CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9807 vulnerabilities reference this CWE, most recent first.
GHSA-XVXW-65R3-5RCF
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-15 21:30Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages.
Physical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.
{
"affected": [],
"aliases": [
"CVE-2026-41158"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:50Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages.\n\n\n\nPhysical memory allocated and freed, without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource.",
"id": "GHSA-xvxw-65r3-5rcf",
"modified": "2026-06-15T21:30:32Z",
"published": "2026-06-13T00:34:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41158"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XVXX-VRH7-XH3V
Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2025-04-20 03:36A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2017-5031"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-24T23:59:00Z",
"severity": "HIGH"
},
"details": "A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.",
"id": "GHSA-xvxx-vrh7-xh3v",
"modified": "2025-04-20T03:36:50Z",
"published": "2022-05-14T03:19:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5031"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1328762"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/682020"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201704-02"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2017-14"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0499.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3810"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96767"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98326"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XW54-M5G5-FQCG
Vulnerability from github – Published: 2025-09-16 18:31 – Updated: 2025-12-02 00:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free
Fix potential use-after-free in l2cap_le_command_rej.
{
"affected": [],
"aliases": [
"CVE-2023-53305"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T17:15:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free\n\nFix potential use-after-free in l2cap_le_command_rej.",
"id": "GHSA-xw54-m5g5-fqcg",
"modified": "2025-12-02T00:31:10Z",
"published": "2025-09-16T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53305"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/149daab45922ab1ac7f0cbeacab7251a46bf5e63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a40c56e8bff3e424724d78a9a6b3272dd8a371d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/255be68150291440657b2cdb09420b69441af3d8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/548a6b64b3c0688f01119a6fcccceb41f8c984e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e76bab1b7afa580cd76362540fc37551ada4359b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f752a0b334bb95fe9b42ecb511e0864e2768046f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe49aa73cca6608714477b74bfc6874b9db979df"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XW76-QW2J-V4FP
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-28 00:00Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1311"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in shell in Google Chrome on ChromeOS prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-xw76-qw2j-v4fp",
"modified": "2022-07-28T00:00:48Z",
"published": "2022-07-26T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1311"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1310717"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XW77-7RCC-VW8Q
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-8581"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:20Z",
"severity": "HIGH"
},
"details": "Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-xw77-7rcc-vw8q",
"modified": "2026-05-14T21:30:47Z",
"published": "2026-05-14T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8581"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/497292072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWF4-4P9V-22FP
Vulnerability from github – Published: 2025-08-11 06:30 – Updated: 2025-08-11 06:30in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free.
{
"affected": [],
"aliases": [
"CVE-2025-24298"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-11T04:15:33Z",
"severity": "HIGH"
},
"details": "in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free.",
"id": "GHSA-xwf4-4p9v-22fp",
"modified": "2025-08-11T06:30:30Z",
"published": "2025-08-11T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24298"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-07.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWQP-VX4G-WQCC
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 12:31Use after free in XML in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-9947"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:52Z",
"severity": "HIGH"
},
"details": "Use after free in XML in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-xwqp-vx4g-wqcc",
"modified": "2026-05-29T12:31:24Z",
"published": "2026-05-29T00:38:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9947"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/503627446"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWRF-HHX9-VMHV
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-09-23 21:30In the Linux kernel, the following vulnerability has been resolved:
RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests
The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice.
CPU 1 CPU 2
rdma_resolve_addr(): RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1
process_one_req(): for #1
addr_handler():
RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND
mutex_unlock(&id_priv->handler_mutex);
[.. handler still running ..]
rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list
rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel()
// process_one_req() self removes it
spin_lock_bh(&lock);
cancel_delayed_work(&req->work);
if (!list_empty(&req->list)) == true
! rdma_addr_cancel() returns after process_on_req #1 is done
kfree(id_priv)
process_one_req(): for #2
addr_handler():
mutex_lock(&id_priv->handler_mutex);
!! Use after free on id_priv
rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the req_list can have two reqs for the same "handle" but rdma_addr_cancel() only cancels the first one.
The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers.
Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.
{
"affected": [],
"aliases": [
"CVE-2021-47391"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:24Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\n\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\n\n CPU 1 CPU 2\n\nrdma_resolve_addr():\n RDMA_CM_IDLE -\u003e RDMA_CM_ADDR_QUERY\n rdma_resolve_ip(addr_handler) #1\n\n\t\t\t process_one_req(): for #1\n addr_handler():\n RDMA_CM_ADDR_QUERY -\u003e RDMA_CM_ADDR_BOUND\n mutex_unlock(\u0026id_priv-\u003ehandler_mutex);\n [.. handler still running ..]\n\nrdma_resolve_addr():\n RDMA_CM_ADDR_BOUND -\u003e RDMA_CM_ADDR_QUERY\n rdma_resolve_ip(addr_handler)\n !! two requests are now on the req_list\n\nrdma_destroy_id():\n destroy_id_handler_unlock():\n _destroy_id():\n cma_cancel_operation():\n rdma_addr_cancel()\n\n // process_one_req() self removes it\n\t\t spin_lock_bh(\u0026lock);\n cancel_delayed_work(\u0026req-\u003ework);\n\t if (!list_empty(\u0026req-\u003elist)) == true\n\n ! rdma_addr_cancel() returns after process_on_req #1 is done\n\n kfree(id_priv)\n\n\t\t\t process_one_req(): for #2\n addr_handler():\n\t mutex_lock(\u0026id_priv-\u003ehandler_mutex);\n !! Use after free on id_priv\n\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\n\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\n\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn\u0027t cost anything in the normal flow\nthat never uses this strange error path.",
"id": "GHSA-xwrf-hhx9-vmhv",
"modified": "2025-09-23T21:30:53Z",
"published": "2024-05-21T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47391"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/03d884671572af8bcfbc9e63944c1021efce7589"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/305d568b72f17f674155a2a8275f865f207b3808"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9a085fa9b7d644a234465091e038c1911e1a4f2a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XWVH-FXHH-3QRR
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-01-14 18:31In the Linux kernel, the following vulnerability has been resolved:
net: sched: flower: protect fl_walk() with rcu
Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul() also removed rcu protection of individual filters which causes following use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain rcu read lock while iterating and taking the filter reference and temporary release the lock while calling arg->fn() callback that can sleep.
KASAN trace:
[ 352.773640] ================================================================== [ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower] [ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987
[ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2 [ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 352.781022] Call Trace: [ 352.781573] dump_stack_lvl+0x46/0x5a [ 352.782332] print_address_description.constprop.0+0x1f/0x140 [ 352.783400] ? fl_walk+0x159/0x240 [cls_flower] [ 352.784292] ? fl_walk+0x159/0x240 [cls_flower] [ 352.785138] kasan_report.cold+0x83/0xdf [ 352.785851] ? fl_walk+0x159/0x240 [cls_flower] [ 352.786587] kasan_check_range+0x145/0x1a0 [ 352.787337] fl_walk+0x159/0x240 [cls_flower] [ 352.788163] ? fl_put+0x10/0x10 [cls_flower] [ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.790102] tcf_chain_dump+0x231/0x450 [ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170 [ 352.791833] ? __might_sleep+0x2e/0xc0 [ 352.792594] ? tfilter_notify+0x170/0x170 [ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.794477] tc_dump_tfilter+0x385/0x4b0 [ 352.795262] ? tc_new_tfilter+0x1180/0x1180 [ 352.796103] ? __mod_node_page_state+0x1f/0xc0 [ 352.796974] ? __build_skb_around+0x10e/0x130 [ 352.797826] netlink_dump+0x2c0/0x560 [ 352.798563] ? netlink_getsockopt+0x430/0x430 [ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220 [ 352.800542] __netlink_dump_start+0x356/0x440 [ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550 [ 352.802190] ? tc_new_tfilter+0x1180/0x1180 [ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.803668] ? tc_new_tfilter+0x1180/0x1180 [ 352.804344] ? _copy_from_iter_nocache+0x800/0x800 [ 352.805202] ? kasan_set_track+0x1c/0x30 [ 352.805900] netlink_rcv_skb+0xc6/0x1f0 [ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0 [ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 352.808324] ? netlink_ack+0x4d0/0x4d0 [ 352.809086] ? netlink_deliver_tap+0x62/0x3d0 [ 352.809951] netlink_unicast+0x353/0x480 [ 352.810744] ? netlink_attachskb+0x430/0x430 [ 352.811586] ? __alloc_skb+0xd7/0x200 [ 352.812349] netlink_sendmsg+0x396/0x680 [ 352.813132] ? netlink_unicast+0x480/0x480 [ 352.813952] ? __import_iovec+0x192/0x210 [ 352.814759] ? netlink_unicast+0x480/0x480 [ 352.815580] sock_sendmsg+0x6c/0x80 [ 352.816299] _syssendmsg+0x3a5/0x3c0 [ 352.817096] ? kernel_sendmsg+0x30/0x30 [ 352.817873] ? ia32_sys_recvmmsg+0x150/0x150 [ 352.818753] syssendmsg+0xd8/0x140 [ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110 [ 352.820402] ? _sys_recvmsg+0xf4/0x1a0 [ 352.821110] ? __copy_msghdr_from_user+0x260/0x260 [ 352.821934] ? _raw_spin_lock+0x81/0xd0 [ 352.822680] ? __handle_mm_fault+0xef3/0x1b20 [ 352.823549] ? rb_insert_color+0x2a/0x270 [ 352.824373] ? copy_page_range+0x16b0/0x16b0 [ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0 [ 352.826190] ? __fget_light+0xd9/0xf0 [ 352.826941] __sys_sendmsg+0xb3/0x130 [ 352.827613] ? __sys_sendmsg_sock+0x20/0x20 [ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0 [ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60 [ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160 [ 352.830845] do_syscall_64+0x35/0x80 [ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 352.832331] RIP: 0033:0x7f7bee973c17 [ ---truncated---
{
"affected": [],
"aliases": [
"CVE-2021-47402"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:25Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: flower: protect fl_walk() with rcu\n\nPatch that refactored fl_walk() to use idr_for_each_entry_continue_ul()\nalso removed rcu protection of individual filters which causes following\nuse-after-free when filter is deleted concurrently. Fix fl_walk() to obtain\nrcu read lock while iterating and taking the filter reference and temporary\nrelease the lock while calling arg-\u003efn() callback that can sleep.\n\nKASAN trace:\n\n[ 352.773640] ==================================================================\n[ 352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower]\n[ 352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987\n\n[ 352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2\n[ 352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 352.781022] Call Trace:\n[ 352.781573] dump_stack_lvl+0x46/0x5a\n[ 352.782332] print_address_description.constprop.0+0x1f/0x140\n[ 352.783400] ? fl_walk+0x159/0x240 [cls_flower]\n[ 352.784292] ? fl_walk+0x159/0x240 [cls_flower]\n[ 352.785138] kasan_report.cold+0x83/0xdf\n[ 352.785851] ? fl_walk+0x159/0x240 [cls_flower]\n[ 352.786587] kasan_check_range+0x145/0x1a0\n[ 352.787337] fl_walk+0x159/0x240 [cls_flower]\n[ 352.788163] ? fl_put+0x10/0x10 [cls_flower]\n[ 352.789007] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[ 352.790102] tcf_chain_dump+0x231/0x450\n[ 352.790878] ? tcf_chain_tp_delete_empty+0x170/0x170\n[ 352.791833] ? __might_sleep+0x2e/0xc0\n[ 352.792594] ? tfilter_notify+0x170/0x170\n[ 352.793400] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[ 352.794477] tc_dump_tfilter+0x385/0x4b0\n[ 352.795262] ? tc_new_tfilter+0x1180/0x1180\n[ 352.796103] ? __mod_node_page_state+0x1f/0xc0\n[ 352.796974] ? __build_skb_around+0x10e/0x130\n[ 352.797826] netlink_dump+0x2c0/0x560\n[ 352.798563] ? netlink_getsockopt+0x430/0x430\n[ 352.799433] ? __mutex_unlock_slowpath.constprop.0+0x220/0x220\n[ 352.800542] __netlink_dump_start+0x356/0x440\n[ 352.801397] rtnetlink_rcv_msg+0x3ff/0x550\n[ 352.802190] ? tc_new_tfilter+0x1180/0x1180\n[ 352.802872] ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[ 352.803668] ? tc_new_tfilter+0x1180/0x1180\n[ 352.804344] ? _copy_from_iter_nocache+0x800/0x800\n[ 352.805202] ? kasan_set_track+0x1c/0x30\n[ 352.805900] netlink_rcv_skb+0xc6/0x1f0\n[ 352.806587] ? rht_deferred_worker+0x6b0/0x6b0\n[ 352.807455] ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[ 352.808324] ? netlink_ack+0x4d0/0x4d0\n[ 352.809086] ? netlink_deliver_tap+0x62/0x3d0\n[ 352.809951] netlink_unicast+0x353/0x480\n[ 352.810744] ? netlink_attachskb+0x430/0x430\n[ 352.811586] ? __alloc_skb+0xd7/0x200\n[ 352.812349] netlink_sendmsg+0x396/0x680\n[ 352.813132] ? netlink_unicast+0x480/0x480\n[ 352.813952] ? __import_iovec+0x192/0x210\n[ 352.814759] ? netlink_unicast+0x480/0x480\n[ 352.815580] sock_sendmsg+0x6c/0x80\n[ 352.816299] ____sys_sendmsg+0x3a5/0x3c0\n[ 352.817096] ? kernel_sendmsg+0x30/0x30\n[ 352.817873] ? __ia32_sys_recvmmsg+0x150/0x150\n[ 352.818753] ___sys_sendmsg+0xd8/0x140\n[ 352.819518] ? sendmsg_copy_msghdr+0x110/0x110\n[ 352.820402] ? ___sys_recvmsg+0xf4/0x1a0\n[ 352.821110] ? __copy_msghdr_from_user+0x260/0x260\n[ 352.821934] ? _raw_spin_lock+0x81/0xd0\n[ 352.822680] ? __handle_mm_fault+0xef3/0x1b20\n[ 352.823549] ? rb_insert_color+0x2a/0x270\n[ 352.824373] ? copy_page_range+0x16b0/0x16b0\n[ 352.825209] ? perf_event_update_userpage+0x2d0/0x2d0\n[ 352.826190] ? __fget_light+0xd9/0xf0\n[ 352.826941] __sys_sendmsg+0xb3/0x130\n[ 352.827613] ? __sys_sendmsg_sock+0x20/0x20\n[ 352.828377] ? do_user_addr_fault+0x2c5/0x8a0\n[ 352.829184] ? fpregs_assert_state_consistent+0x52/0x60\n[ 352.830001] ? exit_to_user_mode_prepare+0x32/0x160\n[ 352.830845] do_syscall_64+0x35/0x80\n[ 352.831445] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 352.832331] RIP: 0033:0x7f7bee973c17\n[ \n---truncated---",
"id": "GHSA-xwvh-fxhh-3qrr",
"modified": "2025-01-14T18:31:49Z",
"published": "2024-05-21T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47402"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/694b0cee7f8546b69a80996a29cb3cf4149c0453"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0d520c19e7ea19ed38dc5797b12397b6ccf9f88"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5ef190693a7d76c5c192d108e8dec48307b46ee"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dab4677bdbffa5c8270e79e34e51c89efa0728a0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XX49-HMRJ-2WM5
Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.
{
"affected": [],
"aliases": [
"CVE-2022-32914"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T20:15:00Z",
"severity": "HIGH"
},
"details": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16. An app may be able to execute arbitrary code with kernel privileges.",
"id": "GHSA-xx49-hmrj-2wm5",
"modified": "2022-11-02T19:00:28Z",
"published": "2022-11-02T12:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32914"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213443"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213444"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213446"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213486"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213487"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.