Double Free
What is Double Free?
Double Free: A memory-safety bug where the same heap chunk is freed twice, corrupting allocator metadata and often enabling arbitrary code execution.
A double free occurs when free()/delete is invoked more than once on the same pointer. The allocator's free lists or bin structures become inconsistent, allowing attackers to trick a later allocation into returning attacker-influenced memory or into overlapping live objects — a primitive that can lead to arbitrary writes and code execution. Double frees are tracked as CWE-415 and often coexist with use-after-free and double-fetch bugs. Defences include single-ownership patterns (RAII, smart pointers), setting pointers to NULL after free, hardened allocators that detect duplicate frees (tcache double-free protection in glibc, scudo), AddressSanitizer testing, and memory-safe languages.
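As an added example (not code from the page): a minimal C tracking wrapper in the spirit of the hardened allocators mentioned above, shown next to the vulnerable double-free pattern and its null-after-free form; tracked_malloc, tracked_free, safe_free and the two release functions are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical tracking wrapper: remembers live blocks so a repeated free is
 * reported instead of silently corrupting allocator metadata. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static size_t n_live = 0;
size_t live_count(void) { return n_live; }

void *tracked_malloc(size_t size) {
    if (n_live == MAX_LIVE) return NULL;
    void *p = malloc(size);
    if (p) live[n_live++] = p;
    return p;
}
/* 0 = valid free (NULL is a no-op); -1 = not live: double free or foreign pointer. */
int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (size_t i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];  /* drop from the live set, then release */
            free(p);
            return 0;
        }
    }
    return -1;  /* refuse: a real free() here would corrupt the bin/tcache */
}
/* Hardened form: free via the variable's address and null it afterwards. */
int safe_free(void **pp) {
    int rc = tracked_free(*pp);
    *pp = NULL;
    return rc;
}
/* Vulnerable pattern (CWE-415): the stale pointer is released a second time. */
int buggy_release(void) {
    void *buf = tracked_malloc(32);
    if (!buf) return -1;
    strcpy(buf, "session");
    tracked_free(buf);          /* first free: fine */
    return tracked_free(buf);   /* second free on a stale pointer: -1 */
}
/* Same flow through safe_free: the second call sees NULL and is a no-op. */
int hardened_release(void) {
    void *buf = tracked_malloc(32);
    if (!buf) return -1;
    strcpy(buf, "session");
    safe_free(&buf);
    return safe_free(&buf);     /* 0: nothing to free, nothing corrupted */
}
```

Under a real allocator the second free in buggy_release would instead abort (glibc tcache) or corrupt a free list; the wrapper only makes the two outcomes observable side by side.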
● Examples
- 01: CVE-2015-1322 — glibc tcache double-free leading to heap corruption.
- 02: CVE-2019-19377 — Linux btrfs double-free triggered by malformed images.
● Frequently asked questions
What is Double Free?
A memory-safety bug where the same heap chunk is freed twice, corrupting allocator metadata and often enabling arbitrary code execution. It belongs to the Vulnerabilities category of cybersecurity.
What does Double Free mean?
A memory-safety bug where the same heap chunk is freed twice, corrupting allocator metadata and often enabling arbitrary code execution.
How do you defend against Double Free?
Defences for Double Free combine the technical controls listed in the full definition above (single-ownership patterns such as RAII and smart pointers, setting pointers to NULL after free, hardened allocators that detect duplicate frees, AddressSanitizer testing, and memory-safe languages) with operational practices.
What are other names for Double Free?
Common alternative names include: Double-free vulnerability.