CWE-459
AllowedIncomplete Cleanup
Abstraction: Base · Status: Draft
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
223 vulnerabilities reference this CWE, most recent first.
GHSA-VRR6-JM4R-HQVP
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-05-01 15:31A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2022-3238"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A double-free flaw was found in the Linux kernel\u2019s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"id": "GHSA-vrr6-jm4r-hqvp",
"modified": "2025-05-01T15:31:31Z",
"published": "2023-07-06T19:24:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3238"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127927"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VVFR-G83F-8QCV
Vulnerability from github – Published: 2026-04-22 00:31 – Updated: 2026-04-22 00:31nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.
{
"affected": [],
"aliases": [
"CVE-2026-6830"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T22:16:20Z",
"severity": "MODERATE"
},
"details": "nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys and other sensitive secrets from one profile context in another profile, breaking expected security isolation between profiles.",
"id": "GHSA-vvfr-g83f-8qcv",
"modified": "2026-04-22T00:31:40Z",
"published": "2026-04-22T00:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6830"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/pull/351"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/commit/88dc8bbe26a6055161d3251b70f5cd3d3c5831b0"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.12"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.50.132"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nesquena-hermes-webui-environment-variable-credential-leakage-via-profile-switch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W3R7-9RRF-88PM
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2022-08-27 00:00PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties.
{
"affected": [],
"aliases": [
"CVE-2022-37428"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-23T17:15:00Z",
"severity": "MODERATE"
},
"details": "PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties.",
"id": "GHSA-w3r7-9rrf-88pm",
"modified": "2022-08-27T00:00:42Z",
"published": "2022-08-24T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37428"
},
{
"type": "WEB",
"url": "https://docs.powerdns.com/recursor/lua-config/protobuf.html"
},
{
"type": "WEB",
"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-02.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXSREJKTT6RNE3GXQENQ4R4HS37UNSPX"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W5FV-HHFV-34JM
Vulnerability from github – Published: 2024-08-21 09:31 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Cleanup partial engine discovery failures
If we abort driver initialisation in the middle of gt/engine discovery, some engines will be fully setup and some not. Those incompletely setup engines only have 'engine->release == NULL' and so will leak any of the common objects allocated.
v2: - Drop the destroy_pinned_context() helper for now. It's not really worth it with just a single callsite at the moment. (Janusz)
{
"affected": [],
"aliases": [
"CVE-2022-48893"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-21T07:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Cleanup partial engine discovery failures\n\nIf we abort driver initialisation in the middle of gt/engine discovery,\nsome engines will be fully setup and some not. Those incompletely setup\nengines only have \u0027engine-\u003erelease == NULL\u0027 and so will leak any of the\ncommon objects allocated.\n\nv2:\n - Drop the destroy_pinned_context() helper for now. It\u0027s not really\n worth it with just a single callsite at the moment. (Janusz)",
"id": "GHSA-w5fv-hhfv-34jm",
"modified": "2025-11-03T21:31:11Z",
"published": "2024-08-21T09:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48893"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78350c36fb15afef423404a83dcbc5c558dce795"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7d21587d35bc816c85a51b8686f0f7e8e676fb14"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9MF-MF4G-64QG
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Incomplete cleanup in some Intel(R) PROSet/Wireless WiFi and Killer (TM) drivers before version 22.0 may allow a privileged user to potentially enable information disclosure and denial of service via adjacent access.
{
"affected": [],
"aliases": [
"CVE-2020-24458"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-17T14:15:00Z",
"severity": "MODERATE"
},
"details": "Incomplete cleanup in some Intel(R) PROSet/Wireless WiFi and Killer (TM) drivers before version 22.0 may allow a privileged user to potentially enable information disclosure and denial of service\u003cb\u003e\u0026nbsp;\u003c/b\u003evia adjacent access.",
"id": "GHSA-w9mf-mf4g-64qg",
"modified": "2022-05-24T17:42:27Z",
"published": "2022-05-24T17:42:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24458"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00448.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WCF9-3WR2-8WMF
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros.
{
"affected": [],
"aliases": [
"CVE-2020-13451"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-07T22:15:00Z",
"severity": "CRITICAL"
},
"details": "An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros.",
"id": "GHSA-wcf9-3wr2-8wmf",
"modified": "2022-05-24T17:38:10Z",
"published": "2022-05-24T17:38:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13451"
},
{
"type": "WEB",
"url": "https://github.com/thecodingmachine/gotenberg/issues/199"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160744/Gotenberg-6.2.0-Traversal-Code-Execution-Insecure-Permissions.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WF6C-43PG-H78X
Vulnerability from github – Published: 2024-06-25 15:31 – Updated: 2024-06-25 15:31Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction
{
"affected": [],
"aliases": [
"CVE-2024-6300"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T13:15:50Z",
"severity": "LOW"
},
"details": "Incomplete cleanup when performing redactions in Conduit, allowing an attacker to check whether certain strings were present in the PDU before redaction",
"id": "GHSA-wf6c-43pg-h78x",
"modified": "2024-06-25T15:31:08Z",
"published": "2024-06-25T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6300"
},
{
"type": "WEB",
"url": "https://conduit.rs/changelog/#v0-8-0-2024-06-12"
},
{
"type": "WEB",
"url": "https://gitlab.com/famedly/conduit/-/releases/v0.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGGJ-8RCC-246R
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2025-03-17 15:31In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup
The commit 8b45a26f2ba9 ("drm/msm/dpu: reserve cdm blocks for writeback in case of YUV output") introduced a smatch warning about another conditional block in dpu_encoder_helper_phys_cleanup() which had assumed hw_pp will always be valid which may not necessarily be true.
Lets fix the other conditional block by making sure hw_pp is valid before dereferencing it.
Patchwork: https://patchwork.freedesktop.org/patch/574878/
{
"affected": [],
"aliases": [
"CVE-2024-26667"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup\n\nThe commit 8b45a26f2ba9 (\"drm/msm/dpu: reserve cdm blocks for writeback\nin case of YUV output\") introduced a smatch warning about another\nconditional block in dpu_encoder_helper_phys_cleanup() which had assumed\nhw_pp will always be valid which may not necessarily be true.\n\nLets fix the other conditional block by making sure hw_pp is valid\nbefore dereferencing it.\n\nPatchwork: https://patchwork.freedesktop.org/patch/574878/",
"id": "GHSA-wggj-8rcc-246r",
"modified": "2025-03-17T15:31:38Z",
"published": "2024-04-02T09:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26667"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/79592a6e7bdc1d05460c95f891f5e5263a107af8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb4f56f3ff5799ca754ae6d811803a63fe25a4a2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb8bfc6ea3cd8c5ac3d35711d064e2f6646aec17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WGJJ-5RJM-4R22
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19Insufficiently quick clearing of stale rendered content in Navigation in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-17467"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-14T15:29:00Z",
"severity": "MODERATE"
},
"details": "Insufficiently quick clearing of stale rendered content in Navigation in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.",
"id": "GHSA-wgjj-5rjm-4r22",
"modified": "2022-05-13T01:19:26Z",
"published": "2022-05-13T01:19:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17467"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3004"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/844881"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-10"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4330"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105666"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WHGH-PJ7M-GM7P
Vulnerability from github – Published: 2023-06-20 18:30 – Updated: 2024-04-04 04:59Improper deletion of resource in the user management feature in Devolutions Server 2023.1.8 and earlier allows an administrator to view users vaults of deleted users via database access.
{
"affected": [],
"aliases": [
"CVE-2023-2400"
],
"database_specific": {
"cwe_ids": [
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-20T17:15:09Z",
"severity": "LOW"
},
"details": "Improper deletion of resource in the user management feature in Devolutions Server 2023.1.8 and earlier allows an administrator to view users vaults of deleted users via database access.\n\n",
"id": "GHSA-whgh-pj7m-gm7p",
"modified": "2024-04-04T04:59:02Z",
"published": "2023-06-20T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2400"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2023-0014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.
No CAPEC attack patterns related to this CWE.