\n            ptr::drop_in_place(vec.remaining_slice_mut()); // \u2190 panic may occur here\n            vec.set_len_non_singleton(0);                  // \u2190 unreachable on panic\n        }\n        // During unwinding, vec is dropped again \u2192 Double Free\n    }\n}\n```\n\n#### Vulnerability 2 \u2014 `ThinVec::clear`\n\n`clear()` calls `ptr::drop_in_place(\u0026mut self[..])` followed by `self.set_len(0)` to reset the length.\nIf a panic occurs during element deallocation, `set_len(0)` is never executed. When the `ThinVec` itself is subsequently dropped, already-freed elements are freed again.\n\n```rust\n// Problematic structure (conceptual representation)\npub fn clear(\u0026mut self) {\n    unsafe {\n        ptr::drop_in_place(\u0026mut self[..]); // \u2190 panic may occur here\n        self.set_len(0);                   // \u2190 unreachable on panic\n    }\n    // ThinVec drop later \u2192 Double Free\n}\n```\n\n#### Recommended Fix\n\nBoth vulnerabilities can be resolved with the same pattern:\n\n- **DropGuard pattern:** Insert an RAII guard before `drop_in_place` to guarantee `set_len(0)` is called regardless of panic\n- **Pre-zeroing approach:** Set the length to 0 before calling `drop_in_place`\n\n---\n\n### PoC\n\n**Requirements:** Rust nightly toolchain, `thin-vec = \"0.2.14\"`\n\n```bash\n# Miri\ncargo +nightly miri run\n\n# ASAN\nRUSTFLAGS=\"-Z sanitizer=address\" cargo +nightly run --release\n```\n\n#### PoC-1: `IntoIter::drop`\n\n```rust\nuse thin_vec::ThinVec;\n\nstruct PanicBomb(String);\n\nimpl Drop for PanicBomb {\n    fn drop(\u0026mut self) {\n        if self.0 == \"panic\" {\n            panic!(\"panic!\");\n        }\n        println!(\"Dropping: {}\", self.0);\n    }\n}\n\nfn main() {\n    let mut v = ThinVec::new();\n    v.push(PanicBomb(String::from(\"normal1\")));\n    v.push(PanicBomb(String::from(\"panic\")));  // trigger element\n    v.push(PanicBomb(String::from(\"normal2\")));\n\n    let mut iter = v.into_iter();\n    iter.next();\n    // When iter is dropped: panic occurs at \"panic\" element\n    // \u2192 During unwinding, Double Drop is triggered on \"normal1\" (already freed)\n}\n```\n\n**Miri output:**\n```\nerror: Undefined Behavior: pointer not dereferenceable:\n       alloc227 has been freed, so this pointer is dangling\n\nstack backtrace:\n   3: \u003cPanicBomb as Drop\u003e::drop           \u2190 Double Drop entry\n   6: \u003cThinVec\u003cT\u003e as Drop\u003e::drop::drop_non_singleton\n   9: \u003cIntoIter\u003cT\u003e as Drop\u003e::drop::drop_non_singleton  \u2190 lib.rs:2310 (root cause)\n```\n\n**ASAN output:**\n```\n==66150==ERROR: AddressSanitizer: heap-use-after-free on address 0x7afa685e0010\nREAD of size 7 at 0x7afa685e0010\n    #0 memcpy\n    #4 drop_in_place::\u003cPanicBomb\u003e        \u2190 Double Drop entry point\n    #5 \u003cThinVec as Drop\u003e::drop::drop_non_singleton\n    #6 \u003cIntoIter as Drop\u003e::drop::drop_non_singleton\n```\n\n#### PoC-2: `ThinVec::clear`\n\n```rust\nuse thin_vec::ThinVec;\nuse std::panic;\n\nstruct Poison(Box\u003cusize\u003e, \u0026\u0027static str);\n\nimpl Drop for Poison {\n    fn drop(\u0026mut self) {\n        if self.1 == \"panic\" {\n            panic!(\"panic!\");\n        }\n        println!(\"Dropping: {}\", self.0);\n    }\n}\n\nfn main() {\n    let mut v = ThinVec::new();\n    v.push(Poison(Box::new(1), \"normal1\")); // index 0\n    v.push(Poison(Box::new(2), \"panic\"));   // index 1 \u2192 panic triggered here\n    v.push(Poison(Box::new(3), \"normal2\")); // index 2\n\n    let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| {\n        v.clear();\n        // panic occurs at \"panic\" element during clear()\n        // \u2192 set_len(0) is never called\n        // \u2192 already-freed elements are re-freed when v goes out of scope\n    }));\n}\n```\n\n---\n\n### Impact\n\n**Vulnerability classification:**\n- CWE-415: Double Free\n- CWE-416: Use-After-Free\n\n**Affected code:** All code satisfying the following conditions simultaneously:\n\n1. `ThinVec` stores heap-owning types (`String`, `Vec`, `Box`, etc.)\n2. (Vulnerability 1) An iterator is created via `into_iter()` and dropped before being fully consumed, or\n   (Vulnerability 2) `clear()` is called while a remaining element\u0027s `Drop` implementation can panic\n3. The `Drop` implementation of a remaining element triggers a panic\n\nAdditionally, when combined with `Box\u003cdyn Trait\u003e` types, an exploit primitive enabling Arbitrary Code Execution (ACE) via heap spray and vtable hijacking has been confirmed. If the freed fat pointer slot (16 bytes) at the point of Double Drop is reclaimed by an attacker-controlled fake vtable, subsequent Drop calls can be redirected to attacker-controlled code.",
  "id": "GHSA-xphw-cqx3-667j",
  "modified": "2026-05-05T15:43:14Z",
  "published": "2026-04-15T19:24:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/thin-vec/security/advisories/GHSA-xphw-cqx3-667j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6654"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mozilla/thin-vec"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0103.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "thin-vec: Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics"
}

GHSA-XQ96-F7X8-GFX3

Vulnerability from github – Published: 2026-06-30 09:31 – Updated: 2026-06-30 18:31
VLAI
Details

A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T07:16:32Z",
    "severity": "HIGH"
  },
  "details": "A double free issue has been identified in libarchive\u0027s RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.",
  "id": "GHSA-xq96-f7x8-gfx3",
  "modified": "2026-06-30T18:31:36Z",
  "published": "2026-06-30T09:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14164"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libarchive/libarchive/issues/3069"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libarchive/libarchive/pull/3071"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30333"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-14164"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XR5G-JRQ4-W3J4

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-09-20 00:30
VLAI
Details

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-22T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.",
  "id": "GHSA-xr5g-jrq4-w3j4",
  "modified": "2023-09-20T00:30:14Z",
  "published": "2022-05-24T17:07:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/issues/742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV2M-P78G-CM3M

Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-07-08 06:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix double free and use-after-free in aux device error paths

When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or idpf_plug_core_aux_dev(), the err_aux_dev_add label calls auxiliary_device_uninit() and falls through to err_aux_dev_init. The uninit call will trigger put_device(), which invokes the release callback (idpf_vport_adev_release / idpf_core_adev_release) that frees iadev. The fall-through then reads adev->id from the freed iadev for ida_free() and double-frees iadev with kfree().

Free the IDA slot and clear the back-pointer before uninit, while adev is still valid, then return immediately.

Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") fixed the same use-after-free in the matching unplug path in this file but missed both probe error paths.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T20:17:21Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix double free and use-after-free in aux device error paths\n\nWhen auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or\nidpf_plug_core_aux_dev(), the err_aux_dev_add label calls\nauxiliary_device_uninit() and falls through to err_aux_dev_init.  The\nuninit call will trigger put_device(), which invokes the release\ncallback (idpf_vport_adev_release / idpf_core_adev_release) that frees\niadev.  The fall-through then reads adev-\u003eid from the freed iadev for\nida_free() and double-frees iadev with kfree().\n\nFree the IDA slot and clear the back-pointer before uninit, while adev\nis still valid, then return immediately.\n\nCommit 65637c3a1811 (\"idpf: fix UAF in RDMA core aux dev deinitialization\")\nfixed the same use-after-free in the matching unplug path in this file but\nmissed both probe error paths.",
  "id": "GHSA-xv2m-p78g-cm3m",
  "modified": "2026-07-08T06:31:35Z",
  "published": "2026-06-26T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53286"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c77b9510829a424d1b74409b7db9456e3522871"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/722b91d5086a249318c9d0e2b36aeac80ba8c808"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f319de7074e1728a9f9ff7134257360c694ec2b2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV82-93GJ-H8JQ

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:47
VLAI
Details

Possibility of double free issue while running multiple instances of smp2p test because of proper protection is missing while using global variable in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-2247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-24T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Possibility of double free issue while running multiple instances of smp2p test because of proper protection is missing while using global variable in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24",
  "id": "GHSA-xv82-93gj-h8jq",
  "modified": "2024-04-04T00:47:51Z",
  "published": "2022-05-24T16:46:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2247"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2019/04/01/april-2019-code-aurora-security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVCG-HV6H-729G

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2025-04-11 12:31
VLAI
Details

PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-18T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file.",
  "id": "GHSA-xvcg-hv6h-729g",
  "modified": "2025-04-11T12:31:38Z",
  "published": "2022-05-13T01:28:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/upx/upx/issues/206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/upx/upx/issues/207"
    },
    {
      "type": "WEB",
      "url": "https://github.com/upx/upx/blob/devel/NEWS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUTVSTXAFTD552NO2K2RIF6MDQEHP3BE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D7XU42G6MUQQXHWRP7DCF2JSIBOJ5GOO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EUTVSTXAFTD552NO2K2RIF6MDQEHP3BE"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Choose a language that provides automatic memory management.

Mitigation
Implementation

Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.

Mitigation
Implementation

Use a static analysis tool to find double free instances.

No CAPEC attack patterns related to this CWE.