...
According to the C Standard, the behavior of a program that uses the value of a pointer that refers to space deallocated by a call to the free() or realloc() function is undefined . (See undefined behavior 177 of Annex J.)
Reading a pointer to deallocated memory is undefined behavior because the pointer value is indeterminate and can have a trap representation. In the latter case, doing so may cause a hardware trap.
...
| [ISO/IEC 9899:2011] | Subclause 7.22.3, "Memory Management Functions" Annex J, J.2, "Undefined Behavior" |
| [Kernighan 1988] | Section 7.8.5, "Storage Management" |
| [OWASP Freed Memory] | |
| [MIT 2005] | |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
| [Viega 2005] | Section 5.2.19, "Using Freed Memory" |
| [VU#623332] | |
| [xorl 2009] | CVE-2009-1364: LibWMF Pointer Use after free() |
...