Monthly
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for Mac) stems from a double free of heap memory (CWE-415) that lets an unauthorized attacker run arbitrary code when a victim opens a malicious document. The flaw was reported by Microsoft, carries CVSS 7.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires the target to open a crafted file (UI:R), it is a user-interaction-gated client-side RCE rather than a remotely-triggerable service bug.
Remote code execution in the Microsoft Windows DHCP Server role (Windows Server 2012 through 2025, plus Windows 10 1607/1809) arises from a double-free (CWE-415) condition that an authorized, network-adjacent attacker can trigger to run arbitrary code in the DHCP service context. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates a network-reachable but high-complexity attack requiring low-level privileges, with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and no CISA KEV listing, so exploitation appears theoretical rather than active for now.
Local privilege elevation in the Windows Brokering File System (bfs.sys/brokering component) lets an authenticated low-privileged user corrupt kernel memory via a double free (CWE-415) to gain SYSTEM-level privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A Microsoft-released patch is available. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Microsoft Printer Drivers component across Windows 10, Windows 11 (through 26H1), and Windows Server 2012 through 2025 lets an already-authenticated attacker corrupt kernel-adjacent memory to gain higher privileges. The flaw is a double free (CWE-415) triggered locally by a low-privileged user, yielding high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote denial-of-service in the Rockwell Automation FLEX 5000 EtherNet/IP adapter allows an unauthenticated network attacker to crash the module by sending a crafted CIP (Common Industrial Protocol) packet, halting the adapter and its associated I/O until a manual power cycle restores operation. The CVSS 4.0 score of 8.7 (High) reflects a network-reachable, no-privilege attack with high availability impact but no confidentiality or integrity loss. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV, so there is no confirmed active exploitation.
Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.
Double-free heap corruption in Open Asset Import Library (Assimp) through version 6.0.4 allows remote low-privileged attackers to corrupt process memory by supplying a maliciously crafted PLY 3D model file to the ExportToBlob function in the PLY Model Handler. A publicly available proof-of-concept exploit was disclosed alongside the report. The CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality, integrity, and availability impact on the vulnerable system, though CWE-415 double-free conditions in C++ libraries carry latent potential for escalated impact depending on memory layout and heap state at runtime.
Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. No public exploit has been identified and this vulnerability does not appear in the CISA KEV catalog, though upstream tagging of the issue as RCE-capable warrants patching in environments where GIMP users may open untrusted image files.
Non-atomic reference-count manipulation in the Zephyr RTOS net_buf library (lib/net_buf/buf.c) allows a double-free/use-after-free when a single buffer is shared and independently unref'd across concurrent contexts. Because buf->ref and the per-data-block ref_count were incremented/decremented with plain C operators despite the API being documented as self-synchronizing, two holders racing net_buf_unref() under SMP or single-core preemption can each conclude they hold the last reference, causing a double k_heap_free()/k_free() (heap-metadata corruption and UAF on heap-hardening poison) for heap/variable-data pools, or a double return to the pool free list for any pool type. All Zephyr releases through v4.4.0 are affected; no public exploit is identified at time of analysis and EPSS risk is low (0.16%, 6th percentile).
Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RAR5 archives via a double-free (CWE-415) of the stale filtered_buf pointer. Reported by Red Hat and affecting libarchive as shipped across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, the flaw is triggered purely by parsing a malicious archive entry. No public exploit has been identified and the issue is not in CISA KEV; impact is limited to availability (CVSS 7.5, A:H only) with no code execution or data exposure claimed.
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for Mac) stems from a double free of heap memory (CWE-415) that lets an unauthorized attacker run arbitrary code when a victim opens a malicious document. The flaw was reported by Microsoft, carries CVSS 7.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires the target to open a crafted file (UI:R), it is a user-interaction-gated client-side RCE rather than a remotely-triggerable service bug.
Remote code execution in the Microsoft Windows DHCP Server role (Windows Server 2012 through 2025, plus Windows 10 1607/1809) arises from a double-free (CWE-415) condition that an authorized, network-adjacent attacker can trigger to run arbitrary code in the DHCP service context. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates a network-reachable but high-complexity attack requiring low-level privileges, with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and no CISA KEV listing, so exploitation appears theoretical rather than active for now.
Local privilege elevation in the Windows Brokering File System (bfs.sys/brokering component) lets an authenticated low-privileged user corrupt kernel memory via a double free (CWE-415) to gain SYSTEM-level privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A Microsoft-released patch is available. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Microsoft Printer Drivers component across Windows 10, Windows 11 (through 26H1), and Windows Server 2012 through 2025 lets an already-authenticated attacker corrupt kernel-adjacent memory to gain higher privileges. The flaw is a double free (CWE-415) triggered locally by a low-privileged user, yielding high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote denial-of-service in the Rockwell Automation FLEX 5000 EtherNet/IP adapter allows an unauthenticated network attacker to crash the module by sending a crafted CIP (Common Industrial Protocol) packet, halting the adapter and its associated I/O until a manual power cycle restores operation. The CVSS 4.0 score of 8.7 (High) reflects a network-reachable, no-privilege attack with high availability impact but no confidentiality or integrity loss. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV, so there is no confirmed active exploitation.
Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the `gf_isom_nalu_sample_rewrite` function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.
Double-free heap corruption in Open Asset Import Library (Assimp) through version 6.0.4 allows remote low-privileged attackers to corrupt process memory by supplying a maliciously crafted PLY 3D model file to the ExportToBlob function in the PLY Model Handler. A publicly available proof-of-concept exploit was disclosed alongside the report. The CVSS 4.0 score of 5.3 (Medium) reflects limited confidentiality, integrity, and availability impact on the vulnerable system, though CWE-415 double-free conditions in C++ libraries carry latent potential for escalated impact depending on memory layout and heap state at runtime.
Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. No public exploit has been identified and this vulnerability does not appear in the CISA KEV catalog, though upstream tagging of the issue as RCE-capable warrants patching in environments where GIMP users may open untrusted image files.
Non-atomic reference-count manipulation in the Zephyr RTOS net_buf library (lib/net_buf/buf.c) allows a double-free/use-after-free when a single buffer is shared and independently unref'd across concurrent contexts. Because buf->ref and the per-data-block ref_count were incremented/decremented with plain C operators despite the API being documented as self-synchronizing, two holders racing net_buf_unref() under SMP or single-core preemption can each conclude they hold the last reference, causing a double k_heap_free()/k_free() (heap-metadata corruption and UAF on heap-hardening poison) for heap/variable-data pools, or a double return to the pool free list for any pool type. All Zephyr releases through v4.4.0 are affected; no public exploit is identified at time of analysis and EPSS risk is low (0.16%, 6th percentile).
Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RAR5 archives via a double-free (CWE-415) of the stale filtered_buf pointer. Reported by Red Hat and affecting libarchive as shipped across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, the flaw is triggered purely by parsing a malicious archive entry. No public exploit has been identified and the issue is not in CISA KEV; impact is limited to availability (CVSS 7.5, A:H only) with no code execution or data exposure claimed.