Use After Free
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.
PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.
Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.
A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.
Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.
Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.
Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.
Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
SAMtools mpileup command contains a use-after-free vulnerability in reference data management that can leak sensitive program state information or trigger application crashes when processing aligned DNA sequences. The vulnerability affects versions prior to 1.2 and requires no authentication or user interaction to exploit, though a patch is not yet available. An attacker could leverage this to obtain information disclosure or cause denial of service against systems processing bioinformatics data with vulnerable SAMtools versions.
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read permissions execute malicious $lookup or $graphLookup aggregation pipeline operations. An attacker can exploit this vulnerability to achieve high-impact outcomes including information disclosure, data manipulation, and denial of service. No patch is currently available for this vulnerability.
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available() function caused by a race condition between the MAVLink receiver and telemetry sender threads. Remote attackers can trigger this vulnerability by sending crafted SERIAL_CONTROL messages (ID 126) via MAVLink, leading to denial of service of the flight control system. The vulnerability affects drone operators and systems accepting MAVLink telemetry from untrusted ground stations or networks.
Use-after-free in WebView in Google Chrome on Android, versions up to 146.0.7680.71 (CVSS 8.8).
Use-after-free in WindowDialog in Google Chrome, versions up to 146.0.7680.71 (CVSS 7.5).
Use-after-free in WebMIDI in Google Chrome, versions up to 146.0.7680.71 (CVSS 8.8).
Use-after-free in MediaStream in Google Chrome, versions up to 146.0.7680.71 (CVSS 8.8).
Use-after-free in TextEncoding in Google Chrome, versions up to 146.0.7680.71 (CVSS 8.8).
Use-after-free in Extensions in Google Chrome, versions up to 146.0.7680.71 (CVSS 8.8).
Use-after-free in WebMCP in Google Chrome, versions up to 146.0.7680.71 (CVSS 8.8).
Use-after-free in Agents in Google Chrome, versions up to 146.0.7680.71 (CVSS 8.8).
Curl's SMB implementation contains a use-after-free vulnerability that causes denial of service when processing consecutive requests to the same host, as the library incorrectly dereferences freed memory on subsequent connections. Public exploit code exists for this vulnerability affecting Curl installations. An attacker can crash Curl-based applications or services by triggering multiple SMB requests, though remote code execution is not possible due to the nature of the memory corruption.
Arbitrary code execution in Adobe Acrobat and Acrobat Reader versions 24.001.30307 and earlier stems from a use-after-free memory vulnerability triggered when users open specially crafted files. An attacker can achieve code execution with the privileges of the current user, though exploitation requires victim interaction. No patch is currently available for affected versions.
Arbitrary code execution in Adobe Acrobat Reader and Acrobat (versions 24.001.30307 and earlier) via a use-after-free vulnerability requires victims to open a malicious file. Local attackers can exploit this to execute code with the privileges of the current user. No patch is currently available.
Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.
Envoy proxy versions before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 contain a use-after-free vulnerability in the HTTP connection manager that allows attackers to trigger denial of service by sending data frames on streams after they have been reset. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables filter callbacks to execute on logically cleaned-up streams, potentially causing service disruption or state corruption.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through a use-after-free memory vulnerability that triggers when users open specially crafted malicious files. An attacker can exploit this to execute code with the privileges of the affected user, though no patch is currently available to remediate the issue.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier stems from a use-after-free vulnerability that executes with the privileges of the current user. An attacker can exploit this by crafting a malicious file that, when opened by a victim, triggers memory corruption and code execution. No patch is currently available for this high-severity vulnerability.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions up to 2.3.1.5 are affected by a use-after-free (CVSS 7.8).
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]
Privilege escalation in Windows DWM Core Library affects Windows 10 versions 21H2 and 1809 through a use-after-free memory corruption vulnerability that allows authenticated local attackers to gain system-level privileges. The vulnerability requires local access and valid user credentials but no user interaction, creating a significant risk for multi-user systems. No patch is currently available.
Windows Ancillary Function Driver for WinSock (AFD) in Windows 11 versions 24H2 and 26H1 contains a use-after-free vulnerability (CWE-416) that allows authenticated local attackers to escalate privileges through memory corruption. An attacker with local access could exploit this flaw to gain elevated system permissions, though no official patch is currently available.
Privilege escalation in Windows Authentication Methods (Windows 10 22H2, Windows 11 26H1) stems from a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low user privileges and manual interaction but provides complete system compromise through code execution. No patch is currently available for this high-severity vulnerability.
Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Privilege escalation in Microsoft's Brokering File System on Windows 11 (24H2 and 25H2) stems from a use-after-free vulnerability that allows local attackers to gain elevated system privileges. An attacker with local access can exploit memory corruption to execute arbitrary code with higher privileges, potentially compromising system integrity. No patch is currently available for this vulnerability.
Privilege escalation in Windows Connected Devices Platform Service (Cdpsvc) exploits a use-after-free memory vulnerability, affecting Windows 10 22H2 and Windows 11 (25H2, 26H1). An authenticated local attacker can leverage this flaw to gain system-level privileges on vulnerable systems. No patch is currently available for this high-severity vulnerability.
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]
Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Remote code execution in Microsoft Windows Print Spooler Components via use-after-free memory corruption enables authenticated network attackers to execute arbitrary code with high privileges. The vulnerability requires valid credentials but no user interaction, presenting a significant risk to organizations where print services are accessible to untrusted internal or remote users. No patch is currently available.
Use after free in Broadcast DVR allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 contain a heap-use-after-free vulnerability in the MSL encoder that can be triggered by local attackers to cause denial of service through double-free conditions on cloned images. The vulnerability requires local access with no special privileges or user interaction, resulting in application crashes or potential memory corruption. No patch is currently available for affected versions.
Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.
PJSIP versions prior to 2.17 contain a heap use-after-free vulnerability in the event subscription framework that can be triggered through presence unsubscription requests, allowing remote attackers without authentication to cause denial of service. The vulnerability resides in the evsub.c component and is exploitable over the network with no user interaction required. A patch is available in version 2.17 and later.
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privile...
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. [CVSS 5.3 MEDIUM]
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.
The ARM SMMU v3 driver in Android contains a use-after-free vulnerability in the smmu_detach_dev function that could allow a local privileged attacker to execute arbitrary code with system privileges. An attacker with high-level system access can trigger an out-of-bounds write to escalate privileges without requiring user interaction. A patch is available to address this issue.
In multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.0 HIGH]
Local privilege escalation in Android's display subsystem exploits a use-after-free memory corruption vulnerability to elevate from system-level privileges, requiring no user interaction. An attacker with pre-existing system access can trigger the memory corruption to gain complete control over the affected device. No patch is currently available to remediate this issue.
Android's display subsystem crashes due to a use-after-free memory error that allows a privileged local attacker to trigger a denial of service without user interaction. Exploitation requires pre-existing system-level access, limiting impact to scenarios where an attacker has already compromised the device at the highest privilege level. No patch is currently available for this vulnerability.
Android's imgsys component is vulnerable to a use-after-free condition that enables local denial of service attacks. Exploitation requires system-level privileges and causes immediate system crashes without user interaction. No patch is currently available for this vulnerability.
Android MAE component is vulnerable to a use-after-free condition that can trigger a system crash, resulting in denial of service for devices where an attacker has already obtained system-level privileges. No user interaction is required for exploitation. Currently, no patch is available for this vulnerability.
FreeRDP versions prior to 3.23.0 contain an incomplete fix for a heap-use-after-free vulnerability that affects only the SDL2 code path, where freed memory pointers are not properly nulled, allowing an unauthenticated attacker to trigger a denial of service condition. Users running FreeRDP with SDL2 backends remain vulnerable despite the advisory claiming the issue was resolved. Upgrade to version 3.23.0 or later to obtain the complete fix.
Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth FreeRDP UAF. PoC and patch available.
Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available.
A use-after-free vulnerability in Firefox and Thunderbird's JavaScript WebAssembly engine allows remote attackers to achieve information disclosure or data manipulation through a malicious webpage or email attachment that requires user interaction. Affected versions include Firefox below 148 and Thunderbird below 148, with no patch currently available. The vulnerability has a network attack vector with low complexity and carries a CVSS score of 5.4.
Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.
A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.
Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.
Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.
Use-after-free in Firefox ImageLib graphics component before 148. Image processing triggers use of freed memory.
Use-after-free in Firefox DOM Window and Location component before 148. Window/Location lifecycle management error.
Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.
Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.
Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.
A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.
Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.
Use-after-free in Firefox JavaScript JIT compiler before 148. Second JIT-related UAF in this release, different from CVE-2026-2764.
Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.
JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.
Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.
Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to a heap-use-after-free condition when processing specially crafted MSL scripts, allowing unauthenticated remote attackers to cause denial of service. The vulnerability occurs when the operation element handler frees image data while the parser continues accessing it, leading to memory corruption during subsequent parsing operations. No patch is currently available for affected versions.
A vulnerability was detected in CCExtractor versions up to 0.96.5, which are affected by a buffer overflow (CVSS 3.3).
Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. [CVSS 4.7 MEDIUM]
PJSIP versions before 2.17 contain a use-after-free vulnerability in the H.264 packetizer that allows local attackers with user privileges to cause denial of service through malformed H.264 bitstreams lacking proper NAL unit markers. The flaw stems from inadequate pointer validation during packet processing, enabling out-of-bounds memory access that crashes the application. A patch is available in version 2.17 and later.
A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. [CVSS 3.3 LOW]
The Exynos Virtual Display driver in the Linux kernel lacks proper synchronization when allocating and freeing memory structures, enabling use-after-free conditions through race conditions between concurrent operations. A local attacker with unprivileged access can exploit this vulnerability to cause memory corruption or achieve information disclosure by manipulating display connector operations. No patch is currently available for this high-severity vulnerability affecting Linux systems with Samsung Exynos graphics hardware.
The Linux kernel ksmbd subsystem contains a use-after-free vulnerability in multi-channel session handling due to missing synchronization on the ksmbd_chann_list xarray, allowing a local attacker with user privileges to cause memory corruption and potentially execute arbitrary code. The vulnerability affects the channel lookup and deletion operations between multiple concurrent sessions. A patch is available to add proper locking mechanisms to protect xarray access.
The Linux kernel erofs file system contains a use-after-free vulnerability in direct I/O file-backed mount operations that allows local attackers with user privileges to cause memory corruption and potentially achieve code execution or denial of service. The vulnerability occurs when accessing files through the directio option, where freed memory is subsequently accessed during I/O operations. A patch is not currently available, making this a critical concern for systems running affected Linux kernel versions.
Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.
The Linux kernel's fsl-mc bus driver contains a use-after-free vulnerability in the driver_override_show() function that reads device configuration without proper locking, allowing a local privileged user to trigger memory corruption by concurrently modifying the same data. This vulnerability affects Linux systems running vulnerable kernel versions and could enable local denial of service or potential privilege escalation through heap memory manipulation. No patch is currently available for this issue.
A flaw has been found in ChaiScript up to 6.1.0. This affects the function chaiscript::Type_Info::bare_equal of the file include/chaiscript/dispatchkit/type_info.hpp. [CVSS 2.5 LOW]
Sandboxed code execution in Google Chrome's WebGPU implementation (prior to 146.0.7680.165) stems from a use-after-free memory vulnerability that can be triggered via malicious HTML pages. An unauthenticated remote attacker can exploit this to execute arbitrary code within the Chrome sandbox without user interaction beyond viewing a crafted webpage. A patch is available for affected users.
Sandbox escape in Google Chrome prior to version 146.0.7680.165 via a use-after-free vulnerability in the Dawn graphics component enables remote attackers to execute arbitrary code when users visit malicious HTML pages. The vulnerability affects multiple platforms including Debian systems and requires only user interaction to trigger, bypassing Chrome's sandbox isolation. A patch is available to remediate this high-severity memory corruption flaw.
XnSoft NConvert version 7.230 contains a Use-After-Free vulnerability triggered by processing specially crafted TIFF files, which can lead to information disclosure and potential code execution. The vulnerability affects NConvert image conversion software and has been publicly documented with proof-of-concept code available on GitHub. An attacker can exploit this by providing a malicious TIFF file to an NConvert user or service, potentially causing a crash or unauthorized memory access.
libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.
PJSIP versions 2.16 and earlier contain a heap use-after-free vulnerability in ICE session handling caused by race conditions between session destruction and callback execution, enabling memory corruption and potential code execution. This flaw affects all systems using vulnerable PJSIP versions for multimedia communication and currently has no available patch. With a CVSS score of 8.1, the vulnerability is remotely exploitable without authentication or user interaction.
Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.
A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.
Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.
Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.
Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.
Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
SAMtools mpileup command contains a use-after-free vulnerability in reference data management that can leak sensitive program state information or trigger application crashes when processing aligned DNA sequences. The vulnerability affects versions prior to 1.2 and requires no authentication or user interaction to exploit, though a patch is not yet available. An attacker could leverage this to obtain information disclosure or cause denial of service against systems processing bioinformatics data with vulnerable SAMtools versions.
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read permissions execute malicious $lookup or $graphLookup aggregation pipeline operations. An attacker can exploit this vulnerability to achieve high-impact outcomes including information disclosure, data manipulation, and denial of service. No patch is currently available for this vulnerability.
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available() function caused by a race condition between the MAVLink receiver and telemetry sender threads. Remote attackers can trigger this vulnerability by sending crafted SERIAL_CONTROL messages (ID 126) via MAVLink, leading to denial of service of the flight control system. The vulnerability affects drone operators and systems accepting MAVLink telemetry from untrusted ground stations or networks.
Use after free in WebView in Google Chrome on Android affects versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in WindowDialog in Google Chrome affects versions up to 146.0.7680.71 (CVSS 7.5).
Use after free in WebMIDI in Google Chrome affects versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in MediaStream in Google Chrome affects versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in TextEncoding in Google Chrome affects versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in Extensions in Google Chrome affects versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in WebMCP in Google Chrome affects versions up to 146.0.7680.71 (CVSS 8.8).
Use after free in Agents in Google Chrome affects versions up to 146.0.7680.71 (CVSS 8.8).
Curl's SMB implementation contains a use-after-free vulnerability that causes denial of service when processing consecutive requests to the same host, as the library incorrectly dereferences freed memory on subsequent connections. Public exploit code exists for this vulnerability affecting Curl installations. An attacker can crash Curl-based applications or services by triggering multiple SMB requests, though remote code execution is not possible due to the nature of the memory corruption.
Arbitrary code execution in Adobe Acrobat and Acrobat Reader versions 24.001.30307 and earlier stems from a use-after-free memory vulnerability triggered when users open specially crafted files. An attacker can achieve code execution with the privileges of the current user, though exploitation requires victim interaction. No patch is currently available for affected versions.
Arbitrary code execution in Adobe Acrobat Reader and Acrobat (versions 24.001.30307 and earlier) via a use-after-free vulnerability requires victims to open a malicious file. Local attackers can exploit this to execute code with the privileges of the current user. No patch is currently available.
Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.
Envoy proxy versions before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 contain a use-after-free vulnerability in the HTTP connection manager that allows attackers to trigger denial of service by sending data frames on streams after they have been reset. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables filter callbacks to execute on logically cleaned-up streams, potentially causing service disruption or state corruption.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through a use-after-free memory vulnerability that triggers when users open specially crafted malicious files. An attacker can exploit this to execute code with the privileges of the affected user, though no patch is currently available to remediate the issue.
Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier stems from a use-after-free vulnerability that executes with the privileges of the current user. An attacker can exploit this by crafting a malicious file that, when opened by a victim, triggers memory corruption and code execution. No patch is currently available for this high-severity vulnerability.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions up to 2.3.1.5 are affected by a use after free (CVSS 7.8).
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]
Privilege escalation in Windows DWM Core Library affects Windows 10 versions 21H2 and 1809 through a use-after-free memory corruption vulnerability that allows authenticated local attackers to gain system-level privileges. The vulnerability requires local access and valid user credentials but no user interaction, creating a significant risk for multi-user systems. No patch is currently available.
Windows Ancillary Function Driver for WinSock (AFD) in Windows 11 versions 24h2 and 26h1 contains a use-after-free vulnerability (CWE-416) that allows authenticated local attackers to escalate privileges through memory corruption. An attacker with local access could exploit this flaw to gain elevated system permissions, though no official patch is currently available.
Privilege escalation in Windows Authentication Methods (Windows 10 22H2, Windows 11 26H1) stems from a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low user privileges and manual interaction but provides complete system compromise through code execution. No patch is currently available for this high-severity vulnerability.
Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Privilege escalation in Microsoft's Brokering File System on Windows 11 (24h2 and 25h2) stems from a use-after-free vulnerability that allows local attackers to gain elevated system privileges. An attacker with local access can exploit memory corruption to execute arbitrary code with higher privileges, potentially compromising system integrity. No patch is currently available for this vulnerability.
Privilege escalation in Windows Connected Devices Platform Service (Cdpsvc) exploits a use-after-free memory vulnerability, affecting Windows 10 22h2 and Windows 11 (25h2, 26h1). An authenticated local attacker can leverage this flaw to gain system-level privileges on vulnerable systems. No patch is currently available for this high-severity vulnerability.
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]
Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Remote code execution in Microsoft Windows Print Spooler Components via use-after-free memory corruption enables authenticated network attackers to execute arbitrary code with high privileges. The vulnerability requires valid credentials but no user interaction, presenting a significant risk to organizations where print services are accessible to untrusted internal or remote users. No patch is currently available.
Use after free in Broadcast DVR allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
ImageMagick versions prior to 7.1.2-16 and 6.9.13-41 contain a heap-use-after-free vulnerability in the MSL encoder that can be triggered by local attackers to cause denial of service through double-free conditions on cloned images. The vulnerability requires local access with no special privileges or user interaction, resulting in application crashes or potential memory corruption. No patch is currently available for affected versions.
Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.
PJSIP versions prior to 2.17 contain a heap use-after-free vulnerability in the event subscription framework that can be triggered through presence unsubscription requests, allowing remote attackers without authentication to cause denial of service. The vulnerability resides in the evsub.c component and is exploitable over the network with no user interaction required. A patch is available in version 2.17 and later.
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privile...
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. [CVSS 5.3 MEDIUM]
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
A use-after-free vulnerability in the Linux kernel's netfilter nf_tables chain registration allows local attackers with user privileges to trigger memory corruption and cause a denial of service, potentially leading to privilege escalation. The flaw occurs when hook registration fails during chain addition, allowing concurrent operations to access freed memory without proper RCU synchronization. The vulnerability affects systems running vulnerable Linux kernels with netfilter enabled, and no patch is currently available.
The ARM SMMU v3 driver in Android contains a use-after-free vulnerability in the smmu_detach_dev function that could allow a local privileged attacker to execute arbitrary code with system privileges. An attacker with high-level system access can trigger an out-of-bounds write to escalate privileges without requiring user interaction. A patch is available to address this issue.
In multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.0 HIGH]
Local privilege escalation in Android's display subsystem exploits a use-after-free memory corruption vulnerability to elevate from system-level privileges, requiring no user interaction. An attacker with pre-existing system access can trigger the memory corruption to gain complete control over the affected device. No patch is currently available to remediate this issue.
Android's display subsystem crashes due to a use-after-free memory error that allows a privileged local attacker to trigger a denial of service without user interaction. Exploitation requires pre-existing system-level access, limiting impact to scenarios where an attacker has already compromised the device at the highest privilege level. No patch is currently available for this vulnerability.
Android's imgsys component is vulnerable to a use-after-free condition that enables local denial of service attacks. Exploitation requires system-level privileges and causes immediate system crashes without user interaction. No patch is currently available for this vulnerability.
Android MAE component is vulnerable to a use-after-free condition that can trigger a system crash, resulting in denial of service for devices where an attacker has already obtained system-level privileges. No user interaction is required for exploitation. Currently, no patch is available for this vulnerability.
FreeRDP versions prior to 3.23.0 contain an incomplete fix for a heap-use-after-free vulnerability that affects only the SDL2 code path, where freed memory pointers are not properly nulled, allowing an unauthenticated attacker to trigger a denial of service condition. Users running FreeRDP with SDL2 backends remain vulnerable despite the advisory claiming the issue was resolved. Upgrade to version 3.23.0 or later to obtain the complete fix.
Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth FreeRDP UAF. PoC and patch available.
Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available.
A use-after-free vulnerability in Firefox and Thunderbird's JavaScript WebAssembly engine allows remote attackers to achieve information disclosure or data manipulation through a malicious webpage or email attachment that requires user interaction. Affected versions include Firefox below 148 and Thunderbird below 148, with no patch currently available. The vulnerability has a network attack vector with low complexity and carries a CVSS score of 5.4.
Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.
A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.
Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.
Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.
Use-after-free in Firefox ImageLib graphics component before 148. Image processing triggers use of freed memory.
Use-after-free in Firefox DOM Window and Location component before 148. Window/Location lifecycle management error.
Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.
Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.
Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.
A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.
Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.
Use-after-free in Firefox JavaScript JIT compiler before 148. Second JIT-related UAF in this release, different from CVE-2026-2764.
Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.
JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.
Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.
Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to a heap-use-after-free condition when processing specially crafted MSL scripts, allowing unauthenticated remote attackers to cause denial of service. The vulnerability occurs when the operation element handler frees image data while the parser continues accessing it, leading to memory corruption during subsequent parsing operations. No patch is currently available for affected versions.
A vulnerability was detected in CCExtractor versions up to 0.96.5, which are affected by a buffer overflow (CVSS 3.3).
Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. [CVSS 4.7 MEDIUM]
PJSIP versions before 2.17 contain a use-after-free vulnerability in the H.264 packetizer that allows local attackers with user privileges to cause denial of service through malformed H.264 bitstreams lacking proper NAL unit markers. The flaw stems from inadequate pointer validation during packet processing, enabling out-of-bounds memory access that crashes the application. A patch is available in version 2.17 and later.
A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. [CVSS 3.3 LOW]
The Exynos Virtual Display driver in the Linux kernel lacks proper synchronization when allocating and freeing memory structures, enabling use-after-free conditions through race conditions between concurrent operations. A local attacker with unprivileged access can exploit this vulnerability to cause memory corruption or achieve information disclosure by manipulating display connector operations. No patch is currently available for this high-severity vulnerability affecting Linux systems with Samsung Exynos graphics hardware.
The Linux kernel ksmbd subsystem contains a use-after-free vulnerability in multi-channel session handling due to missing synchronization on the ksmbd_chann_list xarray, allowing a local attacker with user privileges to cause memory corruption and potentially execute arbitrary code. The vulnerability affects the channel lookup and deletion operations between multiple concurrent sessions. A patch is available to add proper locking mechanisms to protect xarray access.
The Linux kernel erofs file system contains a use-after-free vulnerability in direct I/O file-backed mount operations that allows local attackers with user privileges to cause memory corruption and potentially achieve code execution or denial of service. The vulnerability occurs when accessing files through the directio option, where freed memory is subsequently accessed during I/O operations. A patch is not currently available, making this a critical concern for systems running affected Linux kernel versions.
Use-after-free vulnerability in Linux kernel XFS subsystem allows local attackers with unprivileged access to cause memory corruption and potential privilege escalation through improper pointer dereferencing in the btree block owner checking function. The flaw stems from attempting to access freed memory due to incorrect temporal ordering of operations when determining cursor aliases. This vulnerability affects all Linux systems using XFS and currently lacks a patch.
The Linux kernel's fsl-mc bus driver contains a use-after-free vulnerability in the driver_override_show() function that reads device configuration without proper locking, allowing a local privileged user to trigger memory corruption by concurrently modifying the same data. This vulnerability affects Linux systems running vulnerable kernel versions and could enable local denial of service or potential privilege escalation through heap memory manipulation. No patch is currently available for this issue.
A flaw has been found in ChaiScript up to 6.1.0. This affects the function chaiscript::Type_Info::bare_equal of the file include/chaiscript/dispatchkit/type_info.hpp. [CVSS 2.5 LOW]