Common Weakness Enumeration

CWE-826

Allowed

Premature Release of Resource During Expected Lifetime

Abstraction: Base · Status: Incomplete

The product releases a resource that is still intended to be used by itself or another actor.

14 vulnerabilities reference this CWE, most recent first.

GHSA-C7GF-37RM-RPG6

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-07-14 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix use-after-free in iomap inline data write path

The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area.

The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use.

[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-826"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:15Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in iomap inline data write path\n\nThe inline data buffer head (dibh) is being released prematurely in\ngfs2_iomap_begin() via release_metapath() while iomap-\u003einline_data\nstill points to dibh-\u003eb_data. This causes a use-after-free when\niomap_write_end_inline() later attempts to write to the inline data\narea.\n\nThe bug sequence:\n1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode\n   metadata into dibh\n2. Sets iomap-\u003einline_data = dibh-\u003eb_data + sizeof(struct gfs2_dinode)\n3. Calls release_metapath() which calls brelse(dibh), dropping refcount\n   to 0\n4. kswapd reclaims the page (~39ms later in the syzbot report)\n5. iomap_write_end_inline() tries to memcpy() to iomap-\u003einline_data\n6. KASAN detects use-after-free write to freed memory\n\nFix by storing dibh in iomap-\u003eprivate and incrementing its refcount\nwith get_bh() in gfs2_iomap_begin(). The buffer is then properly\nreleased in gfs2_iomap_end() after the inline write completes,\nensuring the page stays alive for the entire iomap operation.\n\nNote: A C reproducer is not available for this issue. The fix is based\non analysis of the KASAN report and code review showing the buffer head\nis freed before use.\n\n[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid\nleaks in gfs2_iomap_get() and gfs2_iomap_alloc().]",
  "id": "GHSA-c7gf-37rm-rpg6",
  "modified": "2026-07-14T12:31:12Z",
  "published": "2026-05-27T15:33:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45984"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45984.json"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481922"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45984"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:38902"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36767"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:35894"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:33743"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27789"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJ34-CRXV-J5MG

Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-06-30 03:37
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Clean up DMABUFs before disabling function

On device shutdown, make vfio_pci_core_close_device() call vfio_pci_dma_buf_cleanup() before the function is disabled via vfio_pci_core_disable(). This ensures that all access via DMABUFs is revoked before the function's BARs become inaccessible.

This fixes an issue where, if the function is disabled first, a tiny window exists in which the function's MSE is cleared and yet BARs could still be accessed via the DMABUF. The resources would also be freed and up for grabs by a different driver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-826"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T20:17:25Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Clean up DMABUFs before disabling function\n\nOn device shutdown, make vfio_pci_core_close_device() call\nvfio_pci_dma_buf_cleanup() before the function is disabled via\nvfio_pci_core_disable().  This ensures that all access via DMABUFs is\nrevoked before the function\u0027s BARs become inaccessible.\n\nThis fixes an issue where, if the function is disabled first, a tiny\nwindow exists in which the function\u0027s MSE is cleared and yet BARs\ncould still be accessed via the DMABUF.  The resources would also be\nfreed and up for grabs by a different driver.",
  "id": "GHSA-rj34-crxv-j5mg",
  "modified": "2026-06-30T03:37:14Z",
  "published": "2026-06-26T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53322"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-53322"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493709"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f1000a30f67cf7d328059242776a858611d5ef9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d97708701434ce72968e771976aaf9d3438fcafd"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53322.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V4M9-VRGR-8XM2

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-30 03:36
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown.

Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn.

For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-826"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:45Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: hold dev ref until after transport_finish NF_HOOK\n\nAfter async crypto completes, xfrm_input_resume() calls dev_put()\nimmediately on re-entry before the skb reaches transport_finish.\nThe skb-\u003edev pointer is then used inside NF_HOOK and its okfn,\nwhich can race with device teardown.\n\nRemove the dev_put from the async resumption entry and instead\ndrop the reference after the NF_HOOK call in transport_finish,\nusing a saved device pointer since NF_HOOK may consume the skb.\nThis covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip\nthe okfn.\n\nFor non-transport exits (decaps, gro, drop) and secondary\nasync return points, release the reference inline when\nasync is set.",
  "id": "GHSA-v4m9-vrgr-8xm2",
  "modified": "2026-06-30T03:36:24Z",
  "published": "2026-04-24T15:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31663"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31663"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461462"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f451b43c88bf2b9c038b414be580efee42e031b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1c428b03840094410c5fb6a5db30640486bbbfcb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4236c30b437b80f673b9e08c8fae38b8d471ac9e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5002beda5cac69d522dc54da0d5d463ed9c963d2"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31663.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMWQ-H234-5C33

Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2024-12-06 18:30
VLAI
Details

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a feature that could enable attackers to invalidate a legitimate user's session and cause a denial-of-service attack on a user's account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-826"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T18:15:25Z",
    "severity": "HIGH"
  },
  "details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x contains a feature that could enable attackers to invalidate a legitimate user\u0027s session and cause a denial-of-service attack on a user\u0027s account.",
  "id": "GHSA-wmwq-h234-5c33",
  "modified": "2024-12-06T18:30:46Z",
  "published": "2024-12-06T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51727"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.