Use After Free
Monthly
Denial-of-service in FreeRDP's camera redirection (rdpecam) client channel allows a malicious or compromised RDP server to crash connected clients running versions prior to 3.22.0. The capture thread continues sending sample responses through a channel callback that was already freed when the device channel closed, producing a use-after-free in ecam_channel_write. EPSS is low (0.02%), it is not on CISA KEV, and no public exploit identified at time of analysis, but an upstream fix and multiple distro advisories exist.
FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in audio format renegotiation that allows unauthenticated attackers to cause denial of service by triggering a crash through audio processing. The vulnerability occurs when the AUDIN format list is freed during renegotiation while the capture thread continues accessing the freed memory, affecting any system running vulnerable FreeRDP instances. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the libusb device interface selection code where error handling prematurely frees configuration data that subsequent code attempts to access, causing denial of service. This vulnerability affects systems using FreeRDP for remote desktop protocol operations and can be triggered remotely without authentication or user interaction. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition where the video_timer component sends notifications after the control channel closes, dereferencing freed memory and causing denial of service. An unauthenticated remote attacker can trigger this crash by manipulating RDP session timing, making the vulnerability exploitable with no user interaction required. A patch is available in FreeRDP 3.22.0 and later.
Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.5 MEDIUM]
UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.5 MEDIUM]
Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.0 MEDIUM]
Espressif IoT Development Framework versions 5.1.6-5.5.2 contain a use-after-free vulnerability in the BLE provisioning layer that allows remote attackers to trigger memory corruption when provisioning is stopped with keep_ble_on enabled. A connected BLE client can exploit freed GATT metadata through read/write callbacks to cause denial of service or potential code execution. Patches are available for all affected versions.
A use-after-free vulnerability in the Linux kernel's ALSA USB audio mixer can be triggered by local attackers with low privileges when mixer initialization fails, causing the kernel to access freed memory during sound card registration and potentially leading to information disclosure or denial of service. The flaw affects Linux systems with USB audio devices and remains unpatched, exploitable without user interaction after initial access to the system.
Linux kernel memory corruption via use-after-free (UAF) in virtual memory area (VMA) handling allows local attackers with user privileges to cause denial of service or potentially execute code by triggering incorrect VMA merges during mremap() operations on faulted and unfaulted memory regions. The vulnerability stems from improper handling of anonymous VMA merges when remapping memory adjacent to unfaulted pages. No patch is currently available for this high-severity issue affecting the Linux kernel.
A use-after-free vulnerability in the Linux kernel's teql qdisc implementation allows local attackers with low privileges to trigger memory corruption and cause denial of service or potential code execution by improperly nesting teql as a non-root qdisc when it is designed to operate only as a root qdisc. The flaw exists due to missing validation of qdisc constraints and currently has no available patch. This affects all Linux systems using the vulnerable kernel versions.
In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq).
Android's imgsys component contains a use-after-free vulnerability that allows privilege escalation when exploited by an attacker who already has system-level access. The flaw requires no user interaction and could enable a malicious actor to escalate their privileges further within the device. Currently, no patch is available to address this vulnerability.
A use-after-free vulnerability in Android's cameraisp component allows privilege escalation to local denial of service for attackers with system-level access, requiring no user interaction. The flaw enables malicious actors to manipulate memory safety boundaries and execute arbitrary actions within the camera service context. No patch is currently available for this vulnerability.
A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]
Heap use-after-free in Suricata prior to versions 8.0.3 and 7.0.14 can be triggered via integer overflow when processing packets that generate excessive alert conditions, allowing an attacker to crash the IDS/IPS engine or potentially achieve code execution. Affected deployments using large rulesets are at risk when processing malicious or crafted network traffic designed to trigger simultaneous signature matches. Patches are available for both affected versions.
Firefox versions prior to 147.0.2 contain a use-after-free vulnerability in the Layout: Scrolling and Overflow component that can be triggered by user interaction, allowing remote attackers to achieve code execution with high integrity and confidentiality impact. The vulnerability requires network access and user interaction but does not require authentication, making it exploitable through malicious web content. No patch is currently available for this vulnerability.
The Linux kernel's Octeon EP VF driver contains a use-after-free vulnerability in IRQ error handling where mismatched device IDs between request_irq() and free_irq() calls can leave IRQ handlers registered after their associated memory is freed. A local attacker with standard privileges can trigger an interrupt after the vulnerable ioq_vector structure is deallocated, causing a kernel crash or potential code execution. No patch is currently available.
A use-after-free vulnerability in Linux kernel DAMON subsystem allows local users with sysfs write permissions to trigger memory corruption by calling damon_call() against inactive contexts, causing dangling pointers in the call_controls list. An attacker could leverage this to achieve information disclosure or denial of service, though exploitation complexity is moderate due to permission requirements. The vulnerability currently lacks a patch and affects Linux kernel versions with the vulnerable DAMON code.
A use-after-free vulnerability in the Linux kernel's IPv6 address deletion function allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code or cause a denial of service. The flaw occurs when ipv6_del_addr() is called prematurely before temporary address flags are read, leaving a dangling pointer reference. No patch is currently available for this high-severity vulnerability affecting Linux systems.
A use-after-free vulnerability in the Linux kernel's macvlan driver allows local attackers with user privileges to cause memory corruption and potential privilege escalation through improper RCU synchronization in the macvlan_forward_source() function. The flaw stems from missing RCU protection when clearing vlan pointers during source entry deletion, enabling attackers to access freed memory structures. No patch is currently available for this HIGH severity vulnerability affecting Linux distributions.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. [CVSS 7.8 HIGH]
Write-after-free crash in GPU compiler process triggered by unusual GPU shader code loaded from the web. Browser vulnerability through WebGPU shader compilation.
Linux kernel ublk subsystem suffers from a use-after-free vulnerability in partition scan operations where a race condition between device teardown and asynchronous partition scanning allows local attackers with user privileges to access freed memory, potentially causing denial of service or information disclosure. The vulnerability stems from improper reference counting of disk objects during concurrent operations, affecting all Linux systems with the vulnerable ublk driver. A patch is available to resolve this issue by implementing proper disk reference management in the partition scan worker.
The Linux kernel NFSv4 grace period handler contains a use-after-free vulnerability in the v4_end_grace function that can be triggered by local attackers with unprivileged access, allowing them to read or modify sensitive kernel memory or cause a denial of service. The vulnerability arises from improper synchronization between the grace period shutdown logic and the NFSv4 client tracking mechanism, which can result in memory being accessed after it has been freed. A patch is available to add proper locking that prevents concurrent access to the vulnerable code path.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. [CVSS 7.8 HIGH]
ALGO 8180 has a use-after-free in SIP session handling (EPSS 1.1%) enabling remote code execution through crafted VoIP signaling sequences.
Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations ...
Heap corruption in Google Chrome's ANGLE graphics library prior to version 144.0.7559.59 can be triggered through a crafted HTML page, enabling remote attackers to execute arbitrary code without user interaction beyond visiting a malicious website. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, though no patch is currently available. With a CVSS score of 8.8 and minimal exploit complexity, this presents a significant risk to the browser's security model.
Denial of service and potential remote code execution affects FreeRDP RDP clients prior to version 3.21.0, where deleting an offscreen bitmap leaves the gdi->drawing pointer referencing freed memory and subsequent update packets trigger a use-after-free (CWE-416). A malicious or compromised RDP server can drive a connected client into the freed-memory access, reliably crashing it and potentially corrupting the heap for code execution depending on allocator state. Publicly available exploit code exists, though EPSS exploitation probability is low (0.17%, 38th percentile) and the issue is not listed in CISA KEV.
Client-side denial of service in the FreeRDP RDP client (X11 frontend) prior to version 3.21.0 lets a malicious or compromised RDP server crash the connecting client and potentially corrupt its heap. The flaw is a double-free of the cursor pixel buffer in xf_Pointer_New: on an allocation/setup failure the function frees cursorPixels, and a later pointer_free call invokes xf_Pointer_Free which frees the same buffer again (CWE-416 use-after-free/double-free). Publicly available exploit code exists and an EPSS of 0.17% indicates currently low probability of widespread exploitation; impact is rated availability-only (VA:H), though the description notes heap-corruption could escalate to code execution depending on allocator behavior.
Repeated telemetry collector subscriptions in Juniper Junos OS and Junos OS Evolved trigger a use-after-free vulnerability in the chassis daemon, allowing authenticated network attackers to crash critical processes and cause denial of service. Affected versions prior to 22.4R3-S8, 23.2R2-S5, and 23.4R2 are vulnerable when telemetry-capable daemons experience continuous sensor subscription cycles. No patch is currently available, leaving affected systems exposed until updates are released.
Juniper Junos OS and Junos OS Evolved contain a use-after-free vulnerability in the 802.1X authentication daemon that allows authenticated, network-adjacent attackers to crash the process or achieve arbitrary code execution as root by triggering specific port state changes. Exploitation requires precise timing of a change-of-authorization event during port transitions, making reliable exploitation difficult but possible. Systems with 802.1X port-based network access control enabled are affected, and no patch is currently available.
CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.
FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fixed in 3.20.1.
FreeRDP versions prior to 3.20.1 contain a race condition between the RDPGFX virtual channel and SDL rendering threads that enables heap use-after-free when graphics are reset. Public exploit code exists for this vulnerability, allowing attackers to crash the application or potentially execute code in industrial control systems and other environments using vulnerable FreeRDP implementations. A patch is not currently available, leaving affected systems exposed until an update is released.
FreeImage 3.18.0 has a use-after-free in the TARGA plugin's loadRLE function. Processing a malicious TGA file can lead to code execution. PoC available.
In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free().
Arbitrary code execution in Substance 3D Stager 3.1.5 and earlier stems from a use-after-free vulnerability that executes with the privileges of the current user. An attacker can exploit this by crafting a malicious file that triggers the vulnerability when opened by a victim, requiring user interaction to activate the attack. No patch is currently available for this vulnerability.
Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. [CVSS 7.0 HIGH]
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]
Privilege escalation in Windows Management Services via use-after-free memory corruption affects Windows 10, Windows 11, and Windows Server 2019, enabling authenticated local attackers to gain elevated system privileges. An authorized user can exploit this vulnerability through a race condition to execute arbitrary code with higher privileges. No patch is currently available for this vulnerability.
Privilege escalation in Windows Management Services affects Windows Server 2019, 2022 23h2, and 2025 through a use-after-free vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low privileges and manual user interaction to trigger, potentially giving attackers complete system control. No patch is currently available for this vulnerability.
Windows Win32K use-after-free vulnerability in ICOMP affects Windows 11 23h2 and Windows Server 2022 23h2, enabling authenticated local attackers to achieve privilege escalation with high impact on confidentiality, integrity, and availability. Currently no patch is available, and exploitation requires local access with user-level privileges.
Privilege escalation in Windows Management Services affects Windows 10 22h2, Windows Server 2022 23h2, and Windows 11 23h2 through a use-after-free memory flaw. An authenticated local attacker can exploit this vulnerability to gain elevated system privileges. Currently, no patch is available.
Local privilege escalation in Windows Desktop Window Manager (DWM) through use-after-free memory corruption affects Windows 10 22H2, Windows Server 2022, and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain system-level privileges with no user interaction required. No patch is currently available for this high-severity vulnerability.
Privilege escalation in Windows Win32K ICOMP component via use-after-free memory corruption affects Windows 11 (24h2, 25h2) and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain SYSTEM-level privileges with no user interaction required. Currently no patch is available and exploitation requires local access with user-level permissions.
Privilege escalation in Windows Management Services affects Windows 11 24H2, Windows Server 2022, and 2025 through a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The vulnerability requires local access and manual user interaction is not required, making it exploitable by any authorized account on the system. Currently no patch is available to remediate this issue.
Kernel-mode driver use-after-free vulnerabilities in Windows 11 24H2 and Windows Server 2025 enable authenticated local attackers to achieve privilege escalation. An attacker with standard user privileges can exploit memory corruption in kernel drivers to gain SYSTEM-level access without user interaction. No patch is currently available.
Privilege escalation in Windows Management Services affects Windows 10, Windows 11, and Windows Server 2022 through a use-after-free memory vulnerability. An authenticated local attacker can exploit this flaw to gain elevated system privileges. Currently no patch is available and exploitation requires specific conditions to trigger.
Remote code execution in Windows LSASS (Local Security Authority Subsystem Service) on Windows 11 and Windows Server 2025 stems from a use-after-free memory vulnerability exploitable by authenticated attackers over the network. An attacker with valid credentials can trigger the flaw to execute arbitrary code with SYSTEM privileges, achieving complete system compromise. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a security update.
Windows Clipboard Server contains a use-after-free vulnerability affecting Windows 10 (versions 21H2 and 1809) and Windows Server 2022 (23H2) that enables local privilege escalation without requiring user interaction. An attacker with local access can exploit this memory safety flaw to gain elevated system privileges. No patch is currently available for this vulnerability.
Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Privilege escalation in Microsoft Graphics Component on Windows 11 25h2 and Windows Server 2019 exploits a use-after-free condition, enabling authenticated local attackers to gain elevated system privileges. The vulnerability requires moderate complexity to exploit and affects confidentiality, integrity, and availability of affected systems. No patch is currently available.
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. [CVSS 7.8 HIGH]
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. [CVSS 8.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock.
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability.
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors.
In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad.
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots.
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list.
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1].
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device.
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown.
In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ------------[ cut here ]------------ refcount_t: underflow; use-after-free.
Memory corruption in Firefox and Thunderbird's JavaScript garbage collection engine allows remote attackers to crash the application or potentially leak sensitive information without user interaction. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, with no patch currently available.
Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.
A use-after-free vulnerability in the IPC component of Firefox (versions below 147 and ESR versions below 115.32/140.7) and Thunderbird (versions below 147 and 140.7) enables remote code execution when users interact with malicious content. The flaw requires user interaction and network access, allowing attackers to achieve full system compromise with high integrity and confidentiality impact. No patch is currently available for this vulnerability.
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. [CVSS 6.8 MEDIUM]
Arbitrary code execution in the Android PROCA driver before the January 2026 security update results from a use-after-free vulnerability accessible to local attackers with basic privileges. An attacker with local access can exploit this memory safety flaw to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity vulnerability.
Arbitrary code execution in Android's DualDAR component prior to the January 2026 security patch stems from a use-after-free memory vulnerability that can be exploited by local attackers with elevated privileges. An attacker with high-level device access could leverage this flaw to execute arbitrary code with system-level permissions. No patch is currently available, leaving affected devices vulnerable until the SMR January 2026 Release 1 update is deployed.
processing of DCE/RPC requests contains a vulnerability that allows attackers to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of (CVSS 5.8).
iccDEV versions 2.3.1.1 and earlier are vulnerable to use-after-free, heap buffer overflow, and integer overflow flaws in the CIccSparseMatrix function, allowing local attackers with user interaction to achieve arbitrary code execution. The vulnerability affects all systems using vulnerable iccDEV libraries for ICC color profile processing and is resolved in version 2.3.1.2.
iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint objects. Processing a malicious ICC profile can lead to code execution. PoC available, fixed in 2.3.1.1.
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
Denial-of-service in FreeRDP's camera redirection (rdpecam) client channel allows a malicious or compromised RDP server to crash connected clients running versions prior to 3.22.0. The capture thread continues sending sample responses through a channel callback that was already freed when the device channel closed, producing a use-after-free in ecam_channel_write. EPSS is low (0.02%), it is not on CISA KEV, and no public exploit identified at time of analysis, but an upstream fix and multiple distro advisories exist.
FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in audio format renegotiation that allows unauthenticated attackers to cause denial of service by triggering a crash through audio processing. The vulnerability occurs when the AUDIN format list is freed during renegotiation while the capture thread continues accessing the freed memory, affecting any system running vulnerable FreeRDP instances. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 contain a use-after-free vulnerability in the libusb device interface selection code where error handling prematurely frees configuration data that subsequent code attempts to access, causing denial of service. This vulnerability affects systems using FreeRDP for remote desktop protocol operations and can be triggered remotely without authentication or user interaction. A patch is available in version 3.22.0 and later.
FreeRDP versions prior to 3.22.0 are vulnerable to a use-after-free condition where the video_timer component sends notifications after the control channel closes, dereferencing freed memory and causing denial of service. An unauthenticated remote attacker can trigger this crash by manipulating RDP session timing, making the vulnerability exploitable with no user interaction required. A patch is available in FreeRDP 3.22.0 and later.
Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.5 MEDIUM]
UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.5 MEDIUM]
Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.0 MEDIUM]
Espressif IoT Development Framework versions 5.1.6-5.5.2 contain a use-after-free vulnerability in the BLE provisioning layer that allows remote attackers to trigger memory corruption when provisioning is stopped with keep_ble_on enabled. A connected BLE client can exploit freed GATT metadata through read/write callbacks to cause denial of service or potential code execution. Patches are available for all affected versions.
A use-after-free vulnerability in the Linux kernel's ALSA USB audio mixer can be triggered by local attackers with low privileges when mixer initialization fails, causing the kernel to access freed memory during sound card registration and potentially leading to information disclosure or denial of service. The flaw affects Linux systems with USB audio devices and remains unpatched, exploitable without user interaction after initial access to the system.
Linux kernel memory corruption via use-after-free (UAF) in virtual memory area (VMA) handling allows local attackers with user privileges to cause denial of service or potentially execute code by triggering incorrect VMA merges during mremap() operations on faulted and unfaulted memory regions. The vulnerability stems from improper handling of anonymous VMA merges when remapping memory adjacent to unfaulted pages. No patch is currently available for this high-severity issue affecting the Linux kernel.
A use-after-free vulnerability in the Linux kernel's teql qdisc implementation allows local attackers with low privileges to trigger memory corruption and cause denial of service or potential code execution by improperly nesting teql as a non-root qdisc when it is designed to operate only as a root qdisc. The flaw exists due to missing validation of qdisc constraints and currently has no available patch. This affects all Linux systems using the vulnerable kernel versions.
In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq).
Android's imgsys component contains a use-after-free vulnerability that allows privilege escalation when exploited by an attacker who already has system-level access. The flaw requires no user interaction and could enable a malicious actor to escalate their privileges further within the device. Currently, no patch is available to address this vulnerability.
A use-after-free vulnerability in Android's cameraisp component allows privilege escalation to local denial of service for attackers with system-level access, requiring no user interaction. The flaw enables malicious actors to manipulate memory safety boundaries and execute arbitrary actions within the camera service context. No patch is currently available for this vulnerability.
A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. [CVSS 7.5 HIGH]
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]
Heap use-after-free in Suricata prior to versions 8.0.3 and 7.0.14 can be triggered via integer overflow when processing packets that generate excessive alert conditions, allowing an attacker to crash the IDS/IPS engine or potentially achieve code execution. Affected deployments using large rulesets are at risk when processing malicious or crafted network traffic designed to trigger simultaneous signature matches. Patches are available for both affected versions.
Firefox versions prior to 147.0.2 contain a use-after-free vulnerability in the Layout: Scrolling and Overflow component that can be triggered by user interaction, allowing remote attackers to achieve code execution with high integrity and confidentiality impact. The vulnerability requires network access and user interaction but does not require authentication, making it exploitable through malicious web content. No patch is currently available for this vulnerability.
The Linux kernel's Octeon EP VF driver contains a use-after-free vulnerability in IRQ error handling where mismatched device IDs between request_irq() and free_irq() calls can leave IRQ handlers registered after their associated memory is freed. A local attacker with standard privileges can trigger an interrupt after the vulnerable ioq_vector structure is deallocated, causing a kernel crash or potential code execution. No patch is currently available.
A use-after-free vulnerability in Linux kernel DAMON subsystem allows local users with sysfs write permissions to trigger memory corruption by calling damon_call() against inactive contexts, causing dangling pointers in the call_controls list. An attacker could leverage this to achieve information disclosure or denial of service, though exploitation complexity is moderate due to permission requirements. The vulnerability currently lacks a patch and affects Linux kernel versions with the vulnerable DAMON code.
A use-after-free vulnerability in the Linux kernel's IPv6 address deletion function allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code or cause a denial of service. The flaw occurs when ipv6_del_addr() is called prematurely before temporary address flags are read, leaving a dangling pointer reference. No patch is currently available for this high-severity vulnerability affecting Linux systems.
A use-after-free vulnerability in the Linux kernel's macvlan driver allows local attackers with user privileges to cause memory corruption and potential privilege escalation through improper RCU synchronization in the macvlan_forward_source() function. The flaw stems from missing RCU protection when clearing vlan pointers during source entry deletion, enabling attackers to access freed memory structures. No patch is currently available for this HIGH severity vulnerability affecting Linux distributions.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. [CVSS 7.8 HIGH]
Write-after-free crash in GPU compiler process triggered by unusual GPU shader code loaded from the web. Browser vulnerability through WebGPU shader compilation.
Linux kernel ublk subsystem suffers from a use-after-free vulnerability in partition scan operations where a race condition between device teardown and asynchronous partition scanning allows local attackers with user privileges to access freed memory, potentially causing denial of service or information disclosure. The vulnerability stems from improper reference counting of disk objects during concurrent operations, affecting all Linux systems with the vulnerable ublk driver. A patch is available to resolve this issue by implementing proper disk reference management in the partition scan worker.
The Linux kernel NFSv4 grace period handler contains a use-after-free vulnerability in the v4_end_grace function that can be triggered by local attackers with unprivileged access, allowing them to read or modify sensitive kernel memory or cause a denial of service. The vulnerability arises from improper synchronization between the grace period shutdown logic and the NFSv4 client tracking mechanism, which can result in memory being accessed after it has been freed. A patch is available to add proper locking that prevents concurrent access to the vulnerable code path.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. [CVSS 7.8 HIGH]
ALGO 8180 has a use-after-free in SIP session handling (EPSS 1.1%) enabling remote code execution through crafted VoIP signaling sequences.
Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations ...
Heap corruption in Google Chrome's ANGLE graphics library prior to version 144.0.7559.59 can be triggered through a crafted HTML page, enabling remote attackers to execute arbitrary code without user interaction beyond visiting a malicious website. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, though no patch is currently available. With a CVSS score of 8.8 and minimal exploit complexity, this presents a significant risk to the browser's security model.
Denial of service and potential remote code execution affects FreeRDP RDP clients prior to version 3.21.0, where deleting an offscreen bitmap leaves the gdi->drawing pointer referencing freed memory and subsequent update packets trigger a use-after-free (CWE-416). A malicious or compromised RDP server can drive a connected client into the freed-memory access, reliably crashing it and potentially corrupting the heap for code execution depending on allocator state. Publicly available exploit code exists, though EPSS exploitation probability is low (0.17%, 38th percentile) and the issue is not listed in CISA KEV.
Client-side denial of service in the FreeRDP RDP client (X11 frontend) prior to version 3.21.0 lets a malicious or compromised RDP server crash the connecting client and potentially corrupt its heap. The flaw is a double-free of the cursor pixel buffer in xf_Pointer_New: on an allocation/setup failure the function frees cursorPixels, and a later pointer_free call invokes xf_Pointer_Free which frees the same buffer again (CWE-416 use-after-free/double-free). Publicly available exploit code exists and an EPSS of 0.17% indicates currently low probability of widespread exploitation; impact is rated availability-only (VA:H), though the description notes heap-corruption could escalate to code execution depending on allocator behavior.
Repeated telemetry collector subscriptions in Juniper Junos OS and Junos OS Evolved trigger a use-after-free vulnerability in the chassis daemon, allowing authenticated network attackers to crash critical processes and cause denial of service. Affected versions prior to 22.4R3-S8, 23.2R2-S5, and 23.4R2 are vulnerable when telemetry-capable daemons experience continuous sensor subscription cycles. No patch is currently available, leaving affected systems exposed until updates are released.
Juniper Junos OS and Junos OS Evolved contain a use-after-free vulnerability in the 802.1X authentication daemon that allows authenticated, network-adjacent attackers to crash the process or achieve arbitrary code execution as root by triggering specific port state changes. Exploitation requires precise timing of a change-of-authorization event during port transitions, making reliable exploitation difficult but possible. Systems with 802.1X port-based network access control enabled are affected, and no patch is currently available.
CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody.
FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fixed in 3.20.1.
FreeRDP versions prior to 3.20.1 contain a race condition between the RDPGFX virtual channel and SDL rendering threads that enables heap use-after-free when graphics are reset. Public exploit code exists for this vulnerability, allowing attackers to crash the application or potentially execute code in industrial control systems and other environments using vulnerable FreeRDP implementations. A patch is not currently available, leaving affected systems exposed until an update is released.
FreeImage 3.18.0 has a use-after-free in the TARGA plugin's loadRLE function. Processing a malicious TGA file can lead to code execution. PoC available.
In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free().
Arbitrary code execution in Substance 3D Stager 3.1.5 and earlier stems from a use-after-free vulnerability that executes with the privileges of the current user. An attacker can exploit this by crafting a malicious file that triggers the vulnerability when opened by a victim, requiring user interaction to activate the attack. No patch is currently available for this vulnerability.
Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. [CVSS 7.0 HIGH]
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]
Privilege escalation in Windows Management Services via use-after-free memory corruption affects Windows 10, Windows 11, and Windows Server 2019, enabling authenticated local attackers to gain elevated system privileges. An authorized user can exploit this vulnerability through a race condition to execute arbitrary code with higher privileges. No patch is currently available for this vulnerability.
Privilege escalation in Windows Management Services affects Windows Server 2019, 2022 23h2, and 2025 through a use-after-free vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low privileges and manual user interaction to trigger, potentially giving attackers complete system control. No patch is currently available for this vulnerability.
Windows Win32K use-after-free vulnerability in ICOMP affects Windows 11 23h2 and Windows Server 2022 23h2, enabling authenticated local attackers to achieve privilege escalation with high impact on confidentiality, integrity, and availability. Currently no patch is available, and exploitation requires local access with user-level privileges.
Privilege escalation in Windows Management Services affects Windows 10 22h2, Windows Server 2022 23h2, and Windows 11 23h2 through a use-after-free memory flaw. An authenticated local attacker can exploit this vulnerability to gain elevated system privileges. Currently, no patch is available.
Local privilege escalation in Windows Desktop Window Manager (DWM) through use-after-free memory corruption affects Windows 10 22H2, Windows Server 2022, and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain system-level privileges with no user interaction required. No patch is currently available for this high-severity vulnerability.
Privilege escalation in Windows Win32K ICOMP component via use-after-free memory corruption affects Windows 11 (24h2, 25h2) and Windows Server 2025. An authenticated local attacker can exploit this vulnerability to gain SYSTEM-level privileges with no user interaction required. Currently no patch is available and exploitation requires local access with user-level permissions.
Privilege escalation in Windows Management Services affects Windows 11 24H2, Windows Server 2022, and 2025 through a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The vulnerability requires local access and manual user interaction is not required, making it exploitable by any authorized account on the system. Currently no patch is available to remediate this issue.
Kernel-mode driver use-after-free vulnerabilities in Windows 11 24H2 and Windows Server 2025 enable authenticated local attackers to achieve privilege escalation. An attacker with standard user privileges can exploit memory corruption in kernel drivers to gain SYSTEM-level access without user interaction. No patch is currently available.
Privilege escalation in Windows Management Services affects Windows 10, Windows 11, and Windows Server 2022 through a use-after-free memory vulnerability. An authenticated local attacker can exploit this flaw to gain elevated system privileges. Currently no patch is available and exploitation requires specific conditions to trigger.
Remote code execution in Windows LSASS (Local Security Authority Subsystem Service) on Windows 11 and Windows Server 2025 stems from a use-after-free memory vulnerability exploitable by authenticated attackers over the network. An attacker with valid credentials can trigger the flaw to execute arbitrary code with SYSTEM privileges, achieving complete system compromise. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a security update.
Windows Clipboard Server contains a use-after-free vulnerability affecting Windows 10 (versions 21H2 and 1809) and Windows Server 2022 (23H2) that enables local privilege escalation without requiring user interaction. An attacker with local access can exploit this memory safety flaw to gain elevated system privileges. No patch is currently available for this vulnerability.
Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Privilege escalation in Microsoft Graphics Component on Windows 11 25h2 and Windows Server 2019 exploits a use-after-free condition, enabling authenticated local attackers to gain elevated system privileges. The vulnerability requires moderate complexity to exploit and affects confidentiality, integrity, and availability of affected systems. No patch is currently available.
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. [CVSS 7.8 HIGH]
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. [CVSS 8.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock.
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability.
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors.
In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad.
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots.
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list.
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1].
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device.
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown.
In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1.
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ------------[ cut here ]------------ refcount_t: underflow; use-after-free.
Memory corruption in Firefox and Thunderbird's JavaScript garbage collection engine allows remote attackers to crash the application or potentially leak sensitive information without user interaction. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, with no patch currently available.
Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.
A use-after-free vulnerability in the IPC component of Firefox (versions below 147 and ESR versions below 115.32/140.7) and Thunderbird (versions below 147 and 140.7) enables remote code execution when users interact with malicious content. The flaw requires user interaction and network access, allowing attackers to achieve full system compromise with high integrity and confidentiality impact. No patch is currently available for this vulnerability.
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. [CVSS 6.8 MEDIUM]
Arbitrary code execution in the Android PROCA driver before the January 2026 security update results from a use-after-free vulnerability accessible to local attackers with basic privileges. An attacker with local access can exploit this memory safety flaw to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity vulnerability.
Arbitrary code execution in Android's DualDAR component prior to the January 2026 security patch stems from a use-after-free memory vulnerability that can be exploited by local attackers with elevated privileges. An attacker with high-level device access could leverage this flaw to execute arbitrary code with system-level permissions. No patch is currently available, leaving affected devices vulnerable until the SMR January 2026 Release 1 update is deployed.
processing of DCE/RPC requests contains a vulnerability that allows attackers to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of (CVSS 5.8).
iccDEV versions 2.3.1.1 and earlier are vulnerable to use-after-free, heap buffer overflow, and integer overflow flaws in the CIccSparseMatrix function, allowing local attackers with user interaction to achieve arbitrary code execution. The vulnerability affects all systems using vulnerable iccDEV libraries for ICC color profile processing and is resolved in version 2.3.1.2.
iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint objects. Processing a malicious ICC profile can lead to code execution. PoC available, fixed in 2.3.1.1.
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]