Memory Corruption

Out-of-bounds memory access in Mesa's WebGPU implementation allows remote attackers to achieve code execution, data corruption, or denial of service through untrusted allocation sizes passed to alloca. Affects Mesa versions before 25.3.6 and 26.x before 26.0.1. CVSS 8.1 (High) with network attack vector but high complexity. EPSS data not provided; no public exploit identified at time of analysis. Patch available via upstream merge request with fixed versions released.

Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution when victims open crafted project files. The vulnerability stems from insufficient validation during PDSPRJ file processing, allowing buffer overflow conditions that permit arbitrary code execution with victim's privileges. Exploitation requires user interaction-opening a malicious PDSPRJ file or visiting attacker-controlled web content. CVSS 7.8 (High) reflects local attack vector with no privileges required but mandatory user interaction. No public exploit identified at time of analysis. Affects all versions per available CPE data.

Out-of-bounds write in Labcenter Electronics Proteus PDSPRJ file parser enables unauthenticated remote code execution with high integrity impact. Exploitation requires user interaction (opening malicious PDSPRJ file or visiting attacker-controlled page). Insufficient input validation during PDSPRJ processing allows buffer overflow, writing arbitrary data beyond allocated memory boundaries. Successful exploitation grants attacker code execution in application context with full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis.

Out-of-bounds write during PDSPRJ file parsing in Labcenter Electronics Proteus enables remote code execution when users open malicious project files. Attackers exploit insufficient input validation to write beyond allocated buffer boundaries, executing arbitrary code with victim's privileges. Requires user interaction (opening crafted PDSPRJ file). CWE-787 memory corruption vulnerability. No public exploit identified at time of analysis.

Type confusion in Labcenter Electronics Proteus PDSPRJ file parser enables remote code execution when users open malicious project files. Attackers exploit insufficient validation during file parsing to trigger memory corruption, achieving arbitrary code execution with victim user privileges. Requires social engineering to deliver weaponized PDSPRJ files via email, web download, or file sharing. Publicly available exploit code exists (ZDI advisory disclosure). CVSS 7.8 reflects local attack vector requiring user interaction but no authentication.

Heap use-after-free in wolfSSL's TLS 1.3 post-quantum cryptography hybrid KeyShare processing allows unauthenticated remote attackers to corrupt heap memory and potentially disclose information. The vulnerability occurs when TLSX_KeyShare_ProcessPqcHybridClient() error handling prematurely frees a KyberKey object in src/tls.c, and the caller's subsequent TLSX_KeyShare_FreeAll() invocation writes zero bytes to already-freed memory. CVSS 6.3 reflects low integrity and availability impact; exploitation requires precise network timing (AT:P). No public exploit identified at time of analysis, but the underlying use-after-free pattern is a known attack vector in memory-unsafe code.

Buffer overflow in WolfSSL's TLSX_SNI_Write function allows remote unauthenticated attackers to corrupt memory by sending a specially crafted TLS ClientHello with ECH (Encrypted Client Hello) and SNI extension data. The vulnerability occurs when TLSX_EchChangeSNI unconditionally sets extensions even when no inner SNI is configured, causing attacker-controlled SNI data to be written 255 bytes beyond the allocated buffer boundary during ClientHello serialization. CVSS 6.9 indicates moderate integrity and availability impact with low attack complexity.

Heap use-after-free in HDF5 h5dump utility allows local attackers to achieve arbitrary code execution when processing malicious HDF5 files. Affects HDF5 versions 1.14.1-2 and earlier from HDFGroup. Attacker must convince user to open crafted file (user interaction required, CVSS UI:R). Unauthenticated attack vector enables high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis. Vulnerability stems from premature deallocation in H5D__typeinfo_term followed by unsafe reference in H5T__conv_struct memmove operation.

Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.

Wasmtime 43.0.0 contains a use-after-free vulnerability in the Linker cloning mechanism that allows host embedders to trigger memory corruption through a specific sequence of API calls: cloning a wasmtime::Linker, dropping the original instance, and then using the cloned instance. This vulnerability is not exploitable by guest WebAssembly programs and requires deliberate misuse of the host API. The flaw is fixed in Wasmtime 43.0.1. Despite the use-after-free nature (CWE-416), the CVSS 4.0 score of 1.0 reflects the extremely limited attack surface: physical or local access is required (AV:P), attack complexity is high (AC:H), high privilege level is needed (PR:H), and user interaction is required (UI:A), resulting in minimal confidentiality, integrity, and availability impact.

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.

An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.

Type confusion vulnerability in Google Chrome CSS engine (versions prior to 147.0.7727.55) enables heap corruption through malicious extensions. Attacker must convince user to install crafted Chrome extension, then exploit triggers memory corruption allowing high-severity impacts: arbitrary code execution, information disclosure, and denial of service. CVSS 8.8 rating reflects unauthenticated network vector requiring only user interaction. No public exploit identified at time of analysis. Chromium project classifies severity as Low despite critical CVSS score, indicating successful exploitation barriers beyond user interaction.

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).

Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.

Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

Memory corruption in NI LabVIEW's ResFileFactory::InitResourceMgr() function allows arbitrary code execution or information disclosure when users open malicious VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity reflects high impact potential, though exploitation requires user interaction to open a crafted file. No public exploit identified at time of analysis, with EPSS data unavailable for this recently assigned CVE. Local attack vector limits remote exploitation scenarios.

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution and information disclosure when processing maliciously crafted .lvclass files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open the weaponized file (CVSS AV:L/UI:P). No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability and provides remediation guidance.

Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution when processing malicious LVLIB files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open a specially crafted .lvlib project library file (CVSS 8.5, AV:L/PR:N/UI:P). No public exploit identified at time of analysis. EPSS data not available, but the local attack vector and user interaction requirement significantly limit immediate mass exploitation risk despite high CVSS score.

Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.

Remote code execution in Mozilla Firefox versions prior to 149.0.2 stems from multiple memory safety bugs allowing unauthenticated network attackers to execute arbitrary code without user interaction. Mozilla confirmed memory corruption evidence across affected versions (Firefox 149.0.1 and Thunderbird 149.0.1), though Thunderbird patch status remains unconfirmed. CVSS 9.8 reflects maximum severity due to network-accessible attack vector with no complexity barriers. No public exploit identified at time of analysis, though the CWE-787 out-of-bounds write class has high weaponization potential once technical details emerge from linked Bugzilla entries.

Multiple memory corruption vulnerabilities in Mozilla Firefox (< 149.0.2) and Firefox ESR (< 140.9.1) enable unauthenticated remote code execution with critical CVSS 9.8 severity. These memory safety bugs-including CWE-787 out-of-bounds write issues-affect both standard and Extended Support Release channels, with Mozilla confirming evidence of memory corruption exploitable for arbitrary code execution. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack requiring no user interaction.

Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack scenario requires specialized radio equipment and victim proximity to malicious infrastructure. Patch ID MOLY01088681 addresses the missing bounds check in modem baseband code.

Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.

Out-of-bounds write in Samsung Exynos chipsets (processors 980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, wearables W920/W930/W1000, modems 5123/5300/5400) allows unauthenticated remote attackers to achieve arbitrary code execution via malformed SMS TP-UD packets. Exploitation occurs through TP-UDHI/UDL value mismatch during SMS message parsing, enabling network-level attacks without user interaction. No public exploit identified at time of analysis.

Local privilege escalation via use-after-free in Qualcomm Snapdragon video memory management allows authenticated attackers with low privileges to achieve complete system compromise. The vulnerability exists in deprecated DMABUF IOCTL interfaces used for direct memory access buffer operations. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE. Qualcomm addressed this in their April 2026 security bulletin.

Memory corruption via use-after-free in Qualcomm Snapdragon SDK occurs when concurrent fence deregistration and signal handling operations access freed memory, allowing authenticated local attackers with low privileges to achieve information disclosure and integrity/availability compromise. CVSS 6.5 reflects local attack vector with high complexity; no public exploit code or active exploitation confirmed at time of analysis.

Use-after-free in Electron's offscreen rendering with GPU shared textures allows local attackers with high privileges to cause memory corruption or application crashes by invoking the texture release callback after its backing native state has been freed. The vulnerability affects Electron versions before 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5, and only impacts applications explicitly enabling shared-texture offscreen rendering via webPreferences.offscreen.useSharedTexture: true.

Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver through specially crafted query data, requiring user interaction to process malicious queries. Affected versions include all Amazon Athena ODBC driver releases before 2.1.0.0 across Windows, Linux, and macOS platforms. CVSS 7.1 (High) reflects network-based attack with low complexity but requires user interaction (UI:P) and impacts only availability (VA:H). No public exploit identified at time of analysis. Vendor-released patch version 2.1.0.0 is available for all supported platforms with direct download links provided in AWS security bulletin 2026-013.

Linux kernel sunrpc subsystem fails to properly release cache_request objects when file descriptors are closed mid-read, resulting in memory leaks and potential information disclosure through stale cache entries. The vulnerability affects all Linux kernel versions with the affected sunrpc cache implementation, and requires no special privileges or network access to trigger since it occurs during normal file descriptor closure in the kernel's user-space cache management interface.

Linux kernel mm/rmap subsystem fails to correctly preserve page table entry attributes (writable and soft-dirty bits) when batching unmap operations on lazyfree folios, causing kernel panic via page table check violation when a large folio with mixed writable/non-writable PTEs is unmapped across multiple processes. The vulnerability affects all Linux kernel versions with the vulnerable folio_unmap_pte_batch() code path and can be triggered by local attackers through a specific sequence of memory management syscalls (MADV_DONTFORK, fork(), MADV_DOFORK, MADV_FREE, and memory reclaim), resulting in denial of service via kernel crash.

Linux kernel xe (Intel GPU) driver leaks dynamically allocated virtual memory area (VMA) structures when argument validation fails in the xe_vm_madvise_ioctl handler, allowing local attackers to exhaust kernel memory and trigger denial of service. The vulnerability has been patched upstream in stable kernel branches with proper cleanup path addition.

Linux kernel DRM/xe driver fails to protect GPU memory (GGTT) MMIO access during failed driver load or asynchronous buffer object teardown, potentially enabling information disclosure or memory corruption. The vulnerability affects systems with Intel Xe graphics where the driver's hotplug-based protection mechanism does not activate if initialization fails, leaving GGTT memory accessible after the driver should have been disabled. CVSS and KEV status not available; patches have been released in upstream Linux stable branches.

Memory corruption and potential kernel freezes occur in the Linux kernel's IP tunnel implementation when VXLAN or GENEVE tunnels transmit packets, due to incorrect offset calculations in per-CPU statistics tracking on 32-bit systems. The vulnerability arises from iptunnel_xmit_stats() assuming all tunnels use NETDEV_PCPU_STAT_TSTATS, but VXLAN and GENEVE actually use NETDEV_PCPU_STAT_DSTATS with a different memory layout, causing syncp sequence counter overwrites that corrupt statistics or deadlock the kernel. Patch commits are available in the Linux kernel stable tree and address this by adapting the statistics handler and repositioning the pcpu_stat_type field to improve cache efficiency.

Memory leak in Linux kernel's TI ICSSG PRU Ethernet driver XDP_DROP path causes page pool exhaustion and out-of-memory conditions on systems using XDP packet dropping in non-zero-copy mode. The vulnerability affects all Linux kernel versions with the vulnerable icssg-prueth driver code; page recycling was incorrectly removed from the XDP_DROP handler to support AF_XDP zero-copy mode, but this created a resource leak in standard mode. No active exploitation identified; this is a kernel stability and denial-of-service issue affecting embedded and edge systems using TI PRU Ethernet hardware.

Double-free memory corruption in the Linux kernel's TEQL (Trivial Link Equalizer) qdisc implementation allows local attackers to cause kernel crashes via denial of service. The vulnerability occurs when qdisc_reset is called without proper synchronization on lockless Qdisc root configurations, creating a race condition that results in use-after-free and double-free conditions in packet buffer management. This affects all Linux kernel versions with the vulnerable TEQL code path and requires local access to trigger via specially crafted packet scheduling operations.

Memory leak in Linux kernel mac80211 subsystem's ieee80211_tx_prepare_skb() function fails to free socket buffers (skb) in one of three error paths, allowing local denial of service through memory exhaustion. The vulnerability affects all Linux kernel versions with the vulnerable code path in wireless MAC 802.11 handling; no active exploitation has been reported, but the fix addresses a resource leak that could be triggered by applications exercising error conditions in Wi-Fi frame preparation.

A use-after-free vulnerability in the Linux kernel's mshv (Microsoft Hyper-V) driver allows local attackers to trigger a kernel panic by unmapping user memory after a failed mshv_map_user_memory() call. The error path incorrectly calls vfree() without unregistering the associated MMU notifier, leaving a dangling reference that fires when userspace performs subsequent memory operations. This is a memory safety issue affecting the Hyper-V virtualization subsystem in the Linux kernel.

Memory leak in the Linux kernel's Amlogic SPI controller driver (aml_spisg_probe) fails to release SPI controller resources in multiple error paths during probe, allowing local attackers to exhaust kernel memory through repeated driver load/unload cycles or failed probe attempts. The vulnerability has been resolved in the upstream kernel by converting to device-managed SPI allocation functions.

Memory leak in Linux kernel drm/vmwgfx driver caused by overwriting KMS surface dirty tracker without proper cleanup. The vulnerability affects the VMware graphics driver subsystem in the kernel, allowing local attackers to trigger memory exhaustion through repeated surface operations. No CVSS score, EPSS data, or KEV status available; fix commits exist in upstream stable kernel branches.

Linux kernel drm/logicvc driver fails to release a device node reference in logicvc_drm_config_parse(), causing a reference leak that can exhaust kernel memory resources over time. The vulnerability affects all Linux kernel versions with the logicvc DRM driver enabled; it requires local access to trigger repeated calls to the vulnerable code path. This is a low-severity resource exhaustion issue resolved via kernel patch implementing automatic cleanup attributes.

Linux kernel btrfs subsystem fails to free allocated pages in btrfs_uring_read_extent() when error conditions occur before asynchronous I/O completion, leading to memory leaks. The vulnerability affects all Linux kernel versions with the vulnerable btrfs implementation; while tagged as Information Disclosure, the primary impact is denial of service through memory exhaustion rather than data exposure. No public exploit code or active exploitation has been identified; this is a defensive fix addressing a code path that may never execute under normal conditions but represents a resource management defect.

Memory leak in Linux kernel DRM/XE configfs device release allows information disclosure through unfreed ctx_restore_mid_bb allocation. The xe_config_device_release() function fails to deallocate ctx_restore_mid_bb[0].cs memory that was previously allocated by wa_bb_store(), leaving sensitive kernel memory accessible when the configfs device is removed. Affected Linux kernel versions containing the vulnerable DRM/XE driver require patching to prevent potential information leakage.

Memory leak in Linux kernel DRM/XE register save-restore (reg_sr) module fails to free allocated memory when xa_store() operation fails, potentially allowing local information disclosure or denial of service through repeated trigger of the error path. The vulnerability affects all Linux kernel versions containing the affected drm/xe/reg_sr code prior to the fix commits referenced. No CVSS score or exploit data provided; patch commits are available in upstream Linux repository.

Type confusion in Roundcube Webmail's password plugin allows authenticated users to change passwords without knowing the old password, affecting versions before 1.5.14 and 1.6.14. The vulnerability stems from incorrect password comparison logic that enables privilege escalation within an authenticated session. While the CVSS score of 4.2 reflects moderate severity and the requirement for prior authentication, the impact is direct account compromise for any authenticated user.

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.

Use-after-free in Electron framework allows memory corruption when native save-file dialogs remain open during session teardown. Affected Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.7 enable local attackers with UI interaction to trigger freed memory dereference via downloaded files, potentially causing application crashes or memory corruption. Only applications that programmatically destroy sessions at runtime and permit downloads are vulnerable; no public exploit code or active exploitation has been identified.

Use-after-free in Electron framework allows memory corruption when handling fullscreen, pointer-lock, or keyboard-lock permission requests in apps with asynchronous `session.setPermissionRequestHandler()` callbacks. Affects npm package electron versions prior to 41.0.0-beta.8, 40.7.0, 39.8.0, and 38.8.6. Remote attackers can trigger memory corruption or crashes if the requesting frame navigates or window closes while the permission handler is pending. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available across all affected major version branches.

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.

Type confusion in macOS memory handling allows local attackers to cause unexpected app termination through crafted user interaction, affecting macOS Sequoia before 15.6, Sonoma before 14.7.7, and Ventura before 13.7.7. With a CVSS score of 3.3 and SSVC exploitation status of 'none', this represents a low-severity local denial-of-service condition requiring user interaction; no public exploit code or active exploitation has been identified.

Out-of-bounds memory access in Apple media processing affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, allowing remote attackers to trigger unexpected application termination or memory corruption through maliciously crafted media files. The vulnerability requires user interaction (opening/playing the malicious file) but no authentication. Apple has released patched versions for all affected platforms with CVSS 6.3 (moderate severity) and no public exploitation identified at time of analysis.

Memory corruption vulnerability in Apple iOS, iPadOS, and macOS allows local attackers to achieve denial of service or potentially arbitrary code execution through malicious file processing. The vulnerability affects iOS and iPadOS versions below 18.6 and macOS Sequoia below 15.6, and has been patched in iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6. No public exploit identified at time of analysis, and CVSS severity is not numerically specified by Apple, though the buffer overflow classification and file processing attack vector indicate moderate to high real-world risk for users who encounter malicious content.

Memory corruption in macOS Sequoia image processing allows remote attackers to achieve arbitrary code execution via maliciously crafted images requiring user interaction. Affects macOS Sequoia versions prior to 15.6, with CVSS 8.8 (High) severity due to potential for complete system compromise. EPSS data unavailable; no public exploit identified at time of analysis. Apple addressed the vulnerability through improved memory handling in macOS 15.6 (released June 2025). Attack requires victim to process a weaponized image file, making social engineering or malicious websites likely delivery vectors.

Type confusion in Free5GC 4.2.0's aper component allows remote attackers to trigger memory corruption and information disclosure with high attack complexity and without authentication. The vulnerability stems from improper type handling in ASN.1 parsing and has publicly available exploit code, though active exploitation at scale has not been confirmed. CVSS 6.3 with availability impact and exploit proof-of-concept disclosure warrant timely patching.

Memory sealing (mseal) in the Linux kernel incorrectly tracks virtual memory area (VMA) boundaries during merge operations, causing curr_end to become stale and resulting in incorrect iteration state. This flaw in mm/mseal.c affects Linux kernel versions where the mseal feature is present, allowing local attackers to potentially bypass memory sealing protections or trigger information disclosure by manipulating VMA merge behavior during seal operations.

Linux kernel TLS subsystem leaks socket buffers (skbs) when asynchronous AEAD decryption operations fail during batch processing, allowing local attackers to exhaust kernel memory and potentially cause denial of service. The vulnerability exists in tls_decrypt_async_wait() and related functions that manage the async_hold queue, which pins encrypted input buffers for AEAD engine references; improper cleanup in failure paths leaves these buffers allocated indefinitely. This is a kernel memory leak affecting TLS decryption in the kernel's cryptographic stack, confirmed by multiple upstream patches across stable branches.

Out-of-bounds write in LibRaw's JPEG DHT parser (HuffTable::initval function) allows unauthenticated remote attackers to trigger a denial of service via malformed JPEG image files. LibRaw versions up to 0.22.0 are affected; publicly available exploit code exists. CVSS 4.3 (low severity) reflects denial-of-service impact only, with low attack complexity and no authentication required. Vendor-released patch available in version 0.22.1.

Out-of-bounds write in Nothings stb library up to version 1.22 allows remote attackers to corrupt memory and potentially execute code by crafting malicious Vorbis audio files that trigger improper bounds checking in the start_decoder function. Publicly available exploit code exists for this vulnerability, which affects all applications statically linking vulnerable stb_vorbis.c code. The vendor has not responded to disclosure attempts, leaving deployed instances without an official patch.

Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.

Memory leak in Linux kernel AppArmor module verify_header function causes namespace string allocation leaks during multiple profile unpacking and breaks namespace consistency checking. The vulnerable code incorrectly resets the namespace pointer to NULL on every function call, discarding previously allocated namespace strings and preventing proper namespace comparison across profile iterations. This affects Linux kernel versions with the vulnerable AppArmor implementation prior to upstream fixes applied across stable branches.

Linux kernel KVM x86/mmu module improperly validates shadow page table entries (SPTEs) in indirect MMUs, allowing host userspace writes to bypass KVM's write-tracking detection and corrupt shadow paging state. The vulnerability affects KVM implementations on x86 systems with nested or indirect MMU configurations where writes originating outside KVM's scope (e.g., from host userspace via memory access) are not detected, potentially leading to memory corruption or VM escape. No CVSS score, EPSS data, or KEV status is available; this appears to be an internal kernel consistency issue addressed via upstream patch rather than a directly exploitable security boundary.

Linux kernel KVM x86/MMU incorrectly installs emulated MMIO shadow page table entries (SPTEs) without first zapping existing shadow-present SPTEs when host userspace modifies guest page tables outside KVM's scope, causing kernel warnings and potential memory consistency issues. The vulnerability affects KVM on x86 systems running vulnerable kernel versions and can be triggered by a local attacker with ability to manipulate guest memory or run guest VMs, though the practical impact beyond kernel instability remains limited.

Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.

Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.

Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.

Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.

Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.

Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.

Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.

Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.

Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.

Use-after-free in Foxit PDF Reader and Editor allows arbitrary code execution when processing maliciously crafted PDF documents containing list box calculation arrays. The vulnerability (CVSS 7.8) occurs when stale references to deleted or re-created page/form objects persist in calculation logic, enabling local attackers to execute code with user privileges when victims open weaponized PDFs. No public exploit identified at time of analysis, though the memory corruption primitive is well-understood by exploit developers.

Use-after-free in Foxit PDF Editor and Foxit PDF Reader allows local attackers to achieve arbitrary code execution by crafting malicious JavaScript that manipulates document zoom and page state, causing stale view cache pointers to be dereferenced after the underlying view object is destroyed. The vulnerability requires user interaction (opening a crafted PDF) and local access, with a CVSS score of 5.5 reflecting denial-of-service impact, though the underlying memory corruption (CWE-416) and RCE tags indicate higher real-world severity under exploitation.

Memory corruption leading to arbitrary code execution affects AWS C Event Stream library versions before 0.6.0 when clients process malicious event-stream messages from attacker-controlled servers. The out-of-bounds write vulnerability in the streaming decoder requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), but grants complete control over confidentiality, integrity, and availability if successfully exploited. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE. Vendor-released patch version 0.6.0 addresses the issue.