CWE-416— Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.— MITRE CWE catalog
7,398 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-416page 108 of 148
- CVE-2025-21436HIGHCVSS 7.8EG 7.82025-04-07
Memory corruption may occur while initiating two IOCTL calls simultaneously to create processes from two different threads.
- CVE-2025-21437HIGHCVSS 7.8EG 7.82025-04-07
Memory corruption while processing memory map or unmap IOCTL operations simultaneously.
- CVE-2025-21453HIGHCVSS 7.8EG 7.82025-05-06
Memory corruption while processing a data structure, when an iterator is accessed after it has been removed, potential failures occur.
- CVE-2025-21456HIGHCVSS 7.8EG 7.82025-08-06
Memory corruption while processing IOCTL command when multiple threads are called to map/unmap buffer concurrently.
- CVE-2025-21458HIGHCVSS 7.8EG 7.82025-08-06
Memory corruption when IOCTL interface is called to map and unmap buffers simultaneously.
- CVE-2025-21466HIGHCVSS 7.8EG 7.82025-07-08
Memory corruption while processing a private escape command in an event trigger.
- CVE-2025-21474HIGHCVSS 7.8EG 7.82025-08-06
Memory corruption while processing commands from A2dp sink command queue.
- CVE-2025-21631HIGHCVSS 7.8EG 7.82025-01-19
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Our syzkaller report a following UAF for v6.6: BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/…
- CVE-2025-21652HIGHCVSS 7.8EG 7.82025-01-19
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix use-after-free in ipvlan_get_iflink(). syzbot presented an use-after-free report [0] regarding ipvlan and linkwatch. ipvlan does not hold a refcnt of the lo…
- CVE-2025-21655MEDIUMCVSS 4.7EG 4.72025-01-20
In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_…
- CVE-2025-21671HIGHCVSS 7.8EG 7.82025-01-31
In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_fr…
- CVE-2025-21693HIGHCVSS 7.8EG 7.82025-02-10
In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginn…
- CVE-2025-21700HIGHCVSS 7.8EG 7.82025-02-13
In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the fo…
- CVE-2025-21703HIGHCVSS 7.8EG 7.82025-02-18
In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to re…
- CVE-2025-21714HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP use after free Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are dest…
- CVE-2025-21715HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix …
- CVE-2025-21718HIGHCVSS 7.0EG 7.02025-02-27
In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check an…
- CVE-2025-21722HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: nilfs2: do not force clear folio if buffer is referenced Patch series "nilfs2: protect busy buffer heads from being force-cleared". This series fixes the buffer head st…
- CVE-2025-21726HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue …
- CVE-2025-21727HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003…
- CVE-2025-21729HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the conditi…
- CVE-2025-21731HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() …
- CVE-2025-21739HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) devi…
- CVE-2025-21751HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, change error flow on matcher disconnect Currently, when firmware failure occurs during matcher disconnect flow, the error flow of the function reconnects …
- CVE-2025-21753HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when attempting to join an aborted transaction When we are trying to join the current transaction and if it's aborted, we read its 'aborted' fi…
- CVE-2025-21756HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autob…
- CVE-2025-21759HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: extend RCU protection in igmp6_send() igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net …
- CVE-2025-21760HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rc…
- CVE-2025-21761HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid …
- CVE-2025-21762HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF.
- CVE-2025-21763HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: neighbour: use RCU protection in __neigh_notify() __neigh_notify() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF.
- CVE-2025-21764HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF.
- CVE-2025-21786HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds …
- CVE-2025-21791HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out…
- CVE-2025-21796HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access wil…
- CVE-2025-21797HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: HID: corsair-void: Add missing delayed work cancel for headset status The cancel_delayed_work_sync() call was missed, causing a use-after-free in corsair_void_remove().
- CVE-2025-21811HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect access to buffers with no active references nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, ac…
- CVE-2025-21812HIGHCVSS 7.8EG 7.82025-02-27
In the Linux kernel, the following vulnerability has been resolved: ax25: rcu protect dev->ax25_ptr syzbot found a lockdep issue [1]. We should remove ax25 RTNL dependency in ax25_setsockopt() This should also fix a variety of possible…
- CVE-2025-21855HIGHCVSS 7.8EG 7.82025-03-12
In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of th…
- CVE-2025-21856HIGHCVSS 7.8EG 7.82025-03-12
In the Linux kernel, the following vulnerability has been resolved: s390/ism: add release function for struct device According to device_release() in /drivers/base/core.c, a device without a release function is a broken device and must b…
- CVE-2025-21858HIGHCVSS 7.8EG 7.82025-03-12
In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.…
- CVE-2025-21861MEDIUMCVSS 5.5EG 5.52025-03-12
In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migra…
- CVE-2025-21867HIGHCVSS 7.8EG 7.82025-03-27
In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt…
- CVE-2025-21879HIGHCVSS 7.8EG 7.82025-03-27
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free on inode when scanning root during em shrinking At btrfs_scan_root() we are accessing the inode's root (and fs_info) in a call to btrfs_fs_clos…
- CVE-2025-21883HIGHCVSS 7.8EG 7.82025-03-27
In the Linux kernel, the following vulnerability has been resolved: ice: Fix deinitializing VF in error path If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox…
- CVE-2025-21887HIGHCVSS 7.8EG 7.82025-03-27
In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d…
- CVE-2025-21893HIGHCVSS 7.8EG 7.82025-03-31
In the Linux kernel, the following vulnerability has been resolved: keys: Fix UAF in key_put() Once a key's reference count has been reduced to 0, the garbage collector thread may destroy it at any time and so key_put() is not allowed to…
- CVE-2025-21896HIGHCVSS 7.8EG 7.82025-04-01
In the Linux kernel, the following vulnerability has been resolved: fuse: revert back to __readahead_folio() for readahead In commit 3eab9d7bc2f4 ("fuse: convert readahead to use folios"), the logic was converted to using the new folio r…
- CVE-2025-21915HIGHCVSS 7.8EG 7.82025-04-01
In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() i…
- CVE-2025-21923HIGHCVSS 7.8EG 7.82025-04-01
In the Linux kernel, the following vulnerability has been resolved: HID: hid-steam: Fix use-after-free when detaching device When a hid-steam device is removed it must clean up the client_hdev used for intercepting hidraw access. This ca…
Map vulnerabilities like CWE-416 to your infrastructure
EchelonGraph correlates every CVE — across CWE-416 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →