CWE-416 7915 CVEs MITRE definition ↗

CWE-416: Use After Free

Overview

CWE-416 (Use After Free) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact
Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Applicable platforms

Kind Name Class Prevalence OS / CPE
language Memory-Unsafe Often
language C Often
language C++ Often

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE Published Summary
CVE-2026-58598 2026-07-16 Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Backup Engine allows an authorized attacker to elevate privileges locally.
CVE-2026-57076 2026-07-16 YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syck…
CVE-2026-13713 2026-07-16 YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefine…
CVE-2026-55406 2026-07-16 Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView<V> type allowed safe Rust code to trigger a use-after-…
CVE-2026-6424 2026-07-16 Use-after-free vulnerability in ESET Linux products potentially allowed an attacker to trigger kernel panic on the system
CVE-2026-38753 2026-07-15 A use-after-free in the awk_sub() function (editors/awk.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AWK script.
CVE-2026-56434 2026-07-15 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssi_module module. This vulnerability may exist when the Server-Side Includes (SSI), proxy_pass, and proxy_buffering off directive…
CVE-2026-61860 2026-07-15 ImageMagick before 7.1.2-26 and 6.9.13-51 contains a use-after-free vulnerability that occurs when freetype initialization fails: the method does not exit and continues to use memory that was already …
CVE-2026-15777 2026-07-14 Use after free in UI in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a cra…
CVE-2026-15774 2026-07-14 Use after free in Skia in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chr…
CVE-2026-15773 2026-07-14 Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)…
CVE-2026-15772 2026-07-14 Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML …
CVE-2026-15765 2026-07-14 Use after free in Ozone in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted H…
CVE-2026-15764 2026-07-14 Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a …
CVE-2026-58637 2026-07-14 Use after free in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.
CVE-2026-58634 2026-07-14 Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-58633 2026-07-14 Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.
CVE-2026-58632 2026-07-14 Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.
CVE-2026-58629 2026-07-14 Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
CVE-2026-58626 2026-07-14 Use after free in Windows Remote Desktop Services allows an authorized attacker to execute code over a network.

Content submission

Name
7 Pernicious Kingdoms
Date
2006-07-19
Version
Draft 3

Content modifications

Date Name Version Importance Comment
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-08-01 1.0 added/updated white box definitions
2008-09-08 CWE Content Team 1.0 updated Applicable_Platforms, Common_Consequences, Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2008-11-24 CWE Content Team 1.1 updated Relationships, Taxonomy_Mappings
2009-03-10 CWE Content Team 1.3 updated Demonstrative_Examples
2009-05-27 CWE Content Team 1.4 updated Demonstrative_Examples
2009-10-29 CWE Content Team 1.6 updated Common_Consequences
2010-02-16 CWE Content Team 1.8 updated Relationships
2010-06-21 CWE Content Team 1.9 updated Potential_Mitigations
2010-09-27 CWE Content Team 1.10 updated Observed_Examples, Relationships
2010-12-13 CWE Content Team 1.11 updated Alternate_Terms, Common_Consequences, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships
2011-03-29 CWE Content Team 1.12 updated Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Demonstrative_Examples
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated References, Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions
2019-01-03 CWE Content Team 3.2 updated Relationships
2019-06-20 CWE Content Team 3.3 updated Relationships, Type
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated References, Relationships, Taxonomy_Mappings
2020-06-25 CWE Content Team 4.1 updated Relationships
2020-08-20 CWE Content Team 4.2 updated Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-07-20 CWE Content Team 4.5 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Description, Relationships, Taxonomy_Mappings
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2024-02-29 CWE Content Team 4.14 updated Taxonomy_Mappings
2024-07-16 CWE Content Team 4.15 updated Alternate_Terms, Common_Consequences, Description, Diagram, Potential_Mitigations, Relationships, Weakness_Ordinalities
2024-11-19 CWE Content Team 4.16 updated Relationships
2025-04-03 CWE Content Team 4.17 updated Observed_Examples
2025-09-09 CWE Content Team 4.18 updated Functional_Areas
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Detection_Factors, References, Relationships
2026-04-30 CWE Content Team 4.20 updated Common_Consequences, Observed_Examples

Contributions

Type Name Date Comment
Feedback Anonymous External Contributor 2022-06-28 Suggested rephrase for extended description
Content participants in the CWE ICS/OT SIG 62443 Mapping Fall Workshop 2023-11-14 Contributed or reviewed taxonomy mappings for ISA/IEC 62443
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
cvelogic Threat Intelligence