Memory Corruption
Monthly
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally.
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
Use after free in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
Use after free in Windows SMB Client allows an authorized attacker to elevate privileges locally.
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.
Use after free in Windows TCP/IP allows an unauthorized attacker to disclose information over a network.
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows low-privileged authenticated users to execute arbitrary code with SYSTEM privileges via use-after-free memory corruption. Microsoft has released patches addressing Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2012. CVSS base score is 7.0 (High) with local attack vector and high attack complexity. EPSS data not available; no CISA KEV listing at time of analysis, suggesting exploitation has not been observed in the wild despite public disclosure.
Local privilege escalation in Windows Win32K graphics subsystem (Win32K - GRFX) allows authenticated users with low privileges to achieve SYSTEM-level access through a use-after-free memory corruption vulnerability. Affects multiple Windows 10, Windows 11, and Windows Server 2012 versions. Microsoft has released patches through their March 2026 security updates. The CVSS 7.0 (High) rating reflects high attack complexity (AC:H), requiring specific race condition timing or system state manipulation, though EPSS data is not yet available for this recently disclosed CVE.
Type confusion vulnerability in Windows Ancillary Function Driver for WinSock enables local authenticated users to escalate privileges to SYSTEM level on Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server 2012. Microsoft has released patches through their March 2026 security update cycle. The vulnerability requires low-privilege local access but no user interaction, making it a high-value target for post-compromise lateral movement and persistence. CVSS 7.8 reflects complete system compromise potential, though EPSS data and KEV status are not available for this future-dated CVE.
Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.
Remote code execution in Fortinet FortiOS 7.2.0-7.2.11, 7.4.0-7.4.8, and 7.6.0-7.6.3 enables authenticated attackers to execute arbitrary code via malformed network packets. The out-of-bounds write vulnerability (CWE-787) affects FortiOS firewall appliances and requires only low-privilege credentials to exploit over the network. Fortinet published advisory FG-IR-26-123 confirming the vulnerability. No CISA KEV listing or public exploit code identified at time of analysis, though the straightforward network attack vector (AV:N/AC:L) suggests moderate weaponization potential once details emerge.
Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
Out-of-bounds write for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable data corruption. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts.
Uninitialized pointer access in Siemens Solid Edge SE2026 enables arbitrary code execution when processing malicious PAR files. Attackers must deliver a crafted PAR file and convince users to open it (CVSS:4.0 AV:L/UI:P), achieving full compromise of the victim's workstation with high confidentiality, integrity, and availability impact. No active exploitation confirmed at time of analysis, though the local attack vector and user interaction requirement limit automated mass exploitation. EPSS data not available for risk calibration.
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Type confusion vulnerability in Apple's operating systems allows remote unauthenticated attackers to trigger denial of service across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches addressing the issue in iOS/iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The CVSS vector indicates network-accessible exploitation with low complexity and no privileges required, though EPSS score of 0.13% (32nd percentile) suggests relatively low likelihood of widespread exploitation. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
A use-after-free vulnerability in Apple's Wi-Fi stack allows attackers in a privileged network position to cause denial-of-service via crafted Wi-Fi packets. The vulnerability affects iOS and iPadOS versions prior to 26.5 and 18.7.9, macOS versions prior to 26.5, 15.7.7, and 14.8.7, and tvOS, watchOS versions prior to 26.5. Exploitation requires adjacent network access and specific radio conditions (AC:H) but results in high availability impact with no active public exploitation identified.
Remote attackers can crash Apple devices or corrupt kernel memory without authentication via a use-after-free vulnerability affecting iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches across eight separate security bulletins (HT127110-127120) fixing this memory management flaw in all supported OS versions. EPSS score of 0.10% (28th percentile) suggests low exploitation probability despite the network-accessible attack vector and lack of authentication requirements. No active exploitation or public POC identified at time of analysis.
Denial of service in Apple macOS prior to version 26.5 allows remote attackers to crash Safari via maliciously crafted web content that triggers a use-after-free memory condition. The vulnerability requires user interaction (opening a malicious webpage) but no authentication, affecting all macOS versions before 26.5. EPSS exploitation probability is very low at 0.02%, suggesting limited real-world attack incentive despite the crash capability.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.
Use-after-free in WebKit allows remote attackers to trigger Safari crashes and potentially achieve arbitrary code execution across Apple's entire ecosystem (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) via maliciously crafted web content. Users must visit or be tricked into visiting a malicious webpage (UI:R). Despite CVSS 8.8 (High) with theoretical code execution impact (C:H/I:H/A:H), EPSS probability is extremely low (0.02%, 5th percentile), indicating minimal observed exploitation activity. No public exploit identified at time of analysis, and vendor patches are available across all platforms as of version 26.5.
Use-after-free in WebKit across Apple's entire operating system ecosystem enables remote information disclosure via malicious web content. Affects iOS/iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS versions prior to 26.5. The vulnerability allows network-based unauthenticated attackers to access high-value confidential information through crafted web pages, though the CVE description anomalously mentions process crash (availability impact) while the CVSS vector indicates confidentiality impact only. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) suggests low likelihood of imminent widespread exploitation despite the broad platform impact and network attack vector.
Out-of-bounds write in Apple operating systems allows network-based unauthenticated attackers to corrupt kernel memory or cause denial of service without user interaction. The vulnerability affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms, though the extremely low EPSS score (0.02%) suggests real-world exploitation risk is minimal despite the network attack vector.
Out-of-bounds write in Apple's file parsing component across iOS, iPadOS, and macOS enables remote code execution or denial of service via maliciously crafted files with no user interaction required. Exploitation probability is extremely low (EPSS 0.02%, 6th percentile) with no public exploit identified at time of analysis, despite the critical CVSS 7.3 score and network-based attack vector. Vendor patches available for all affected platforms (iOS/iPadOS 18.7.9, 26.5; macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). The CVSS vector indicating AV:N/PR:N/UI:N suggests automatic exploitation without user interaction, which contradicts the description's 'parsing a file' language - verify whether this requires user action to open/download the file or if background processes parse untrusted files automatically.
Use-after-free memory corruption in Apple operating systems allows high confidentiality impact through unexpected system termination. Affects iOS/iPadOS versions before 18.7.9 and 26.5, macOS Sequoia before 15.7.7, macOS Sonoma before 14.8.7, macOS Tahoe before 26.5, tvOS before 26.5, visionOS before 26.5, and watchOS before 26.5. Vendor-released patches are available across all affected platforms. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability in the wild, and no public exploit identified at time of analysis. CVSS vector indicates network-reachable attack surface with no authentication required, though the description states only 'an app' can trigger the condition, suggesting conflicting attack vector classification.
Safari on Apple platforms crashes when processing maliciously crafted web content due to a use-after-free vulnerability in memory management, resulting in denial of service. Affects iOS and iPadOS below 26.5, macOS Tahoe below 26.5, tvOS below 26.5, visionOS below 26.5, and watchOS below 26.5. Exploitation requires user interaction to visit a malicious webpage but does not allow code execution or information disclosure.
Out-of-bounds write in Apple operating systems allows local network attackers to cause denial-of-service via improved bounds checking bypass. Affects iOS/iPadOS (18.7.9+, 26.5+), macOS Sequoia (15.7.7+), Sonoma (14.8.7+), Tahoe (26.5+), tvOS (26.5+), visionOS (26.5+), and watchOS (26.5+). EPSS score of 0.02% indicates very low real-world exploitation probability despite local attack vector.
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.
Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.
Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and no CISA KEV listing confirms this remains a theoretical risk requiring local access with low privileges.
Local privilege escalation potential in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a use-after-free via a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.
Reference count underflow in Linux kernel sched_ext subsystem enables local privilege escalation to execute arbitrary code with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit code or active exploitation confirmed at time of analysis, though the Use-After-Free primitive could enable kernel memory corruption attacks.
Use-after-free in Linux kernel ALSA PCM subsystem allows local authenticated users to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in snd_pcm_drain() when a linked stream's runtime structure is freed via concurrent close() while still being dereferenced, enabling information disclosure, system crashes, or privilege escalation. With EPSS at 0.02% (7th percentile) and CVSS 7.8, this represents elevated theoretical risk but shows no evidence of active exploitation or public POC at time of analysis. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.
Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close() where opinfo pointer is dereferenced after RCU read unlock, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.
Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service by racing oplock_info access during concurrent RCU read operations. The vulnerability stems from immediate kfree() without RCU grace period, enabling opinfo_get() to call atomic_inc_not_zero() on freed memory. CVSS 9.8 reflects network exploitability without authentication, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. Vendor patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with fixes referenced in five upstream commits. Not listed in CISA KEV; no public exploit code identified at time of analysis.
Use-after-free in Linux kernel nexthop routing code allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs when removing a nexthop from a routing group, where percpu statistics memory is freed before the RCU grace period completes, allowing concurrent readers to access freed memory. Vendor patches available for stable kernel branches 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). CVSS 7.8 reflects local attack vector requiring authenticated access.
Use-after-free race condition in Linux kernel amdgpu driver allows local authenticated users to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The flaw occurs when parent and child processes sharing a drm_file both attempt to acquire the same virtual memory context after fork(), due to non-atomic vm->process_info assignment. Patches released across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (7th percentile) indicates very low predicted exploitation probability despite CVSS 7.8 severity, and no active exploitation or public POC identified.
In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.
Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood, no KEV listing or public POC identified at time of analysis.
Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed - the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.
Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.
Use-after-free in Linux kernel swap subsystem allows local authenticated users to achieve high-severity code execution, integrity violations, or denial of service. The vulnerability stems from multiple kernel subsystems (SLUB, shmem, TTM) failing to clear page->private fields before freeing memory, causing stale pointers to persist when pages are reallocated and split. The swap code then dereferences these uninitialized LIST_POISON values during swapoff operations, triggering KASAN-detected wild memory access. Patches available across kernel versions 6.18.16, 6.19.6, and 7.0, with EPSS score of 0.02% indicating low observed exploitation probability despite CVSS 7.8 rating.
Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).
The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.
Use-after-free memory corruption in PHP 8.2 prior to version 8.2.31 allows remote attackers to cause information disclosure or denial of service via network requests with low attack complexity. The vulnerability is addressed in PHP 8.2.31, released as a security update bundling fixes for eight CVEs including CVE-2026-7261. Patch availability is confirmed from the PHP development team.
Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments.
Use-after-free memory corruption in Firefox's DOM Networking component enables remote attackers to achieve unauthorized information disclosure, data manipulation, and service disruption without authentication or user interaction. Affects Firefox mainline and both Extended Support Release (ESR) branches. Mozilla shipped patches in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. SSVC analysis indicates no confirmed exploitation but the vulnerability is fully automatable with partial technical impact across confidentiality, integrity, and availability. EPSS data not available but the network attack vector (AV:N) with no prerequisites (AC:L/PR:N/UI:N) presents significant exposure for unpatched installations.
Out-of-bounds write in LibreOffice 26.2 before 26.2.3 and 25.8 before 25.8.7 allows local attackers to cause memory corruption and availability impact by opening crafted OOXML documents with mismatched encryption salt parameters. The vulnerability requires user interaction to open a malicious document and affects memory integrity with elevated scope impact on availability.
Arbitrary memory writes via USB in ZTE ZX297520V3 BootROM allow physical attackers with USB access to bypass Secure Boot signature verification and achieve unauthorized code execution by exploiting missing target address validation in USB download mode. The vulnerability requires physical device access and user interaction (device boot into download mode), resulting in a CVSS score of 5.1, but enables complete bypass of cryptographic security mechanisms and Secure Boot protections.
Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets. CISA KEV confirms active exploitation in the wild with publicly available exploit code. EPSS risk assessment is not provided, but the vulnerability achieves maximum impact with minimal attack complexity (CVSS 9.3, AV:N/AC:L/PR:N), making this a critical priority for immediate remediation. The attack surface is significantly reduced when access to the portal is restricted to trusted internal networks per vendor best practices.
Remote code execution within Chrome's sandbox allows arbitrary code execution via a malicious HTML page exploiting a use-after-free vulnerability in WebRTC. Affects Chrome versions prior to 148.0.7778.96. Despite high CVSS 8.8 scoring and RCE capability, exploitation requires user interaction (visiting a crafted page) and is confined to Chrome's sandbox, limiting system-level impact. Vendor patch released in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public POC at time of analysis, though Chromium security team rated this as Low severity internally, suggesting limited real-world exploitability despite the technical impact.
Remote code execution in Google Chrome on macOS versions prior to 148.0.7778.96 enables attackers to execute arbitrary code within the browser's sandbox through a malicious HTML page exploiting a use-after-free vulnerability in the Audio subsystem. The vulnerability requires user interaction (visiting a crafted webpage) but no authentication, with CVSS 8.8 rating reflecting high impact across confidentiality, integrity, and availability. Google has released patches in Chrome 148.0.7778.96; no active exploitation (KEV) or public POC has been identified at time of analysis, though the technical details are publicly accessible via Chromium issue tracker 495779613.
Sandbox escape in Google Chrome prior to 148.0.7778.96 on Linux, Mac, and ChromeOS allows remote attackers who have already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the printing subsystem. Despite the 8.3 CVSS score, Chromium rates this Low severity because exploitation requires a two-stage attack chain (initial renderer compromise followed by sandbox escape). Vendor patch released as Chrome 148.0.7778.96. No evidence of active exploitation or public POC identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.96 through a use-after-free vulnerability in the UI component. Attackers who have already compromised the renderer process can escape sandbox restrictions and execute arbitrary code by delivering a specially crafted HTML page requiring user interaction. Google has released patch version 148.0.7778.96. No active exploitation confirmed in CISA KEV at time of analysis, though the vulnerability requires prior renderer compromise which increases attack complexity beyond the CVSS AC:L rating suggests.
Remote code execution in Google Chrome's WebRTC implementation (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox through a malicious HTML page exploiting type confusion in WebRTC. Patch available via Chrome 148.0.7778.96. Requires user interaction (visiting crafted page) but no authentication. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability within sandbox constraints. No confirmed active exploitation or public POC identified at time of analysis.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free memory corruption vulnerability via a malicious HTML page. While sandboxed, successful exploitation achieves high confidentiality, integrity, and availability impact within the renderer process. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis. Vendor patch released as Chrome 148.0.7778.96.
Sandbox escape in Google Chrome's GPU component affects versions prior to 148.0.7778.96. An attacker who has already compromised the renderer process can escalate privileges to break out of Chrome's sandbox by exploiting a use-after-free memory corruption vulnerability via a specially crafted HTML page. This requires high attack complexity and user interaction (visiting a malicious page). No active exploitation confirmed at time of analysis, and vendor-released patch (version 148.0.7778.96) is available. EPSS data not provided, but the combination of network vector, changed scope (S:C in CVSS), and sandbox escape capability makes this a priority update for Chrome deployments despite Chromium's 'Medium' internal severity rating.
Remote code execution in Google Chrome's ReadingMode component (versions prior to 148.0.7778.96) allows attackers who have already compromised the renderer process to escape sandbox restrictions and execute arbitrary code on the underlying system. The vulnerability requires user interaction to visit a malicious webpage but exploitation complexity is low once renderer compromise is achieved. EPSS data not available; no CISA KEV listing identified at time of analysis, indicating no confirmed widespread exploitation. Vendor-released patch available in Chrome 148.0.7778.96.
Remote code execution in Google Chrome's WebAudio implementation (versions before 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox by exploiting a use-after-free vulnerability through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted page) but no authentication. Google has released Chrome 148.0.7778.96 to address this issue. EPSS data not available; no KEV listing or public POC identified at time of analysis, suggesting limited real-world exploitation observed despite the high CVSS score.
Remote code execution in Google Chrome versions prior to 148.0.7778.96 via malicious extension exploitation of use-after-free in Views component. Successful exploitation requires convincing a user to install a crafted Chrome extension, after which the attacker can execute arbitrary code with Chrome's privileges. Google has released Chrome 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not listed in CISA KEV) or public proof-of-concept code identified at time of analysis. CVSS 7.5 severity driven by high attack complexity and required user interaction, which moderates real-world exploitation risk despite potential for full system compromise.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally.
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
Use after free in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
Use after free in Windows SMB Client allows an authorized attacker to elevate privileges locally.
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.
Use after free in Windows TCP/IP allows an unauthorized attacker to disclose information over a network.
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows low-privileged authenticated users to execute arbitrary code with SYSTEM privileges via use-after-free memory corruption. Microsoft has released patches addressing Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2012. CVSS base score is 7.0 (High) with local attack vector and high attack complexity. EPSS data not available; no CISA KEV listing at time of analysis, suggesting exploitation has not been observed in the wild despite public disclosure.
Local privilege escalation in Windows Win32K graphics subsystem (Win32K - GRFX) allows authenticated users with low privileges to achieve SYSTEM-level access through a use-after-free memory corruption vulnerability. Affects multiple Windows 10, Windows 11, and Windows Server 2012 versions. Microsoft has released patches through their March 2026 security updates. The CVSS 7.0 (High) rating reflects high attack complexity (AC:H), requiring specific race condition timing or system state manipulation, though EPSS data is not yet available for this recently disclosed CVE.
Type confusion vulnerability in Windows Ancillary Function Driver for WinSock enables local authenticated users to escalate privileges to SYSTEM level on Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-26H1), and Windows Server 2012. Microsoft has released patches through their March 2026 security update cycle. The vulnerability requires low-privilege local access but no user interaction, making it a high-value target for post-compromise lateral movement and persistence. CVSS 7.8 reflects complete system compromise potential, though EPSS data and KEV status are not available for this future-dated CVE.
Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.
Remote code execution in Fortinet FortiOS 7.2.0-7.2.11, 7.4.0-7.4.8, and 7.6.0-7.6.3 enables authenticated attackers to execute arbitrary code via malformed network packets. The out-of-bounds write vulnerability (CWE-787) affects FortiOS firewall appliances and requires only low-privilege credentials to exploit over the network. Fortinet published advisory FG-IR-26-123 confirming the vulnerability. No CISA KEV listing or public exploit code identified at time of analysis, though the straightforward network attack vector (AV:N/AC:L) suggests moderate weaponization potential once details emerge.
Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
Out-of-bounds write for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable data corruption. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts.
Uninitialized pointer access in Siemens Solid Edge SE2026 enables arbitrary code execution when processing malicious PAR files. Attackers must deliver a crafted PAR file and convince users to open it (CVSS:4.0 AV:L/UI:P), achieving full compromise of the victim's workstation with high confidentiality, integrity, and availability impact. No active exploitation confirmed at time of analysis, though the local attack vector and user interaction requirement limit automated mass exploitation. EPSS data not available for risk calibration.
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Type confusion vulnerability in Apple's operating systems allows remote unauthenticated attackers to trigger denial of service across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches addressing the issue in iOS/iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The CVSS vector indicates network-accessible exploitation with low complexity and no privileges required, though EPSS score of 0.13% (32nd percentile) suggests relatively low likelihood of widespread exploitation. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
A use-after-free vulnerability in Apple's Wi-Fi stack allows attackers in a privileged network position to cause denial-of-service via crafted Wi-Fi packets. The vulnerability affects iOS and iPadOS versions prior to 26.5 and 18.7.9, macOS versions prior to 26.5, 15.7.7, and 14.8.7, and tvOS, watchOS versions prior to 26.5. Exploitation requires adjacent network access and specific radio conditions (AC:H) but results in high availability impact with no active public exploitation identified.
Remote attackers can crash Apple devices or corrupt kernel memory without authentication via a use-after-free vulnerability affecting iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches across eight separate security bulletins (HT127110-127120) fixing this memory management flaw in all supported OS versions. EPSS score of 0.10% (28th percentile) suggests low exploitation probability despite the network-accessible attack vector and lack of authentication requirements. No active exploitation or public POC identified at time of analysis.
Denial of service in Apple macOS prior to version 26.5 allows remote attackers to crash Safari via maliciously crafted web content that triggers a use-after-free memory condition. The vulnerability requires user interaction (opening a malicious webpage) but no authentication, affecting all macOS versions before 26.5. EPSS exploitation probability is very low at 0.02%, suggesting limited real-world attack incentive despite the crash capability.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.
Use-after-free in WebKit allows remote attackers to trigger Safari crashes and potentially achieve arbitrary code execution across Apple's entire ecosystem (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) via maliciously crafted web content. Users must visit or be tricked into visiting a malicious webpage (UI:R). Despite CVSS 8.8 (High) with theoretical code execution impact (C:H/I:H/A:H), EPSS probability is extremely low (0.02%, 5th percentile), indicating minimal observed exploitation activity. No public exploit identified at time of analysis, and vendor patches are available across all platforms as of version 26.5.
Use-after-free in WebKit across Apple's entire operating system ecosystem enables remote information disclosure via malicious web content. Affects iOS/iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS versions prior to 26.5. The vulnerability allows network-based unauthenticated attackers to access high-value confidential information through crafted web pages, though the CVE description anomalously mentions process crash (availability impact) while the CVSS vector indicates confidentiality impact only. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) suggests low likelihood of imminent widespread exploitation despite the broad platform impact and network attack vector.
Out-of-bounds write in Apple operating systems allows network-based unauthenticated attackers to corrupt kernel memory or cause denial of service without user interaction. The vulnerability affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms, though the extremely low EPSS score (0.02%) suggests real-world exploitation risk is minimal despite the network attack vector.
Out-of-bounds write in Apple's file parsing component across iOS, iPadOS, and macOS enables remote code execution or denial of service via maliciously crafted files with no user interaction required. Exploitation probability is extremely low (EPSS 0.02%, 6th percentile) with no public exploit identified at time of analysis, despite the critical CVSS 7.3 score and network-based attack vector. Vendor patches available for all affected platforms (iOS/iPadOS 18.7.9, 26.5; macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). The CVSS vector indicating AV:N/PR:N/UI:N suggests automatic exploitation without user interaction, which contradicts the description's 'parsing a file' language - verify whether this requires user action to open/download the file or if background processes parse untrusted files automatically.
Use-after-free memory corruption in Apple operating systems allows high confidentiality impact through unexpected system termination. Affects iOS/iPadOS versions before 18.7.9 and 26.5, macOS Sequoia before 15.7.7, macOS Sonoma before 14.8.7, macOS Tahoe before 26.5, tvOS before 26.5, visionOS before 26.5, and watchOS before 26.5. Vendor-released patches are available across all affected platforms. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability in the wild, and no public exploit identified at time of analysis. CVSS vector indicates network-reachable attack surface with no authentication required, though the description states only 'an app' can trigger the condition, suggesting conflicting attack vector classification.
Safari on Apple platforms crashes when processing maliciously crafted web content due to a use-after-free vulnerability in memory management, resulting in denial of service. Affects iOS and iPadOS below 26.5, macOS Tahoe below 26.5, tvOS below 26.5, visionOS below 26.5, and watchOS below 26.5. Exploitation requires user interaction to visit a malicious webpage but does not allow code execution or information disclosure.
Out-of-bounds write in Apple operating systems allows local network attackers to cause denial-of-service via improved bounds checking bypass. Affects iOS/iPadOS (18.7.9+, 26.5+), macOS Sequoia (15.7.7+), Sonoma (14.8.7+), Tahoe (26.5+), tvOS (26.5+), visionOS (26.5+), and watchOS (26.5+). EPSS score of 0.02% indicates very low real-world exploitation probability despite local attack vector.
Buffer overflow in Linux kernel rxrpc subsystem allows local authenticated attackers to achieve arbitrary code execution with kernel privileges. The vulnerability stems from improper handling of shared fragment memory in DATA and RESPONSE packet processing, where the kernel fails to unshare externally-owned page fragments before in-place decryption operations. This creates a buffer overflow condition (CWE-787) exploitable by local users with low privileges. Patches are available for kernel versions 6.18.29, 7.0.6, and 7.1-rc3. EPSS and KEV status not provided in available data.
Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.
Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and no CISA KEV listing confirms this remains a theoretical risk requiring local access with low privileges.
Local privilege escalation potential in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a use-after-free via a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.
Reference count underflow in Linux kernel sched_ext subsystem enables local privilege escalation to execute arbitrary code with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit code or active exploitation confirmed at time of analysis, though the Use-After-Free primitive could enable kernel memory corruption attacks.
Use-after-free in Linux kernel ALSA PCM subsystem allows local authenticated users to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in snd_pcm_drain() when a linked stream's runtime structure is freed via concurrent close() while still being dereferenced, enabling information disclosure, system crashes, or privilege escalation. With EPSS at 0.02% (7th percentile) and CVSS 7.8, this represents elevated theoretical risk but shows no evidence of active exploitation or public POC at time of analysis. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.
Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close() where opinfo pointer is dereferenced after RCU read unlock, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.
Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when accessing an opinfo pointer dereferenced after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service by racing oplock_info access during concurrent RCU read operations. The vulnerability stems from immediate kfree() without RCU grace period, enabling opinfo_get() to call atomic_inc_not_zero() on freed memory. CVSS 9.8 reflects network exploitability without authentication, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation attempts. Vendor patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0) with fixes referenced in five upstream commits. Not listed in CISA KEV; no public exploit code identified at time of analysis.
Use-after-free in Linux kernel nexthop routing code allows local authenticated attackers with low privileges to execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs when removing a nexthop from a routing group, where percpu statistics memory is freed before the RCU grace period completes, allowing concurrent readers to access freed memory. Vendor patches available for stable kernel branches 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV). CVSS 7.8 reflects local attack vector requiring authenticated access.
Use-after-free race condition in Linux kernel amdgpu driver allows local authenticated users to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The flaw occurs when parent and child processes sharing a drm_file both attempt to acquire the same virtual memory context after fork(), due to non-atomic vm->process_info assignment. Patches released across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% (7th percentile) indicates very low predicted exploitation probability despite CVSS 7.8 severity, and no active exploitation or public POC identified.
In-place encryption in the Linux kernel's SMB client corrupts write payloads during retry attempts, potentially causing data integrity loss and denial of service when SMB connections experience transient failures. The flaw affects SMB3 encrypted writes where the encryption process modifies the original buffer in place; on replayable errors (like network interruptions), retries re-send already-encrypted data as if it were plaintext, resulting in double-encryption and corrupted writes. This particularly impacts special file operations (SFU mknod, MF symlinks) and sync writes on pre-6.10 kernels. Patches are available across multiple stable kernel branches (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score is very low (0.01%), indicating minimal observed exploitation likelihood, and no active exploitation or public POC is documented.
Local privilege escalation in Linux kernel IPv6 address configuration subsystem enables authenticated local users to gain high-level system access through a use-after-free (UaF) condition in addrconf_permanent_addr(). Patch available across all maintained stable kernel series (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) with fixes backported from commit f1705ec197e7. EPSS score of 0.02% suggests minimal active exploitation likelihood, no KEV listing or public POC identified at time of analysis.
Buffer overflow in the Linux kernel's CAAM crypto driver allows local authenticated attackers to corrupt memory and potentially execute arbitrary code with elevated privileges. The vulnerability occurs when HMAC keys exceeding the algorithm's block size are processed - the driver allocates DMA-aligned memory but uses kmemdup() to copy only the actual key length, then reads beyond the source buffer boundary during hashing. EPSS score of 0.02% (5th percentile) indicates low predicted exploitation likelihood. Patches are available across multiple stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0) via upstream commits, with fixes applied since kernel 6.3 introduced the vulnerable code.
Use-after-free (UAF) in Linux kernel Bluetooth subsystem allows adjacent network attackers to trigger memory corruption via malformed LE Read Features Complete responses. The vulnerability occurs when hci_conn is freed before le_read_features_complete callback executes but after hci_le_read_remote_features_sync initiates, causing atomic operations on freed memory during hci_conn_drop. Active exploitation status not confirmed (no CISA KEV listing). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. Upstream patches committed to stable kernel branches 6.19.12+ and 7.0+.
Use-after-free in Linux kernel swap subsystem allows local authenticated users to achieve high-severity code execution, integrity violations, or denial of service. The vulnerability stems from multiple kernel subsystems (SLUB, shmem, TTM) failing to clear page->private fields before freeing memory, causing stale pointers to persist when pages are reallocated and split. The swap code then dereferences these uninitialized LIST_POISON values during swapoff operations, triggering KASAN-detected wild memory access. Patches available across kernel versions 6.18.16, 6.19.6, and 7.0, with EPSS score of 0.02% indicating low observed exploitation probability despite CVSS 7.8 rating.
Use-after-free in Linux kernel ESP (IPsec) allows local authenticated attackers to decrypt shared memory fragments improperly, potentially exposing encrypted network traffic or causing memory corruption. Affects kernel versions 6.5+ where MSG_SPLICE_PAGES can attach pipe pages directly to UDP socket buffers. The IPv4/IPv6 datagram paths fail to mark spliced pages as shared, causing ESP input decryption to modify memory not privately owned by the packet buffer. Public exploit code exists (POC available on GitHub), EPSS score is low (0.01%) indicating limited widespread exploitation risk, and vendor patches are available across affected stable kernel branches (6.6.138, 6.12.87, 6.18.28, 7.0.5).
The Go toolchain's 'go tool pack' subcommand fails to sanitize output filenames when extracting archive files, allowing local attackers with user privileges and user interaction to write files to arbitrary filesystem locations. Affected versions include Go 1.26.0 through 1.26.2 and all versions before 1.25.10. This vulnerability requires local access and user interaction to trigger, with a vendor-released patch available.
Use-after-free memory corruption in PHP 8.2 prior to version 8.2.31 allows remote attackers to cause information disclosure or denial of service via network requests with low attack complexity. The vulnerability is addressed in PHP 8.2.31, released as a security update bundling fixes for eight CVEs including CVE-2026-7261. Patch availability is confirmed from the PHP development team.
Use-after-free memory corruption in PHP 8.2.x enables remote attackers to achieve high-impact exploitation through network-accessible attack vectors, despite high attack complexity and specific timing requirements. PHP 8.2.31 addresses this vulnerability along with seven other security issues in a coordinated security release. The CVSS v4.0 score of 9.5 reflects both confidentiality and integrity impact across vulnerable and subsequent systems, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, but the vendor urgency indicator (U:Red) and release coordinator emphasis (RE:M) signal critical priority for organizations running PHP 8.2.x in production environments.
Use-after-free memory corruption in Firefox's DOM Networking component enables remote attackers to achieve unauthorized information disclosure, data manipulation, and service disruption without authentication or user interaction. Affects Firefox mainline and both Extended Support Release (ESR) branches. Mozilla shipped patches in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. SSVC analysis indicates no confirmed exploitation but the vulnerability is fully automatable with partial technical impact across confidentiality, integrity, and availability. EPSS data not available but the network attack vector (AV:N) with no prerequisites (AC:L/PR:N/UI:N) presents significant exposure for unpatched installations.
Out-of-bounds write in LibreOffice 26.2 before 26.2.3 and 25.8 before 25.8.7 allows local attackers to cause memory corruption and availability impact by opening crafted OOXML documents with mismatched encryption salt parameters. The vulnerability requires user interaction to open a malicious document and affects memory integrity with elevated scope impact on availability.
Arbitrary memory writes via USB in ZTE ZX297520V3 BootROM allow physical attackers with USB access to bypass Secure Boot signature verification and achieve unauthorized code execution by exploiting missing target address validation in USB download mode. The vulnerability requires physical device access and user interaction (device boot into download mode), resulting in a CVSS score of 5.1, but enables complete bypass of cryptographic security mechanisms and Secure Boot protections.
Remote code execution in Palo Alto Networks PAN-OS User-ID Authentication Portal (Captive Portal) allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via specially crafted packets. CISA KEV confirms active exploitation in the wild with publicly available exploit code. EPSS risk assessment is not provided, but the vulnerability achieves maximum impact with minimal attack complexity (CVSS 9.3, AV:N/AC:L/PR:N), making this a critical priority for immediate remediation. The attack surface is significantly reduced when access to the portal is restricted to trusted internal networks per vendor best practices.
Remote code execution within Chrome's sandbox allows arbitrary code execution via a malicious HTML page exploiting a use-after-free vulnerability in WebRTC. Affects Chrome versions prior to 148.0.7778.96. Despite high CVSS 8.8 scoring and RCE capability, exploitation requires user interaction (visiting a crafted page) and is confined to Chrome's sandbox, limiting system-level impact. Vendor patch released in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public POC at time of analysis, though Chromium security team rated this as Low severity internally, suggesting limited real-world exploitability despite the technical impact.
Remote code execution in Google Chrome on macOS versions prior to 148.0.7778.96 enables attackers to execute arbitrary code within the browser's sandbox through a malicious HTML page exploiting a use-after-free vulnerability in the Audio subsystem. The vulnerability requires user interaction (visiting a crafted webpage) but no authentication, with CVSS 8.8 rating reflecting high impact across confidentiality, integrity, and availability. Google has released patches in Chrome 148.0.7778.96; no active exploitation (KEV) or public POC has been identified at time of analysis, though the technical details are publicly accessible via Chromium issue tracker 495779613.
Sandbox escape in Google Chrome prior to 148.0.7778.96 on Linux, Mac, and ChromeOS allows remote attackers who have already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the printing subsystem. Despite the 8.3 CVSS score, Chromium rates this Low severity because exploitation requires a two-stage attack chain (initial renderer compromise followed by sandbox escape). Vendor patch released as Chrome 148.0.7778.96. No evidence of active exploitation or public POC identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.96 through a use-after-free vulnerability in the UI component. Attackers who have already compromised the renderer process can escape sandbox restrictions and execute arbitrary code by delivering a specially crafted HTML page requiring user interaction. Google has released patch version 148.0.7778.96. No active exploitation confirmed in CISA KEV at time of analysis, though the vulnerability requires prior renderer compromise which increases attack complexity beyond the CVSS AC:L rating suggests.
Remote code execution in Google Chrome's WebRTC implementation (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox through a malicious HTML page exploiting type confusion in WebRTC. Patch available via Chrome 148.0.7778.96. Requires user interaction (visiting crafted page) but no authentication. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability within sandbox constraints. No confirmed active exploitation or public POC identified at time of analysis.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free memory corruption vulnerability via a malicious HTML page. While sandboxed, successful exploitation achieves high confidentiality, integrity, and availability impact within the renderer process. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis. Vendor patch released as Chrome 148.0.7778.96.
Sandbox escape in Google Chrome's GPU component affects versions prior to 148.0.7778.96. An attacker who has already compromised the renderer process can escalate privileges to break out of Chrome's sandbox by exploiting a use-after-free memory corruption vulnerability via a specially crafted HTML page. This requires high attack complexity and user interaction (visiting a malicious page). No active exploitation confirmed at time of analysis, and vendor-released patch (version 148.0.7778.96) is available. EPSS data not provided, but the combination of network vector, changed scope (S:C in CVSS), and sandbox escape capability makes this a priority update for Chrome deployments despite Chromium's 'Medium' internal severity rating.
Remote code execution in Google Chrome's ReadingMode component (versions prior to 148.0.7778.96) allows attackers who have already compromised the renderer process to escape sandbox restrictions and execute arbitrary code on the underlying system. The vulnerability requires user interaction to visit a malicious webpage but exploitation complexity is low once renderer compromise is achieved. EPSS data not available; no CISA KEV listing identified at time of analysis, indicating no confirmed widespread exploitation. Vendor-released patch available in Chrome 148.0.7778.96.
Remote code execution in Google Chrome's WebAudio implementation (versions before 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox by exploiting a use-after-free vulnerability through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted page) but no authentication. Google has released Chrome 148.0.7778.96 to address this issue. EPSS data not available; no KEV listing or public POC identified at time of analysis, suggesting limited real-world exploitation observed despite the high CVSS score.
Remote code execution in Google Chrome versions prior to 148.0.7778.96 via malicious extension exploitation of use-after-free in Views component. Successful exploitation requires convincing a user to install a crafted Chrome extension, after which the attacker can execute arbitrary code with Chrome's privileges. Google has released Chrome 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not listed in CISA KEV) or public proof-of-concept code identified at time of analysis. CVSS 7.5 severity driven by high attack complexity and required user interaction, which moderates real-world exploitation risk despite potential for full system compromise.