mutated × shared — the answer changes between runs
Use-After-Free / Dangling Read
A freed allocation is still reachable through a second name; the stale read returns whatever reused the slot.
01 the recipe
In the wild
compound of: Aliasing & Mutable Defaults (CWE-471 MAID, Modification of Immutable Data) x Pointer Mismanagement (CWE-416 Use After Free)
compound: CWE-825 Expired Pointer
example.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SMELL: a freed pointer is still aliased and read.
   (aliasing-mutable-defaults x pointer-mismanagement) */
char *p = malloc(32);
strcpy(p, "session");
char *alias = p; /* a second name for the same allocation */
free(p); /* the slot can now be handed to anyone */
puts(alias); /* use-after-free: prints whatever reused it */

/* RIGHT: drop every alias at free; null it so a stale read is caught.
   (this pair replaces the free/puts pair above) */
free(p);
p = alias = NULL; /* no live name points at freed memory */

Two names share one allocation; freeing through one leaves the other dangling. What the stale read returns depends on what the allocator handed the freed slot to next -- so it changes run to run and only crashes sometimes.
// observed
uaf: prints stale or reallocated bytes; intermittent crash
right: dangling alias nulled -- a stale read fails loudly, not silently
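Nulling `p` and `alias` only works when the freeing site can see every copy. The following is an added example, not code from the page: it generalizes the fix to a generational handle, where each alias carries the generation it was minted under and a free bumps the generation, so every outstanding copy, seen or unseen, resolves to NULL afterwards. The names `slot`, `ref`, `ref_get`, `slot_alloc` and `slot_free` are this example's own, and the "new-tenant" string is constructed to stand in for whatever reused the slot.

```c
/* Added example: generational handles that make every alias of a freed
 * allocation fail loudly, including copies the freeing site never sees. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One owning slot per allocation. gen advances on every alloc and free,
 * so a (slot, gen) pair identifies exactly one lifetime. */
struct slot { char *mem; unsigned gen; };

/* A ref is an alias that remembers the generation it was created under. */
struct ref { struct slot *s; unsigned gen; };

static struct ref slot_alloc(struct slot *s, size_t n) {
    s->mem = malloc(n);
    s->gen++;                          /* a new lifetime begins */
    return (struct ref){ s, s->gen };
}

/* Resolve an alias. NULL means the allocation it named is gone. */
static char *ref_get(struct ref r) {
    if (r.s->mem == NULL || r.s->gen != r.gen) return NULL;
    return r.s->mem;
}

static void slot_free(struct slot *s) {
    free(s->mem);
    s->mem = NULL;
    s->gen++;                          /* every outstanding ref now mismatches */
}

/* The page's scenario with checked aliases. Returns 1 when the read through
 * the stale alias is refused, 0 if it would have been served. */
int stale_alias_is_caught(void) {
    struct slot s = {0};
    struct ref p = slot_alloc(&s, 32);
    char *mem = ref_get(p);
    if (mem == NULL) return 0;         /* malloc failed; nothing to show */
    strcpy(mem, "session");
    struct ref alias = p;              /* second name, same allocation */
    int live_before = ref_get(alias) != NULL;
    slot_free(&s);                     /* frees through one name only */
    int live_after = ref_get(alias) != NULL;
    return live_before && !live_after;
}

/* The slot is reused for a new allocation; the old alias must not be able
 * to read the new tenant's bytes. Returns 1 when it still reads as stale. */
int reuse_does_not_revive_alias(void) {
    struct slot s = {0};
    struct ref old = slot_alloc(&s, 32);
    if (ref_get(old) == NULL) return 0;
    slot_free(&s);
    struct ref fresh = slot_alloc(&s, 32);   /* same slot, new generation */
    char *mem = ref_get(fresh);
    if (mem == NULL) return 0;
    strcpy(mem, "new-tenant");         /* constructed: whatever reused the slot */
    int old_stale = ref_get(old) == NULL;
    int fresh_live = strcmp(ref_get(fresh), "new-tenant") == 0;
    slot_free(&s);
    return old_stale && fresh_live;
}

int main(void) {
    printf("stale alias caught: %d\n", stale_alias_is_caught());
    printf("reuse does not revive alias: %d\n", reuse_does_not_revive_alias());
    return 0;
}
```

The design choice is that a ref never holds the raw pointer: every read goes through `ref_get`, which compares generations, so the check costs one comparison and a stale alias becomes a NULL that the caller must handle rather than a read of recycled memory. Compiled with AddressSanitizer the original `puts(alias)` is also caught, but only on the runs where it executes; the generation check turns the intermittent failure into a deterministic one.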
02 weakness catalog
Mapped weaknesses (CWE)
On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.