Monthly
YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syck_strndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes st_delete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.
YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.
Use-after-free in ESET's Linux security product kernel components enables a local high-privileged attacker to trigger a kernel panic, causing a complete system crash and denial of service. Both ESET Endpoint Antivirus for Linux and ESET Server Security for Linux are affected across unspecified versions, per ESET's own customer advisory. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, server-deployed AV with kernel-level hooks makes the DoS impact operationally significant in production environments.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Use-after-free in ImageMagick's FreeType integration path allows remote denial of service against image processing pipelines using vulnerable 6.x or 7.x releases. When FreeType initialization fails during an image processing operation, the affected code path neglects to exit cleanly and continues referencing already-freed memory, causing process corruption or crash. No public exploit identified at time of analysis; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects meaningful preconditions required to trigger the failure path.
Denial of service in BusyBox 1.38.0 arises from a use-after-free in the awk_sub() routine of the AWK applet (editors/awk.c), allowing an attacker who can supply a crafted AWK script to crash the busybox awk process. The flaw is a memory-corruption bug (CWE-416) with availability-only impact and no confidentiality or integrity consequences. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and its EPSS score is low (0.14%, 4th percentile).
Use after free in UI in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Skia in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syck_strndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes st_delete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.
YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.
Use-after-free in ESET's Linux security product kernel components enables a local high-privileged attacker to trigger a kernel panic, causing a complete system crash and denial of service. Both ESET Endpoint Antivirus for Linux and ESET Server Security for Linux are affected across unspecified versions, per ESET's own customer advisory. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, server-deployed AV with kernel-level hooks makes the DoS impact operationally significant in production environments.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Use-after-free in ImageMagick's FreeType integration path allows remote denial of service against image processing pipelines using vulnerable 6.x or 7.x releases. When FreeType initialization fails during an image processing operation, the affected code path neglects to exit cleanly and continues referencing already-freed memory, causing process corruption or crash. No public exploit identified at time of analysis; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects meaningful preconditions required to trigger the failure path.
Denial of service in BusyBox 1.38.0 arises from a use-after-free in the awk_sub() routine of the AWK applet (editors/awk.c), allowing an attacker who can supply a crafted AWK script to crash the busybox awk process. The flaw is a memory-corruption bug (CWE-416) with availability-only impact and no confidentiality or integrity consequences. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and its EPSS score is low (0.14%, 4th percentile).
Use after free in UI in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Skia in Google Chrome prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)