CWE-415
Double Free
Description
The product calls free() twice on the same memory address.
Hierarchy (View 1000)
CVEs mapped to this weakness (275)
page 9 of 14| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-9287 | Med | 0.43 | 6.5 | 0.07 | May 29, 2017 | servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0. | ||
| CVE-2026-44422 | Hig | 0.42 | 7.5 | 0.00 | May 29, 2026 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is… | ||
| CVE-2026-33811 | Hig | 0.42 | 7.5 | 0.01 | May 7, 2026 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. | ||
| CVE-2026-4358 | Med | 0.42 | 6.4 | 0.00 | Mar 17, 2026 | A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk. | ||
| CVE-2025-5351 | Med | 0.42 | 6.5 | 0.00 | Jul 4, 2025 | A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free… | ||
| CVE-2025-31235 | Med | 0.42 | 6.5 | 0.00 | May 12, 2025 | A double free issue was addressed with improved memory management. This issue is fixed in iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. An app may be able to cause unexpected system termination. | ||
| CVE-2021-46700 | Med | 0.42 | 6.5 | 0.01 | Feb 19, 2022 | In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free. | ||
| CVE-2017-15186 | Med | 0.42 | 6.5 | 0.02 | Oct 24, 2017 | Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file. | ||
| CVE-2015-1239 | Med | 0.42 | 6.5 | 0.01 | Oct 18, 2017 | Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF. | ||
| CVE-2017-12925 | Med | 0.42 | 6.5 | 0.01 | Aug 28, 2017 | Double free vulnerability in DfFromLB in docfile.cxx in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service via a crafted fpx image. | ||
| CVE-2015-1207 | Med | 0.42 | 6.5 | 0.01 | Jun 6, 2017 | Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chrome 41.0.2251.0 allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file. | ||
| CVE-2018-0160 | Med | 0.41 | 6.3 | 0.02 | Mar 28, 2018 | A vulnerability in Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper management of memory resources, referred to as a… | ||
| CVE-2015-8962 | Hig | 0.41 | 7.3 | 0.02 | Nov 16, 2016 | Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call. | ||
| CVE-2026-46164 | Hig | 0.39 | 7.0 | 0.00 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() ->… | ||
| CVE-2024-3187 | Med | 0.39 | 5.9 | 0.00 | Oct 17, 2024 | This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote… | ||
| CVE-2017-6166 | Med | 0.39 | 5.9 | 0.02 | Nov 22, 2017 | In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe software 12.0.0 to 12.1.1, in some cases the Traffic Management Microkernel (TMM) may crash when processing fragmented packets. This vulnerability affects TMM through a virtual server configured… | ||
| CVE-2017-7521 | Med | 0.39 | 5.9 | 0.04 | Jun 27, 2017 | OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension(). | ||
| CVE-2026-46690 | Med | 0.38 | 5.8 | 0.00 | Jun 12, 2026 | unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches. | ||
| CVE-2026-20026 | Med | 0.38 | 5.8 | 0.01 | Jan 7, 2026 | Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet… | ||
| CVE-2025-8058 | Med | 0.38 | — | 0.00 | Jul 23, 2025 | The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow… |
- risk 0.43cvss 6.5epss 0.07
servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.
- risk 0.42cvss 7.5epss 0.00
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is…
- risk 0.42cvss 7.5epss 0.01
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
- risk 0.42cvss 6.4epss 0.00
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
- risk 0.42cvss 6.5epss 0.00
A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free…
- risk 0.42cvss 6.5epss 0.00
A double free issue was addressed with improved memory management. This issue is fixed in iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. An app may be able to cause unexpected system termination.
- risk 0.42cvss 6.5epss 0.01
In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free.
- risk 0.42cvss 6.5epss 0.02
Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file.
- risk 0.42cvss 6.5epss 0.01
Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF.
- risk 0.42cvss 6.5epss 0.01
Double free vulnerability in DfFromLB in docfile.cxx in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service via a crafted fpx image.
- risk 0.42cvss 6.5epss 0.01
Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chrome 41.0.2251.0 allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted .m4a file.
- risk 0.41cvss 6.3epss 0.02
A vulnerability in Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to improper management of memory resources, referred to as a…
- risk 0.41cvss 7.3epss 0.02
Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call.
- risk 0.39cvss 7.0epss 0.00
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() ->…
- risk 0.39cvss 5.9epss 0.00
This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote…
- risk 0.39cvss 5.9epss 0.02
In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe software 12.0.0 to 12.1.1, in some cases the Traffic Management Microkernel (TMM) may crash when processing fragmented packets. This vulnerability affects TMM through a virtual server configured…
- risk 0.39cvss 5.9epss 0.04
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().
- risk 0.38cvss 5.8epss 0.00
unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches.
- risk 0.38cvss 5.8epss 0.01
Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet…
- risk 0.38cvss —epss 0.00
The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow…