CWE-672: Operation on a Resource after Expiration or Release — known CVE vulnerabilities
CVEs classified under CWE-672 (Operation on a Resource after Expiration or Release), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2023-41094 — CVSS 10.0 (critical): TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Release of Resource…
CVE-2020-24030 — CVSS 9.8 (critical): ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data…
CVE-2020-12043 — CVSS 9.8 (critical): The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when configured for wireless networking the FTP service operating on the…
CVE-2019-17638 — CVSS 9.4 (critical): In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to…
CVE-2013-10075 — CVSS 9.1 (critical): Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and…
CVE-2022-22755 — CVSS 8.8 (high): By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within…
CVE-2021-23995 — CVSS 8.8 (high): When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this…
CVE-2021-33020 — CVSS 8.2 (high): Philips Vue PACS versions 12.2.x.x and prior uses a cryptographic key or password past its expiration date, which diminishes its safety…
CVE-2026-43585 — CVSS 8.1 (high): OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef…
CVE-2024-47571 — CVSS 8.1 (high): An operation on a resource after expiration or release in Fortinet FortiManager 6.4.12 through 7.4.0 allows an attacker to gain improper…
CVE-2023-34326 — CVSS 7.8 (high): The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as…
CVE-2020-25221 — CVSS 7.8 (high): get_gate_page in mm/gup.c in the Linux kernel 5.7.x and 5.8.x before 5.8.7 allows privilege escalation because of incorrect reference…
CVE-2017-14895 — CVSS 7.8 (high): In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, after a subsystem reset…
CVE-2017-0544 — CVSS 7.8 (high): An elevation of privilege vulnerability in CameraBase could enable a local malicious application to execute arbitrary code. This issue is…
CVE-2025-58149 — CVSS 7.5 (high): When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have…
CVE-2025-55669 — CVSS 7.5 (high): When the BIG-IP Advanced WAF and ASM security policy and a server-side HTTP/2 profile are configured on a virtual server, undisclosed…
CVE-2025-6031 — CVSS 7.5 (high): Amazon Cloud Cam is a home security camera that was deprecated on December 2, 2022, is end of life, and is no longer actively supported…
CVE-2024-39792 — CVSS 7.5 (high): When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource…
CVE-2022-30256 — CVSS 7.5 (high): An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allows variant V1 of unintended domain name resolution. A revoked domain…
CVE-2022-22197 — CVSS 7.5 (high): An Operation on a Resource after Expiration or Release vulnerability in the Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and…
CVE-2022-22332 — CVSS 7.5 (high): IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for…
CVE-2021-37204 — CVSS 7.5 (high): A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC Drive Controller family (All…
CVE-2021-37185 — CVSS 7.5 (high): A vulnerability has been identified in SIMATIC Drive Controller family (All versions >= V2.9.2 < V2.9.4), SIMATIC ET 200SP Open Controller…
CVE-2020-13530 — CVSS 7.5 (high): A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit…
CVE-2019-15691 — CVSS 7.2 (high): TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in…
CVE-2026-56314 — CVSS 7.1 (high): Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to…
CVE-2025-69415 — CVSS 7.1 (high): In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether…
CVE-2025-31253 — CVSS 7.1 (high): This issue was addressed through improved state management. This issue is fixed in iOS 18.5 and iPadOS 18.5. Muting the microphone during a…
CVE-2024-57929 — CVSS 7.1 (high): In the Linux kernel, the following vulnerability has been resolved: dm array: fix releasing a faulty array block twice in…
CVE-2019-15794 — CVSS 7.1 (high): Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both…
CVE-2021-47069 — CVSS 7.0 (high): In the Linux kernel, the following vulnerability has been resolved: ipc/mqueue, msg, sem: avoid relying on a stack reference past its…
CVE-2025-21117 — CVSS 6.6 (medium): Dell Avamar, version 19.4 or later, contains an access token reuse vulnerability in the AUI. A low privileged local attacker could…
CVE-2022-2447 — CVSS 6.6 (medium): A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token…
CVE-2025-10060 — CVSS 6.5 (medium): MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an…
CVE-2024-23638 — CVSS 6.5 (medium): Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of…
CVE-2023-42446 — CVSS 6.5 (medium): Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version…
CVE-2019-20022 — CVSS 6.5 (medium): An invalid memory address dereference was discovered in load_pnm in frompnm.c in libsixel before 1.8.3.
CVE-2026-58291 — CVSS 6.1 (medium): Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose…
CVE-2026-45005 — CVSS 6.0 (medium): OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after…
CVE-2026-2379 — CVSS 5.9 (medium): On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected…
CVE-2026-31875 — CVSS 5.9 (medium): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33…
CVE-2023-48220 — CVSS 5.7 (medium): Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the…
CVE-2024-56674 — CVSS 5.5 (medium): In the Linux kernel, the following vulnerability has been resolved: virtio_net: correct netdev_tx_reset_queue() invocation point When…
CVE-2024-49955 — CVSS 5.5 (medium): In the Linux kernel, the following vulnerability has been resolved: ACPI: battery: Fix possible crash when unregistering a battery hook…
CVE-2024-49953 — CVSS 5.5 (medium): In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice The…
CVE-2021-47294 — CVSS 5.5 (medium): In the Linux kernel, the following vulnerability has been resolved: netrom: Decrease sock refcount when sock timers expire Commit…
CVE-2024-4693 — CVSS 5.5 (medium): A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the…
CVE-2026-33463 — CVSS 5.3 (medium): Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error…
CVE-2022-45292 — CVSS 5.3 (medium): User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been…
CVE-2019-19480 — CVSS 4.6 (medium): An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/pkcs15-prkey.c has an incorrect free operation in…