Total
456 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-42915 | 5 Apple, Fedoraproject, Haxx and 2 more | 13 Macos, Fedora, Curl and 10 more | 2024-03-27 | N/A | 8.1 HIGH |
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. | |||||
CVE-2023-27537 | 4 Broadcom, Haxx, Netapp and 1 more | 13 Brocade Fabric Operating System Firmware, Libcurl, Active Iq Unified Manager and 10 more | 2024-03-27 | N/A | 5.9 MEDIUM |
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free. | |||||
CVE-2021-37159 | 3 Debian, Linux, Oracle | 5 Debian Linux, Linux Kernel, Communications Cloud Native Core Binding Support Function and 2 more | 2024-03-25 | 4.4 MEDIUM | 6.4 MEDIUM |
hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free. | |||||
CVE-2023-4256 | 2 Broadcom, Fedoraproject | 3 Tcpreplay, Extra Packages For Enterprise Linux, Fedora | 2024-03-24 | N/A | 5.5 MEDIUM |
Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the tcpedit_dlt_cleanup() function within plugins/dlt_plugins.c. This vulnerability can be exploited by supplying a specifically crafted file to the tcprewrite binary. This flaw enables a local attacker to initiate a Denial of Service (DoS) attack. | |||||
CVE-2023-33952 | 2 Linux, Redhat | 4 Linux Kernel, Enterprise Linux, Enterprise Linux For Real Time and 1 more | 2024-03-19 | N/A | 6.7 MEDIUM |
A double-free vulnerability was found in handling vmw_buffer_object objects in the vmwgfx driver in the Linux kernel. This issue occurs due to the lack of validating the existence of an object prior to performing further free operations on the object, which may allow a local privileged user to escalate privileges and execute code in the context of the kernel. | |||||
CVE-2023-52439 | 1 Linux | 1 Linux Kernel | 2024-03-15 | N/A | 7.8 HIGH |
In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock. | |||||
CVE-2017-18595 | 2 Linux, Opensuse | 2 Linux Kernel, Leap | 2024-03-07 | 7.2 HIGH | 7.8 HIGH |
An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c. | |||||
CVE-2024-27099 | 2024-02-28 | N/A | 9.8 CRITICAL | ||
The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. When processing an incorrect `AMQP_VALUE` failed state, may cause a double free problem. This may cause a RCE. Update submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987. | |||||
CVE-2023-25136 | 3 Fedoraproject, Netapp, Openbsd | 9 Fedora, 500f, 500f Firmware and 6 more | 2024-02-27 | N/A | 6.5 MEDIUM |
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible." | |||||
CVE-2023-38562 | 2024-02-20 | N/A | 8.7 HIGH | ||
A double-free vulnerability exists in the IP header loopback parsing functionality of Weston Embedded uC-TCP-IP v3.06.01. A specially crafted set of network packets can lead to memory corruption, potentially resulting in code execution. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. | |||||
CVE-2022-4450 | 2 Openssl, Stormshield | 2 Openssl, Stormshield Network Security | 2024-02-04 | N/A | 7.5 HIGH |
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. | |||||
CVE-2006-5051 | 3 Apple, Debian, Openbsd | 4 Mac Os X, Mac Os X Server, Debian Linux and 1 more | 2024-02-02 | 9.3 HIGH | 8.1 HIGH |
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. | |||||
CVE-2004-0642 | 3 Debian, Mit, Redhat | 5 Debian Linux, Kerberos 5, Enterprise Linux Desktop and 2 more | 2024-02-02 | 7.5 HIGH | N/A |
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code. | |||||
CVE-2004-0772 | 3 Debian, Mit, Openpkg | 3 Debian Linux, Kerberos 5, Openpkg | 2024-02-02 | 7.5 HIGH | 9.8 CRITICAL |
Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code. | |||||
CVE-2005-1689 | 3 Apple, Debian, Mit | 4 Mac Os X, Mac Os X Server, Debian Linux and 1 more | 2024-02-02 | 7.5 HIGH | 9.8 CRITICAL |
Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions. | |||||
CVE-2003-0545 | 1 Openssl | 1 Openssl | 2024-02-02 | 10.0 HIGH | 9.8 CRITICAL |
Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. | |||||
CVE-2003-1048 | 1 Microsoft | 8 Internet Explorer, Outlook, Windows 98 and 5 more | 2024-02-02 | 10.0 HIGH | 7.8 HIGH |
Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. | |||||
CVE-2005-0891 | 1 Gnome | 1 Gtk | 2024-02-02 | 5.0 MEDIUM | 7.5 HIGH |
Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image. | |||||
CVE-2002-0059 | 1 Zlib | 1 Zlib | 2024-02-02 | 7.5 HIGH | 9.8 CRITICAL |
The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data. | |||||
CVE-2023-40103 | 1 Google | 1 Android | 2024-02-02 | N/A | 7.8 HIGH |
In multiple locations, there is a possible way to corrupt memory due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |