Total
658 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-49205 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-09-22 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix double uncharge the mem of sk_msg If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed. tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free() The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error. This issue can cause the following info: WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: <TASK> __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> | ||||
| CVE-2023-52688 | 1 Linux | 1 Linux Kernel | 2025-09-19 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix the error handler of rfkill config When the core rfkill config throws error, it should free the allocated resources. Currently it is not freeing the core pdev create resources. Avoid this issue by calling the core pdev destroy in the error handler of core rfkill config. Found this issue in the code review and it is compile tested only. | ||||
| CVE-2025-5262 | 1 Mozilla | 1 Thunderbird | 2025-09-19 | 7.5 High |
| A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11. | ||||
| CVE-2024-35814 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-09-19 | 8.8 High |
| In the Linux kernel, the following vulnerability has been resolved: swiotlb: Fix double-allocation of slots due to broken alignment handling Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer: # Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page. Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page. This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size(). | ||||
| CVE-2024-27389 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-09-18 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: pstore: inode: Only d_invalidate() is needed Unloading a modular pstore backend with records in pstorefs would trigger the dput() double-drop warning: WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410 Using the combo of d_drop()/dput() (as mentioned in Documentation/filesystems/vfs.rst) isn't the right approach here, and leads to the reference counting problem seen above. Use d_invalidate() and update the code to not bother checking for error codes that can never happen. --- | ||||
| CVE-2025-50169 | 1 Microsoft | 5 Server, Windows, Windows 11 24h2 and 2 more | 2025-09-17 | 7.5 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2024-40940 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-09-17 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix tainted pointer delete is case of flow rules creation fail In case of flow rule creation fail in mlx5_lag_create_port_sel_table(), instead of previously created rules, the tainted pointer is deleted deveral times. Fix this bug by using correct flow rules pointers. Found by Linux Verification Center (linuxtesting.org) with SVACE. | ||||
| CVE-2025-55118 | 1 Bmc | 1 Control-m/agent | 2025-09-17 | 8.9 High |
| Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "use_openssl=n"; * Control-M/Agent 9.0.21 and 9.0.22: Agent router configuration uses the non-default settings "JAVA_AR=N" and "use_openssl=n". | ||||
| CVE-2024-42123 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-09-16 | 4.4 Medium |
| In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix double free err_addr pointer warnings In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages will be run many times so that double free err_addr in some special case. So set the err_addr to NULL to avoid the warnings. | ||||
| CVE-2025-21291 | 1 Microsoft | 8 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 5 more | 2025-09-09 | 8.8 High |
| Windows Direct Show Remote Code Execution Vulnerability | ||||
| CVE-2025-8585 | 1 Libav | 1 Libav | 2025-09-04 | 5.3 Medium |
| A vulnerability, which was classified as critical, has been found in libav up to 12.3. Affected by this issue is the function main of the file /avtools/avconv.c of the component DSS File Demuxer. The manipulation leads to double free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The bug was initially reported by the researcher to the wrong project. This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-2002 | 3 Fedoraproject, Libdwarf Project, Redhat | 3 Fedora, Libdwarf, Enterprise Linux | 2025-08-30 | 7.5 High |
| A double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results. | ||||
| CVE-2022-4450 | 3 Openssl, Redhat, Stormshield | 6 Openssl, Enterprise Linux, Jboss Core Services and 3 more | 2025-08-27 | 7.5 High |
| The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. | ||||
| CVE-2024-23141 | 1 Autodesk | 10 Advance Steel, Autocad, Autocad Architecture and 7 more | 2025-08-26 | 7.8 High |
| A maliciously crafted MODEL file, when parsed in libodxdll through Autodesk applications, can cause a double free. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process. | ||||
| CVE-2021-34184 | 1 Mackron | 1 Miniaudio | 2025-08-26 | 9.8 Critical |
| Miniaudio 0.10.35 has a Double free vulnerability that could cause a buffer overflow in ma_default_vfs_close__stdio in miniaudio.h. | ||||
| CVE-2025-49693 | 1 Microsoft | 5 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 2 more | 2025-08-23 | 7.8 High |
| Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-49667 | 1 Microsoft | 18 Windows, Windows 10, Windows 10 1507 and 15 more | 2025-08-23 | 7.8 High |
| Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-47975 | 1 Microsoft | 18 Windows, Windows 10, Windows 10 1507 and 15 more | 2025-08-23 | 7 High |
| Double free in Windows SSDP Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-49690 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-08-23 | 7.4 High |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an unauthorized attacker to elevate privileges locally. | ||||
| CVE-2025-49688 | 1 Microsoft | 6 Windows Server 2012, Windows Server 2016, Windows Server 2019 and 3 more | 2025-08-23 | 8.8 High |
| Double free in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | ||||