Use-After-Free

A use-after-free dereferences a pointer to memory that has already been freed; if an attacker can reclaim that memory first, the stale read or write operates on attacker-chosen contents.

Definition

Use-after-free (UAF) is a memory-safety bug in which a program retains a pointer to a memory region after that region has been freed back to the allocator. A subsequent dereference of the pointer reads or writes whatever the allocator has since placed at that address. If the attacker can influence the allocator's behaviour — typically by triggering a controlled allocation in another code path between the free and the use — the contents of the freed region come under attacker control.

UAF is one of the dominant bug classes in browser rendering-engine exploitation. Chromium's own analysis attributes roughly 70% of its high-severity security bugs to memory unsafety, and about half of those are use-after-free; Safari (WebKit) and Firefox ship a steady stream of UAF fixes for the same reason. The object-lifetime graph of a JavaScript engine plus DOM is enormous, with objects owned jointly by garbage-collected script, reference-counted C++ and raw back-pointers, and lifetime mistakes in a C++ codebase at that scale are hard to avoid.

How it works

An object is allocated and a pointer to it is stashed somewhere: in a callback, in a parent object, on a stack frame. The object is later freed, often by a different code path than the one holding the pointer (a DOM node removed by script while a C++ event handler still references it, for example). The original code path then dereferences the now-dangling pointer. By that time the allocator has usually reused the memory for a fresh allocation of the same size class; the attacker arranges, through scripted allocations of the right size (heap grooming, or "heap feng shui"), that the new contents are attacker-chosen bytes. If the dangling object carries a vtable pointer, those bytes can replace it with a pointer to a fake vtable, so the next virtual call through the stale pointer jumps to an attacker-chosen address. Even without a controlled reclaim, a stale write corrupts whatever object now occupies the memory, and a stale read leaks it.
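The reclaim step described above, as an added example in C (not code from the page): a tiny one-size LIFO free list models the size-class bin of a real allocator, and the attacker's same-size "spray" allocation lands on the freed widget so that the stale virtual-style call dispatches to the attacker's function. The arena, the bin_alloc/bin_free helpers and the widget/listener types are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the page). A one-size LIFO free list stands in for a
 * real allocator's size-class bin: glibc's tcache and PartitionAlloc's
 * freelists both hand back the most recently freed chunk of a size class first,
 * which is what lets the attacker's same-size allocation land on top of the
 * freed object. Everything lives in a private arena so the stale access is
 * observable and deterministic instead of undefined behaviour. */
#define CHUNK   32
#define NCHUNKS 8
static _Alignas(16) unsigned char arena[CHUNK * NCHUNKS];
static void *freelist[NCHUNKS];
static int nfree, bumped;

static void *bin_alloc(void) {
    if (nfree > 0) return freelist[--nfree];            /* reuse: last freed, first out */
    if (bumped < NCHUNKS) return arena + CHUNK * bumped++;
    return NULL;
}
static void bin_free(void *p) { freelist[nfree++] = p; } /* no poisoning, no quarantine */

/* Victim object: the function-pointer slot plays the role of a C++ vtable. */
struct widget {
    void (*on_event)(struct widget *);
    char name[24];
};
static int greet_calls, hijack_calls;
static void widget_greet(struct widget *w)      { (void)w; greet_calls++; }
static void attacker_function(struct widget *w) { (void)w; hijack_calls++; }

/* Something that stashes a raw pointer and outlives the widget. */
struct listener { struct widget *target; };

/* Returns 1 if the call through the dangling pointer was diverted to
 * attacker_function, 0 otherwise. */
int uaf_hijack(void) {
    nfree = bumped = greet_calls = hijack_calls = 0;    /* fresh arena */

    struct widget *w = bin_alloc();
    w->on_event = widget_greet;
    strcpy(w->name, "button");
    struct listener l = { .target = w };
    l.target->on_event(l.target);                       /* legitimate use */

    bin_free(w);                                        /* freed by one code path ... */

    /* ... and reclaimed by the attacker: a same-size allocation whose bytes
     * they control (think ArrayBuffer contents). The first pointer-sized bytes
     * overlay widget.on_event; memcpy mirrors an attacker writing raw bytes. */
    unsigned char *spray = bin_alloc();
    void (*fake_vtable)(struct widget *) = attacker_function;
    memcpy(spray, &fake_vtable, sizeof fake_vtable);
    memset(spray + sizeof fake_vtable, 'A', CHUNK - sizeof fake_vtable);

    int aliased = (spray == (unsigned char *)l.target);  /* same chunk, new owner */
    l.target->on_event(l.target);                       /* stale pointer: attacker picks the target */
    return aliased && greet_calls == 1 && hijack_calls == 1;
}

int main(void) {
    printf("control flow hijacked through dangling pointer: %s\n",
           uaf_hijack() ? "yes" : "no");
    return 0;
}
```

Swapping bin_alloc/bin_free for malloc/free reproduces the same reuse on glibc in practice, but then the stale call is undefined behaviour and AddressSanitizer will abort at the dangling read, which is exactly why the sanitizer is useful in test.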

Modern exploitation pairs a UAF with an information leak (to defeat ASLR), a reusable read/write primitive built from the corrupted object, and ROP or JIT-based code reuse (to defeat DEP/NX). A renderer UAF on its own yields code execution inside the browser's sandbox; full compromise chains it with a second bug in the browser process, the GPU process or the OS kernel to escape the sandbox.

Impact

At minimum a crash (a dangling dereference of poisoned or unmapped memory is a denial of service); with a controlled reclaim, information disclosure or reliable code execution in the affected process. In browsers UAF is a leading remote code execution vector reachable from untrusted web content; in OS kernels it is one of the most common local privilege escalation primitives, since the stale object can be replaced with one whose credential or function-pointer fields the attacker controls.

Mitigation

Use memory-safe languages where possible: Rust, Swift and garbage-collected languages rule out UAF by construction, and Chromium, Android and the Linux kernel are adopting Rust for new code on that basis. In C/C++, make ownership explicit with `std::unique_ptr`, and `std::shared_ptr` with `std::weak_ptr` for back-references and cycles; setting a freed pointer to `nullptr` immediately helps only for the one copy you nulled and does nothing for a copy stashed in another object, which is the usual shape of the bug. Test under AddressSanitizer, which detects UAF directly by quarantining freed memory (MemorySanitizer targets uninitialised reads, a different class). In production, use a hardened allocator: scudo (Android), PartitionAlloc (Chromium) and mimalloc's secure mode delay or randomise reuse and segregate size classes or types so that a freed slot is harder to reclaim with an attacker-chosen object. Chromium's MiraclePtr / BackupRefPtr keeps a slot quarantined and poisoned while any `raw_ptr` still references it, turning a large fraction of UAFs from exploitable into unexploitable; Microsoft's MemGC did the same for Edge's DOM objects, and WebKit's libpas provides isolated, type-segregated heaps for the same purpose. Hardware memory tagging (ARM MTE) adds probabilistic detection of stale accesses at runtime.
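A sketch of the BackupRefPtr idea as an added example in C (not Chromium's code): a per-allocation count of protected pointers keeps a freed chunk quarantined and poisoned until the last referrer drops it, so the reclaim pattern from the "How it works" section cannot land on the slot. The brp_*/pp_* names, the inline header and the explicit liveness check in pp_get are this example's own; Chromium's raw_ptr relies on the quarantine and poisoning rather than nulling a dead pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example (not Chromium's code): a minimal imitation of BackupRefPtr.
 * Each allocation carries a header counting the protected pointers that
 * reference it. Freeing an object that still has referrers poisons it and
 * quarantines the chunk instead of returning it to the allocator; the chunk is
 * released only when the last protected pointer lets go. */
struct brp_header {
    uint32_t refs;     /* outstanding protected_ptr references */
    uint32_t alive;    /* cleared by brp_free */
    uint64_t size;     /* payload size, so brp_free can poison it */
};
struct protected_ptr { struct brp_header *h; };   /* raw_ptr stand-in */

static int chunks_released;  /* chunks that actually reached free() */

static struct brp_header *hdr_of(void *obj) { return (struct brp_header *)obj - 1; }
static void release_chunk(struct brp_header *h) { chunks_released++; free(h); }

void *brp_alloc(size_t n) {
    struct brp_header *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->refs = 0; h->alive = 1; h->size = n;
    return h + 1;
}

/* The free() the application calls: poison, then quarantine if referenced. */
void brp_free(void *obj) {
    struct brp_header *h = hdr_of(obj);
    h->alive = 0;
    memset(obj, 0xEF, h->size);      /* stale reads see junk, never attacker data */
    if (h->refs == 0) release_chunk(h);
}

void pp_clear(struct protected_ptr *p) {
    struct brp_header *h = p->h;
    p->h = NULL;
    if (h && --h->refs == 0 && !h->alive) release_chunk(h);  /* last referrer ends quarantine */
}
void pp_assign(struct protected_ptr *p, void *obj) {
    pp_clear(p);
    p->h = obj ? hdr_of(obj) : NULL;
    if (p->h) p->h->refs++;
}
/* Dereference: NULL for a dead object instead of a dangling pointer
 * (a simplification; the real raw_ptr does not null dead pointers). */
void *pp_get(struct protected_ptr *p) {
    return (p->h && p->h->alive) ? (void *)(p->h + 1) : NULL;
}

/* Constructed victim and referrer types for the demo. */
struct widget { void (*on_event)(struct widget *); char name[24]; };
static int calls;
static void widget_greet(struct widget *w) { (void)w; calls++; }
struct listener { struct protected_ptr target; };

/* The listener-outlives-widget scenario. Returns 1 when the mitigation held on
 * every count: the chunk stayed quarantined after the free, the attacker's
 * same-size allocation did not get it, the stale use was refused, and the
 * chunk was released only after the listener dropped its reference. */
int mitigation_demo(void) {
    chunks_released = calls = 0;
    struct widget *w = brp_alloc(sizeof *w);
    w->on_event = widget_greet;
    strcpy(w->name, "button");
    struct listener l = { .target = { NULL } };
    pp_assign(&l.target, w);

    brp_free(w);                                   /* another code path frees it */
    int quarantined = (chunks_released == 0);

    struct widget *spray = brp_alloc(sizeof *w);   /* attacker's reclaim attempt */
    int reclaimed = (spray == w);                  /* cannot succeed: chunk never hit free() */
    brp_free(spray);                               /* unreferenced, so released at once */

    struct widget *t = pp_get(&l.target);          /* stale use refused */
    int refused = (t == NULL);
    if (t) t->on_event(t);

    pp_clear(&l.target);                           /* listener goes away, quarantine ends */
    int released_late = (chunks_released == 2);

    return quarantined && !reclaimed && refused && released_late && calls == 0;
}

int main(void) {
    printf("mitigation held: %s\n", mitigation_demo() ? "yes" : "no");
    return 0;
}
```

The cost model is the same as in Chromium: one counter per allocation and an increment/decrement per protected-pointer assignment, in exchange for removing the attacker's ability to place a chosen object under a still-referenced slot.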

Examples

  • CVE-2022-1364 — Type confusion in V8 (Chrome), exploited in the wild; a neighbouring memory-safety class rather than a UAF.
  • CVE-2023-4863 — Heap buffer overflow in libwebp's VP8L lossless decoder, exploited in the wild and patched across browsers and operating systems; an overflow rather than a UAF, listed for comparison.

See also

References