Monthly
Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Use-after-free in the DNS-over-HTTPS (DoH) implementation of ISC BIND 9 (9.20.0-9.20.22, 9.21.0-9.21.21, and Subscription Edition 9.20.9-S1-9.20.22-S1) allows remote attackers to corrupt freed memory in the resolver/server process, potentially causing denial of service and possible information disclosure. The 9.18.x branch (including 9.18.11-S1 through 9.18.48-S1) is explicitly unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attackers to crash the daemon or potentially achieve arbitrary code execution by serving a malicious signed zone to a vulnerable resolver. The flaw stems from a struct-assignment bug during deep copying of response messages when DS sub-queries suspend validation under NSEC3 computational budget exhaustion. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.1 with network attack vector and no required privileges or user interaction makes this a high-priority patching target for any operator running a recursive Unbound resolver.
Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Use-after-free in the DNS-over-HTTPS (DoH) implementation of ISC BIND 9 (9.20.0-9.20.22, 9.21.0-9.21.21, and Subscription Edition 9.20.9-S1-9.20.22-S1) allows remote attackers to corrupt freed memory in the resolver/server process, potentially causing denial of service and possible information disclosure. The 9.18.x branch (including 9.18.11-S1 through 9.18.48-S1) is explicitly unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attackers to crash the daemon or potentially achieve arbitrary code execution by serving a malicious signed zone to a vulnerable resolver. The flaw stems from a struct-assignment bug during deep copying of response messages when DS sub-queries suspend validation under NSEC3 computational budget exhaustion. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.1 with network attack vector and no required privileges or user interaction makes this a high-priority patching target for any operator running a recursive Unbound resolver.