CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9811 vulnerabilities reference this CWE, most recent first.
GHSA-XRHF-CCCW-CPM8
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
ext4: fix timer use-after-free on failed mount
Syzbot has found an ODEBUG bug in ext4_fill_super
The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi).
When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called.
Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
{
"affected": [],
"aliases": [
"CVE-2024-49960"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:17Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix timer use-after-free on failed mount\n\nSyzbot has found an ODEBUG bug in ext4_fill_super\n\nThe del_timer_sync function cancels the s_err_report timer,\nwhich reminds about filesystem errors daily. We should\nguarantee the timer is no longer active before kfree(sbi).\n\nWhen filesystem mounting fails, the flow goes to failed_mount3,\nwhere an error occurs when ext4_stop_mmpd is called, causing\na read I/O failure. This triggers the ext4_handle_error function\nthat ultimately re-arms the timer,\nleaving the s_err_report timer active before kfree(sbi) is called.\n\nFix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.",
"id": "GHSA-xrhf-cccw-cpm8",
"modified": "2025-11-04T00:31:43Z",
"published": "2024-10-21T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49960"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ce160c5bdb67081a62293028dc85758a8efb22a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22e9b83f0f33bc5a7a3181769d1dccbf021f5b04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7aac0c17a8cdf4a3236991c1e60435c6a984076c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9203817ba46ebba7c865c8de2aba399537b6e891"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b85569585d0154d4db1e4f9e3e6a4731d407feb0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf3196e5e2f36cd80dab91ffae402e13935724bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa78fb51d396f4f2f80f8e96a3b1516f394258be"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRJ4-4G3M-87PF
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net: rose: convert 'use' field to refcount_t
The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths.
For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues.
This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically.
{
"affected": [],
"aliases": [
"CVE-2025-39826"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T13:16:02Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically.",
"id": "GHSA-xrj4-4g3m-87pf",
"modified": "2026-07-14T15:31:27Z",
"published": "2025-09-16T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39826"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRMP-X8VM-QCMH
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: remove station if connection prep fails
If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.
This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.
{
"affected": [],
"aliases": [
"CVE-2026-46125"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs.",
"id": "GHSA-xrmp-x8vm-qcmh",
"modified": "2026-06-30T03:36:51Z",
"published": "2026-05-28T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46125"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46125.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18fed0a209500bfea5c4c08609ec93855e4e500b"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482608"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46125"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRP3-WPHR-647X
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 15:30Use after free in GFX in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-9936"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:51Z",
"severity": "HIGH"
},
"details": "Use after free in GFX in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-xrp3-wphr-647x",
"modified": "2026-05-29T15:30:31Z",
"published": "2026-05-29T00:38:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9936"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/502104354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRV4-RVR5-75GV
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-10890"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:50Z",
"severity": "HIGH"
},
"details": "Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical)",
"id": "GHSA-xrv4-rvr5-75gv",
"modified": "2026-06-05T03:31:30Z",
"published": "2026-06-05T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10890"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513136593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRVJ-3VX6-WWH7
Vulnerability from github – Published: 2024-03-15 21:30 – Updated: 2025-02-27 03:33In the Linux kernel, the following vulnerability has been resolved:
net/tls: Fix use-after-free after the TLS device goes down and up
When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context.
This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode.
On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets.
The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del).
A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver).
{
"affected": [],
"aliases": [
"CVE-2021-47131"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-15T21:15:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: Fix use-after-free after the TLS device goes down and up\n\nWhen a netdev with active TLS offload goes down, tls_device_down is\ncalled to stop the offload and tear down the TLS context. However, the\nsocket stays alive, and it still points to the TLS context, which is now\ndeallocated. If a netdev goes up, while the connection is still active,\nand the data flow resumes after a number of TCP retransmissions, it will\nlead to a use-after-free of the TLS context.\n\nThis commit addresses this bug by keeping the context alive until its\nnormal destruction, and implements the necessary fallbacks, so that the\nconnection can resume in software (non-offloaded) kTLS mode.\n\nOn the TX side tls_sw_fallback is used to encrypt all packets. The RX\nside already has all the necessary fallbacks, because receiving\nnon-decrypted packets is supported. The thing needed on the RX side is\nto block resync requests, which are normally produced after receiving\nnon-decrypted packets.\n\nThe necessary synchronization is implemented for a graceful teardown:\nfirst the fallbacks are deployed, then the driver resources are released\n(it used to be possible to have a tls_dev_resync after tls_dev_del).\n\nA new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback\nmode. It\u0027s used to skip the RX resync logic completely, as it becomes\nuseless, and some objects may be released (for example, resync_async,\nwhich is allocated and freed by the driver).",
"id": "GHSA-xrvj-3vx6-wwh7",
"modified": "2025-02-27T03:33:55Z",
"published": "2024-03-15T21:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47131"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f1e6fe66977a864fe850522316f713d7b926fd9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f1d4184f128dede82a59a841658ed40d4e6d3aa2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRW7-56RH-2JRQ
Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
usb: musb: sunxi: Fix accessing an released usb phy
Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit") will cause that usb phy @glue->xceiv is accessed after released.
1) register platform driver @sunxi_musb_driver // get the usb phy @glue->xceiv sunxi_musb_probe() -> devm_usb_get_phy().
2) register and unregister platform driver @musb_driver musb_probe() -> sunxi_musb_init() use the phy here //the phy is released here musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()
3) register @musb_driver again musb_probe() -> sunxi_musb_init() use the phy here but the phy has been released at 2). ...
Fixed by reverting the commit, namely, removing devm_usb_put_phy() from sunxi_musb_exit().
{
"affected": [],
"aliases": [
"CVE-2024-50269"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T02:16:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: sunxi: Fix accessing an released usb phy\n\nCommit 6ed05c68cbca (\"usb: musb: sunxi: Explicitly release USB PHY on\nexit\") will cause that usb phy @glue-\u003exceiv is accessed after released.\n\n1) register platform driver @sunxi_musb_driver\n// get the usb phy @glue-\u003exceiv\nsunxi_musb_probe() -\u003e devm_usb_get_phy().\n\n2) register and unregister platform driver @musb_driver\nmusb_probe() -\u003e sunxi_musb_init()\nuse the phy here\n//the phy is released here\nmusb_remove() -\u003e sunxi_musb_exit() -\u003e devm_usb_put_phy()\n\n3) register @musb_driver again\nmusb_probe() -\u003e sunxi_musb_init()\nuse the phy here but the phy has been released at 2).\n...\n\nFixed by reverting the commit, namely, removing devm_usb_put_phy()\nfrom sunxi_musb_exit().",
"id": "GHSA-xrw7-56rh-2jrq",
"modified": "2025-11-04T00:32:03Z",
"published": "2024-11-19T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50269"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/498dbd9aea205db9da674994b74c7bf8e18448bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4aa77d5ea9944468e16c3eed15e858fd5de44de1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/63559ba8077cbadae1c92a65b73ea522bf377dd9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e2848d1c8c0139161e69ac0a94133e90e9988e8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/721ddad945596220c123eb6f7126729fe277ee4f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8a30da5aa9609663b3e05bcc91a916537f66a4cd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b08baa75b989cf779cbfa0969681f8ba2dc46569"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ccd811c304d2ee56189bfbc49302cb3c44361893"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XV26-933M-66H2
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the style attribute of FileAttachment annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5026.
{
"affected": [],
"aliases": [
"CVE-2017-14834"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-20T14:29:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the style attribute of FileAttachment annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5026.",
"id": "GHSA-xv26-933m-66h2",
"modified": "2022-05-13T01:37:35Z",
"published": "2022-05-13T01:37:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14834"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://zerodayinitiative.com/advisories/ZDI-17-878"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XV38-PH7H-P3QW
Vulnerability from github – Published: 2022-01-15 00:01 – Updated: 2022-01-22 00:02Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-44704"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "HIGH"
},
"details": "Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by a use-after-free vulnerability in the processing of Format event actions that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-xv38-ph7h-p3qw",
"modified": "2022-01-22T00:02:02Z",
"published": "2022-01-15T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44704"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-01.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XV5C-VG59-HJ7X
Vulnerability from github – Published: 2025-06-11 09:30 – Updated: 2025-06-11 09:30There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses.
This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.
{
"affected": [],
"aliases": [
"CVE-2025-5991"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-11T08:15:22Z",
"severity": "LOW"
},
"details": "There is a \"Use After Free\" vulnerability in Qt\u0027s QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a\n POST request and the simultaneous handling of HTTP error responses.\n\nThis issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.",
"id": "GHSA-xv5c-vg59-hj7x",
"modified": "2025-06-11T09:30:32Z",
"published": "2025-06-11T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5991"
},
{
"type": "WEB",
"url": "https://codereview.qt-project.org/c/qt/qtbase/+/643777"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.