Vulnerabilities > Double Free
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-07 | CVE-2024-42234 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: mm: fix crashes from deferred split racing folio migration Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration. 6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on. Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it). | 5.5 |
| 2024-08-01 | CVE-2024-41957 | Double Free vulnerability in VIM Vim is an open source command line text editor. | 5.3 |
| 2024-08-01 | CVE-2024-41965 | Double Free vulnerability in VIM Vim is an open source command line text editor. | 4.2 |
| 2024-07-30 | CVE-2024-42123 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix double free err_addr pointer warnings In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages will be run many times so that double free err_addr in some special case. So set the err_addr to NULL to avoid the warnings. | 4.4 |
| 2024-07-29 | CVE-2024-41087 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. | 7.8 |
| 2024-07-29 | CVE-2024-41046 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times. | 7.8 |
| 2024-07-29 | CVE-2024-41073 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: nvme: avoid double free special payload If a discard request needs to be retried, and that retry may fail before a new special payload is added, a double free will result. | 7.8 |
| 2024-07-01 | CVE-2024-21461 | Double Free vulnerability in Qualcomm products Memory corruption while performing finish HMAC operation when context is freed by keymaster. | 7.8 |
| 2024-06-24 | CVE-2024-39292 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails. | 5.5 |
| 2024-06-21 | CVE-2024-38627 | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: stm class: Fix a double free in stm_register_device() The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free. | 7.8 |