Common Weakness Enumeration

CWE-416

Allowed

Use After Free

Abstraction: Variant · Status: Stable

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

9821 vulnerabilities reference this CWE, most recent first.

GHSA-XCFF-Q6MV-V46W

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-30 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters

scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).

scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:31Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters\n\nscx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring\nscx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs.\nIf the loaded scheduler is disabled and freed (via RCU work) and another is\nenabled between the naked load and the rwsem acquire, the reader sees\nscx_cgroup_enabled=true (the new scheduler\u0027s) but dereferences the freed one\n- UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).\n\nscx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write\n(scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section\ncorrelates @sch with the enabled snapshot.",
  "id": "GHSA-xcff-q6mv-v46w",
  "modified": "2026-05-30T12:30:25Z",
  "published": "2026-05-28T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46154"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f54f6355575971673d8aac7da107ec4178e45bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/80afd4c84bc8f5e80145ce35279f5ce53f6043db"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce9aaa3af445c391735c9d000c4db60dfd5640d4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCG5-9P3P-FGRJ

Vulnerability from github – Published: 2026-02-14 18:30 – Updated: 2026-03-19 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

cgroup/dmem: avoid pool UAF

An UAF issue was observed:

BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527

CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260

Allocated by task 527:

Freed by task 0:

The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600)

The buggy address belongs to the physical page:

Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered. The current implementation frees the pool even if users still hold references to it (e.g., before uncharge operations complete).

This patch adds a reference counter to each pool, ensuring that a pool is only freed when its reference count drops to zero.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T17:15:57Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: avoid pool UAF\n\nAn UAF issue was observed:\n\nBUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150\nWrite of size 8 at addr ffff888106715440 by task insmod/527\n\nCPU: 4 UID: 0 PID: 527 Comm: insmod    6.19.0-rc7-next-20260129+ #11\nTainted: [O]=OOT_MODULE\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x82/0xd0\nkasan_report+0xca/0x100\nkasan_check_range+0x39/0x1c0\npage_counter_uncharge+0x65/0x150\ndmem_cgroup_uncharge+0x1f/0x260\n\nAllocated by task 527:\n\nFreed by task 0:\n\nThe buggy address belongs to the object at ffff888106715400\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 64 bytes inside of\nfreed 512-byte region [ffff888106715400, ffff888106715600)\n\nThe buggy address belongs to the physical page:\n\nMemory state around the buggy address:\nffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\t\t\t\t     ^\nffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\nffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThe issue occurs because a pool can still be held by a caller after its\nassociated memory region is unregistered. The current implementation frees\nthe pool even if users still hold references to it (e.g., before uncharge\noperations complete).\n\nThis patch adds a reference counter to each pool, ensuring that a pool is\nonly freed when its reference count drops to zero.",
  "id": "GHSA-xcg5-9p3p-fgrj",
  "modified": "2026-03-19T18:31:14Z",
  "published": "2026-02-14T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23195"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99a2ef500906138ba58093b9893972a5c303c734"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3081353acaa6a638dcf75726066ea556a2de8d5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCG6-3XH5-6M77

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-03 19:00
VLAI
Details

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4, Safari 15.5. Processing maliciously crafted web content may lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4, Safari 15.5. Processing maliciously crafted web content may lead to arbitrary code execution.",
  "id": "GHSA-xcg6-3xh5-6m77",
  "modified": "2022-11-03T19:00:28Z",
  "published": "2022-11-02T12:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26709"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213253"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213254"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213257"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213258"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCH5-V6MF-CVXJ

Vulnerability from github – Published: 2024-11-04 12:32 – Updated: 2024-11-04 12:32
VLAI
Details

Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T10:15:08Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption while invoking IOCTL calls from the use-space for HGSL memory node.",
  "id": "GHSA-xch5-v6mf-cvxj",
  "modified": "2024-11-04T12:32:56Z",
  "published": "2024-11-04T12:32:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38419"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCHM-7954-5WVG

Vulnerability from github – Published: 2026-02-24 15:30 – Updated: 2026-02-25 15:31
VLAI
Details

Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T14:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox \u003c 148, Firefox ESR \u003c 115.33, and Firefox ESR \u003c 140.8.",
  "id": "GHSA-xchm-7954-5wvg",
  "modified": "2026-02-25T15:31:37Z",
  "published": "2026-02-24T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2787"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014560"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-13"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-14"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-15"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-16"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCJ4-R8WQ-5RCC

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38
VLAI
Details

Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.",
  "id": "GHSA-xcj4-r8wq-5rcc",
  "modified": "2022-05-24T17:38:24Z",
  "published": "2022-05-24T17:38:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21106"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1148749"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202101-05"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4832"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XCJF-5V2R-GVC9

Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2026-07-16 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix link state exit during switch upstream function removal

Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free"), we would free the ASPM link only after the last function on the bus pertaining to the given link was removed.

That was too late. If function 0 is removed before sibling function, link->downstream would point to free'd memory after.

After above change, we freed the ASPM parent link state upon any function removal on the bus pertaining to a given link.

That is too early. If the link is to a PCIe switch with MFD on the upstream port, then removing functions other than 0 first would free a link which still remains parent_link to the remaining downstream ports.

The resulting GPFs are especially frequent during hot-unplug, because pciehp removes devices on the link bus in reverse order.

On that switch, function 0 is the virtual P2P bridge to the internal bus. Free exactly when function 0 is removed -- before the parent link is obsolete, but after all subordinate links are gone.

[kwilczynski: commit log]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-16T15:15:53Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix link state exit during switch upstream function removal\n\nBefore 456d8aa37d0f (\"PCI/ASPM: Disable ASPM on MFD function removal to\navoid use-after-free\"), we would free the ASPM link only after the last\nfunction on the bus pertaining to the given link was removed.\n\nThat was too late. If function 0 is removed before sibling function,\nlink-\u003edownstream would point to free\u0027d memory after.\n\nAfter above change, we freed the ASPM parent link state upon any function\nremoval on the bus pertaining to a given link.\n\nThat is too early. If the link is to a PCIe switch with MFD on the upstream\nport, then removing functions other than 0 first would free a link which\nstill remains parent_link to the remaining downstream ports.\n\nThe resulting GPFs are especially frequent during hot-unplug, because\npciehp removes devices on the link bus in reverse order.\n\nOn that switch, function 0 is the virtual P2P bridge to the internal bus.\nFree exactly when function 0 is removed -- before the parent link is\nobsolete, but after all subordinate links are gone.\n\n[kwilczynski: commit log]",
  "id": "GHSA-xcjf-5v2r-gvc9",
  "modified": "2026-07-16T12:31:42Z",
  "published": "2025-04-16T15:34:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58093"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a0f9aecf66b98959aab7fb5764b4b3e522f4f5b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4d96930239981f312821a4065db8cc0f8240a173"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/62db339ecc3d58d8fd83a9e4d80061cd943bb6e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b930ddc2044e36866c41423e89889e0258695a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba4cdc14c0d4df00d3e99bff7fe545303db98183"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbf937dcadfd571a434f8074d057b32cd14fbea5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd4b07507794f7ad1a74e12eca75121d98187e66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e5cd58f61e9d8024ee11bd78c12c8916891d4077"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f556b6ba0ac5f8353287ce6ed761228f0b4fafb7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCJW-33RW-V8V3

Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 18:31
VLAI
Details

Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T23:16:41Z",
    "severity": "HIGH"
  },
  "details": "Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)",
  "id": "GHSA-xcjw-33rw-v8v3",
  "modified": "2026-05-29T18:31:21Z",
  "published": "2026-05-29T00:38:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10002"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/513536416"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCMR-V73H-8G32

Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix UaF in listener shutdown

As reported by Christoph after having refactored the passive socket initialization, the mptcp listener shutdown path is prone to an UaF issue.

BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0 Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266

CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x6e/0x91 print_report+0x16a/0x46f kasan_report+0xad/0x130 kasan_check_range+0x14a/0x1a0 _raw_spin_lock_bh+0x73/0xe0 subflow_error_report+0x6d/0x110 sk_error_report+0x3b/0x190 tcp_disconnect+0x138c/0x1aa0 inet_child_forget+0x6f/0x2e0 inet_csk_listen_stop+0x209/0x1060 __mptcp_close_ssk+0x52d/0x610 mptcp_destroy_common+0x165/0x640 mptcp_destroy+0x13/0x80 __mptcp_destroy_sock+0xe7/0x270 __mptcp_close+0x70e/0x9b0 mptcp_close+0x2b/0x150 inet_release+0xe9/0x1f0 __sock_release+0xd2/0x280 sock_close+0x15/0x20 __fput+0x252/0xa20 task_work_run+0x169/0x250 exit_to_user_mode_prepare+0x113/0x120 syscall_exit_to_user_mode+0x1d/0x40 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc

The msk grace period can legitly expire in between the last reference count dropped in mptcp_subflow_queue_clean() and the later eventual access in inet_csk_listen_stop()

After the previous patch we don't need anymore special-casing msk listener socket cleanup: the mptcp worker will process each of the unaccepted msk sockets.

Just drop the now unnecessary code.

Please note this commit depends on the two parent ones:

mptcp: refactor passive socket initialization mptcp: use the workqueue to destroy unaccepted sockets

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix UaF in listener shutdown\n\nAs reported by Christoph after having refactored the passive\nsocket initialization, the mptcp listener shutdown path is prone\nto an UaF issue.\n\n  BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x73/0xe0\n  Write of size 4 at addr ffff88810cb23098 by task syz-executor731/1266\n\n  CPU: 1 PID: 1266 Comm: syz-executor731 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6e/0x91\n   print_report+0x16a/0x46f\n   kasan_report+0xad/0x130\n   kasan_check_range+0x14a/0x1a0\n   _raw_spin_lock_bh+0x73/0xe0\n   subflow_error_report+0x6d/0x110\n   sk_error_report+0x3b/0x190\n   tcp_disconnect+0x138c/0x1aa0\n   inet_child_forget+0x6f/0x2e0\n   inet_csk_listen_stop+0x209/0x1060\n   __mptcp_close_ssk+0x52d/0x610\n   mptcp_destroy_common+0x165/0x640\n   mptcp_destroy+0x13/0x80\n   __mptcp_destroy_sock+0xe7/0x270\n   __mptcp_close+0x70e/0x9b0\n   mptcp_close+0x2b/0x150\n   inet_release+0xe9/0x1f0\n   __sock_release+0xd2/0x280\n   sock_close+0x15/0x20\n   __fput+0x252/0xa20\n   task_work_run+0x169/0x250\n   exit_to_user_mode_prepare+0x113/0x120\n   syscall_exit_to_user_mode+0x1d/0x40\n   do_syscall_64+0x48/0x90\n   entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nThe msk grace period can legitly expire in between the last\nreference count dropped in mptcp_subflow_queue_clean() and\nthe later eventual access in inet_csk_listen_stop()\n\nAfter the previous patch we don\u0027t need anymore special-casing\nmsk listener socket cleanup: the mptcp worker will process each\nof the unaccepted msk sockets.\n\nJust drop the now unnecessary code.\n\nPlease note this commit depends on the two parent ones:\n\n  mptcp: refactor passive socket initialization\n  mptcp: use the workqueue to destroy unaccepted sockets",
  "id": "GHSA-xcmr-v73h-8g32",
  "modified": "2025-11-12T21:31:01Z",
  "published": "2025-05-02T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53088"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0a3f4f1f9c27215e4ddcd312558342e57b93e518"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f4f4cf5d32f10543deb946a37111e714579511e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5564be74a22a61855f8b8c100d8c4abb003bb792"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCQ8-M6WR-W65P

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:41Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-xcq8-m6wr-w65p",
  "modified": "2026-07-14T18:32:20Z",
  "published": "2026-07-14T18:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50396"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50396"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Language Selection

Choose a language that provides automatic memory management.

Mitigation
Implementation

Strategy: Attack Surface Reduction

When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.

No CAPEC attack patterns related to this CWE.