Use After Free

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Use-after-free in Linux kernel driver core allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system via race condition in device-driver binding operations. The vulnerability stems from inconsistent locking in driver_match_device() function calls, specifically affecting driver_override functionality where device_lock was not held during bind_store() and __driver_attach() operations. EPSS probability is very low (0.02%, 5th percentile), indicating minimal real-world exploitation observed. No active exploitation confirmed - no CISA KEV listing identified. Patch available in kernel 7.0+ and backport commit dc23806a7c47.

Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows arbitrary code execution when specially crafted PDF documents trigger UI refresh operations after comment deletion via scripting. Local attackers can deliver malicious PDFs and achieve code execution with high integrity and confidentiality impact once a user opens the file. CVSS 7.8 indicates high severity but requires user interaction, limiting automated exploitation. No public exploit code or active exploitation confirmed at time of analysis.

Use-after-free vulnerability in Foxit PDF Editor and PDF Reader allows local attackers to crash the application by manipulating document page lifecycle events, causing internal component states to desynchronize and subsequent operations to reference invalidated memory objects. Attack requires user interaction to open a malicious PDF file and does not enable information disclosure or code execution; impact is denial of service with CVSS 5.5 (medium severity). No public exploit code or active exploitation confirmed at time of analysis.

Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows local attackers to execute arbitrary code or crash the application via specially crafted PDF documents. When scripts modify document structures, the software fails to maintain valid object references during page information queries, enabling pointer dereference of freed memory. Successful exploitation requires user interaction to open a malicious PDF file, achieving high confidentiality, integrity, and availability impact with CVSS 7.8. No active exploitation or public exploit code identified at time of analysis, though CVSS vector indicates low attack complexity once victim interaction occurs.

Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application or execute arbitrary code by opening a crafted XFA PDF file during calculate event processing. The vulnerability requires user interaction (opening a malicious PDF) but impacts both products across all versions listed in CPE data. No public exploit code or active exploitation has been confirmed at this time.

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c. KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0

In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: deallocate damon_call() failure leaking damon_ctx damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if the damon_call() is failed, and the user writes Y to “enabled” again, the previously allocated damon_ctx object is leaked. This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free). Fix the leak while avoiding the use-after-free by keeping returning damon_stat_start() without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated. The issue was discovered [1] by sashiko.

In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix use-after-free on disconnect The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped after the driver has been unbound. This specifically means that the controller allocation must not be device managed as that can lead to use-after-free. Note that the lifetime is currently also incorrectly tied the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral). Fix both issues by reverting to non-managed allocation of the controller.

Use-after-free in Linux kernel's lan966x network driver allows local authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The flaw occurs in lan966x_fdma_reload() when RX buffer allocation fails - freed pages remain referenced by active DMA descriptors, causing hardware to write into memory now controlled by other kernel subsystems. Vendor patches available for stable branches 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis, but successful exploitation grants kernel-level privileges to local attackers.

Use-after-free in Linux kernel OCFS2 filesystem enables local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when filemap_fault() drops mmap_lock before returning VM_FAULT_RETRY, allowing concurrent munmap() to free the vm_area_struct while ocfs2_fault() still holds a dangling pointer. Vendor patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability is very low (0.02%, 5th percentile) with no public exploit identified at time of analysis.

Use-after-free in Linux kernel memory management allows remote code execution when the folio_unmap_invalidate() function incorrectly accesses freed mapping structures. Kernel versions between 1da177e4c3f4 and patches 6.19.14/7.0.1 are affected. Exploitation probability is low (EPSS 2%, percentile 5%), with no confirmed active exploitation or public POC at time of analysis. Despite the critical CVSS 9.8 score indicating network-based unauthenticated attack, the description suggests this is a kernel memory corruption bug requiring local kernel code paths to trigger, not direct remote network exploitation - CVSS vector conflicts with technical nature and should be validated against vendor guidance.

Use-after-free in Linux kernel KVM x86 MMIO emulation allows local authenticated users with low privileges to potentially execute arbitrary code, escalate privileges, or cause denial of service. The flaw occurs when KVM's emulator initiates MMIO writes using on-stack variables that cross page boundaries between two MMIO pages, creating dangling pointers when fragments are processed across separate KVM_RUN calls, especially when different tasks handle subsequent runs. EPSS exploitation probability is very low (0.02%, 5th percentile), and vendor patches are available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. No active exploitation or public POC identified at time of analysis.

Use-after-free in Linux kernel q6apm audio driver allows local authenticated attackers with low privileges to achieve arbitrary code execution, denial of service, or information disclosure with high impact to confidentiality, integrity, and availability. The flaw affects Qualcomm ASoC q6apm component registration code used in devices like Lenovo 21N2ZC5PUS laptops. Vendor-released patches are available across multiple kernel version branches (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low probability of mass exploitation despite high CVSS 7.8, with no confirmed active exploitation or public POC identified at time of analysis.

Use-after-free in Linux kernel blk-cgroup subsystem allows local authenticated users to potentially execute arbitrary code, escalate privileges, or crash the system. The vulnerability occurs in cgwb_release_workfn() when releasing cgroup writeback structures, where a CSS reference is dropped before subsequent dereference, creating a race condition. Meta reports sporadic crashes in production across multiple kernel versions. Patches available for stable branches 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation or public POC identified at time of analysis.

Use-after-free in Linux kernel MediaTek video encoder allows local authenticated users to corrupt memory and potentially execute arbitrary code. The flaw affects the vcodec driver's encoder release path where ctx memory is freed before canceling scheduled workqueue tasks, enabling race conditions between cleanup and worker threads that may dereference freed memory. KASAN-confirmed exploitation requires local access with low privileges (CVSS AV:L/PR:L). Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates very low probability of automated exploitation, with no public exploit identified at time of analysis.

In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct. - NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL. Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.

In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed URB pointer. Fix by: - Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state. - Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device. - Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.

In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.

In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __complete_request+0x22/0x70 [libceph] [6888366.281032] osd_dispatch+0x15e/0xb40 [libceph] [6888366.281164] ? inet_recvmsg+0x5b/0xd0 [6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph] [6888366.281405] ceph_con_process_message+0x79/0x140 [libceph] [6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph] [6888366.281661] ceph_con_workfn+0x329/0x680 [libceph] ``` After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev, rather than an alloc every time. If the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then tell all details to the QWEN and adopted the modifications it made.

In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.

In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.

Use-after-free in Linux kernel AMD GPU driver allows local authenticated users to potentially execute arbitrary code, escalate privileges, or cause denial of service. The amdgpu_amdkfd_submit_ib() function in the AMD KFD (Kernel Fusion Driver) prematurely releases a DMA fence reference before waiting on it, creating a race condition where the fence memory may be freed before use. Vendor-released patches are available for multiple stable kernel branches (6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS exploitation probability is very low at 0.02% (7th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Use-after-free in Linux kernel futex subsystem allows local authenticated attackers to achieve code execution, privilege escalation, or denial of service via sys_futex_requeue() with mismatched flags. Discovered through automated LLM analysis by Nicholas, this affects kernel versions 6.7 through 6.19.x, with patches available in 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified. The vulnerability requires local access with low-privilege authenticated user credentials (PR:L), making it a post-compromise escalation vector rather than a remote entry point.

Use-after-free in Linux kernel tracing subsystem allows local authenticated attackers to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability occurs when deleting tracing instances with copy_trace_marker enabled, where improper RCU synchronization leaves freed memory accessible. Exploitation requires local access with low privileges to manipulate kernel tracing facilities. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel versions (6.18.20, 6.19.10, 7.0).

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.

Use-after-free in Linux kernel CAN raw socket implementation allows local authenticated attackers to corrupt memory and potentially achieve code execution. The vulnerability stems from premature deallocation of percpu uniq storage in raw_release() while raw_rcv() may still access it via deferred RCU callbacks. Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS exploitation probability remains low (0.02%, 5th percentile) with no active exploitation confirmed at time of analysis.

Use-after-free in Linux kernel CXL (Compute Express Link) subsystem allows local authenticated attackers to corrupt memory and potentially execute arbitrary code or cause kernel panics. The flaw occurs in cxl_detach_ep() during device removal when parent port references are freed prematurely, before child operations complete. Affects Linux kernel 6.3 through 7.0-rc5; patched in versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% indicates low exploitation probability. No active exploitation or public exploit code identified at time of analysis.

Use-after-free in Linux Kernel platform driver core allows local authenticated attackers to achieve high-severity impacts including code execution, privilege escalation, or denial of service. The vulnerability stems from unsafe access to the driver_override field during device probing when the bus match() callback executes without device lock protection. Patches are available across multiple kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0) per vendor commits. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no CISA KEV listing exists, suggesting this remains a theoretical risk rather than actively exploited threat despite the high CVSS 7.8 score.

Use-after-free in Linux kernel Bluetooth MGMT subsystem allows local authenticated users to achieve arbitrary code execution, privilege escalation, or denial of service. The vulnerability stems from improper condition checking in mgmt_add_adv_patterns_monitor_complete(), which can leave dangling pointers after freeing memory without unlinking from the list. Patches available across multiple kernel versions (6.12.80, 6.17, 6.18.21, 6.19.11, 7.0). No evidence of active exploitation (not in CISA KEV), low EPSS score (0.02%, 5th percentile) suggests limited attacker interest despite high CVSS severity.

Use-after-free in Linux kernel packet socket handling allows local attackers with low privileges to achieve kernel memory corruption, potentially leading to privilege escalation, information disclosure, or denial of service. The vulnerability stems from a race condition in packet_release() where NETDEV_UP events can re-register a socket into a fanout group's array after cleanup begins but before the socket number is zeroed, leaving dangling pointers. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score is low (0.02%, 7th percentile) and no active exploitation is confirmed (not in CISA KEV), suggesting limited real-world exploitation despite high CVSS 7.8 rating.

Use-after-free in Linux kernel ICSSG PRU Ethernet driver allows remote code execution with CVSS 9.8 scoring. Affects TI ICSSG network driver in kernels 6.15 through 7.0 (patched in 6.19.11 and 7.0). The flaw causes CPPI descriptors to be freed before timestamp processing completes on every received packet, creating a exploitable memory corruption condition. Despite critical CVSS scoring, EPSS probability is very low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. The network attack vector (AV:N) combined with zero-day timing suggests this may be scored for worst-case remote exploitation scenario, but actual exploitability via network packets requires deeper investigation of ICSSG hardware context and packet processing pipeline.

Use-after-free in Linux kernel Bluetooth Intel driver enables local privilege escalation to kernel code execution. Affects Linux kernel 4.3 through 7.0-rc5, with patches available in versions 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0. Exploitation requires local authenticated access with low privileges (CVSS PR:L). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis, though technical details in CVE description provide implementation roadmap.

Use-after-free in Linux kernel RDMA/EFA driver allows local authenticated users with low privileges to execute arbitrary code with high confidentiality, integrity, and availability impact. The vulnerability affects the admin queue completion handling where completion context data is accessed after being freed, creating a window for memory corruption exploitation. Affects kernel versions from 5.12 through 7.0-rc7, with vendor patches available for stable branches 6.18.21, 6.19.11, and 7.0. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing identified at time of analysis.

Use-after-free in Linux kernel's xe GPU driver allows local authenticated users to execute arbitrary code with kernel privileges. The vulnerability occurs in the SR-IOV physical function migration restore path when error handling fails to nullify a freed data pointer, enabling subsequent write operations to reference deallocated memory. With CVSS 7.8 (High) and very low EPSS (0.02%), this represents typical kernel memory corruption risk requiring local access and low privileges. Vendor patches are available for affected 6.19 and 7.0-rc versions.

Use-after-free in Linux kernel AMD display driver allows local authenticated users to execute arbitrary code, corrupt memory, or cause denial of service. Affects systems with AMD graphics using Display Stream Compression (DSC) and multi-stream transport (MST), particularly laptops with integrated displays and external DP-MST monitors. The vulnerability arises when mode changes occur simultaneously with DSC reconfigurations, causing improper stream lifecycle management. Vendor patch available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% indicates low exploitation probability in the wild, with no CISA KEV listing or public exploit identified at time of analysis.

Use-after-free in Linux kernel SPI subsystem (fsl_lpspi driver) causes NULL pointer dereference when DMA channels are torn down while SPI transfers are active. Local attackers with low privileges can trigger denial of service or potentially execute arbitrary code on affected systems running Linux kernel versions from 4.10 through 7.0-rc2, particularly impacting embedded and IoT devices using Freescale LPSPI controllers. EPSS score of 0.02% indicates very low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0).

Use-after-free in Linux kernel ISO-TP CAN protocol driver allows local authenticated users to read freed memory, corrupt kernel state, or execute arbitrary code with kernel privileges. Affects kernels from commit 96d1c81e to 6.6.131, 6.12.80, 6.18.21, and 6.19.11. Vendor-released patches available across stable kernel branches. EPSS score 0.02% (5th percentile) indicates low probability of mass exploitation, and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local privilege escalation potential if successfully exploited.

Use-after-free in Linux kernel media subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or cause system crashes. The race condition between MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) affects request-capable V4L2 media devices in kernels since version 4.20. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0). EPSS score of 0.02% indicates very low likelihood of mass exploitation, and no active exploitation or public POC has been identified.

Use-after-free in Linux kernel virtio_net driver allows local authenticated attackers with low privileges to potentially achieve high confidentiality, integrity, and availability impact. The flaw triggers when virtio_net is configured with napi_tx=N (non-NAPI transmit mode) and the IFF_XMIT_DST_RELEASE flag is cleared by tc route filter rules. When a network namespace is destroyed while packets remain queued in the virtio transmit ring, the freed dst_ops structure is later dereferenced during packet cleanup, causing kernel memory corruption. Vendor patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.

Use-after-free in Linux Kernel XFS filesystem allows local authenticated users to execute arbitrary code, escalate privileges, or cause system crashes during filesystem unmount operations. The vulnerability stems from a race condition where background reclaim and inodegc processes continue running while the Active Item List (AIL) is being flushed during unmount, enabling concurrent access to freed memory structures. Patches are available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0). EPSS score of 0.02% suggests very low probability of mass exploitation, and no active exploitation or public POC is identified at time of analysis.

Use-after-free in Linux Kernel XFS file system allows local authenticated users to execute arbitrary code, escalate privileges, or cause denial of service. The vulnerability affects XFS implementations from kernel 5.9 onward due to improper handling of Active Item List (AIL) pointers when performing buffer I/O in inode and quota push callbacks. With EPSS exploitation probability at 0.02% and no confirmed active exploitation, this represents a moderate real-world risk limited by local access requirements and low attack complexity. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0).

Use-after-free in Linux kernel ext4 filesystem allows local attackers to potentially execute arbitrary code or cause denial of service during unmount operations. The vulnerability stems from a race condition between ext4_put_super() teardown and update_super_work() error notification, where sysfs_notify() accesses a freed kernfs_node object after kobject_del() has released it. Fixed in stable kernel releases 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. EPSS score of 0.02% (7th percentile) suggests low probability of exploitation in the wild, though CVSS vector indicates straightforward local exploitation requiring user interaction.

Use-after-free and NULL pointer dereference vulnerabilities in Linux kernel's ksmbd SMB server allow remote unauthenticated attackers to achieve arbitrary code execution, information disclosure, or denial of service. The flaws occur during oplock (opportunistic lock) publication when error handling frees memory still referenced by concurrent readers, and when global lease lists are accessed before critical pointers are initialized. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), this represents a critical remote attack surface, though EPSS score of 0.02% (5th percentile) suggests minimal observed exploitation activity. Vendor patches are available across affected kernel versions 6.6.130-6.19.9.

PowerDNS Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 suffer denial of service and potential data corruption when a malfunctioning RPZ provider causes concurrent transfers of the same RPZ zone, leading to use-after-free conditions, inconsistent zone data, and recursor crashes. The vulnerability requires high privilege attacker control over an RPZ provider and non-standard network conditions, resulting in availability and integrity impact with a CVSS score of 5.0.

Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. This vulnerability affects multiple stable and release branches with CVSS 8.4 (High) but low EPSS probability (0.02%, 5th percentile), indicating theoretical severity without observed widespread exploitation. Not listed in CISA KEV, suggesting no confirmed active exploitation at time of analysis.

Use-after-free memory corruption (CWE-416) in Mozilla Firefox 149 and ESR 115.34/140.9, plus the shared Gecko engine in Thunderbird 149 and Thunderbird ESR 140.9, can lead to arbitrary code execution within the browser process when a victim renders attacker-controlled web content. This is a rolled-up batch of memory-safety bugs reported by Mozilla's own developers; Mozilla states some showed evidence of memory corruption presumed exploitable for code execution. There is no public exploit identified at time of analysis, the bug is not in CISA KEV, and EPSS is very low (0.06%, 17th percentile), consistent with the CVSS 7.5 rating being held down by high attack complexity (AC:H) and required user interaction (UI:R).

Memory corruption in Firefox's Widget: Cocoa component on macOS enables remote denial of service through use-after-free exploitation. Mozilla patched this in Firefox 150 and Firefox ESR 140.10 after internal discovery. The CVSS vector indicates network-accessible exploitation requiring no authentication or user interaction, though SSVC assessment classifies technical impact as partial and exploitation as non-automatable. No public exploit identified at time of analysis, with SSVC indicating no evidence of active exploitation.

Use-after-free in Firefox's WebAssembly JavaScript engine enables remote denial-of-service attacks against users running unpatched versions below Firefox 150. The vulnerability allows network-based attackers to crash the browser without authentication or user interaction by triggering memory corruption in WebAssembly processing. Mozilla patched this in Firefox 150 (MFSA2026-30). EPSS data not available, not listed in CISA KEV, and SSVC framework rates exploitation as 'none' with non-automatable, partial technical impact-suggesting lower real-world risk despite CVSS 7.5 severity.

Remote attackers can crash Mozilla Firefox by triggering a use-after-free in the JavaScript Engine, exploiting freed memory during JS execution to cause denial of service. Affects all unpatched Firefox versions below 150, ESR 115.35, and ESR 140.10. CVSS 7.5 (High) reflects network-accessible exploitation with no authentication required, though SSVC assessment indicates non-automatable exploitation with partial technical impact. No public exploit code or active exploitation (KEV) confirmed at time of analysis, and ENISA tracking suggests European-focused monitoring.

High-severity denial-of-service in Firefox WebRTC component allows remote unauthenticated attackers to crash the browser via network-based use-after-free memory corruption. Affects Firefox versions prior to 150 and Firefox ESR prior to 140.10. Vendor-released patches available (Firefox 150, Firefox ESR 140.10). CVSS 7.5 reflects high availability impact with low attack complexity and no privileges required. No public exploit identified at time of analysis, though SSVC framework classifies technical impact as partial and exploitation as none, suggesting limited real-world activity despite the theoretical ease of exploitation indicated by CVSS.

High-severity denial-of-service condition in Mozilla Firefox DOM processing allows remote attackers to crash the browser via network-delivered content without authentication or user interaction. Fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. CVSS 7.5 reflects network attack vector with low complexity (AV:N/AC:L/PR:N/UI:N) but impact limited to availability (A:H). EPSS data not provided. Not listed in CISA KEV, indicating no confirmed active exploitation. SSVC framework rates exploitation as 'none' and technical impact as 'partial', suggesting lower real-world priority despite high CVSS score.

Remote code execution in Google Chrome on Android versions prior to 147.0.7727.101 is possible through a use-after-free vulnerability in the Payments feature. Attackers who successfully convince users to perform specific UI interactions on a malicious webpage can achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), indicating social engineering is necessary. Google has released Chrome 147.0.7727.101 to address this issue. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code has been identified at time of analysis.

Arbitrary code execution within Chrome's sandbox affects all versions prior to 147.0.7727.101 via crafted HTML pages exploiting a use-after-free in codec processing. Remote attackers require user interaction (visiting a malicious page) but need no authentication. CVSS 8.8 (High) with network attack vector, low complexity, and high impact across confidentiality, integrity, and availability. Google patched this in the stable channel update released April 15, 2026. No public exploit code or CISA KEV listing identified at time of analysis, though Chromium issue tracker #495996858 indicates vendor-confirmed vulnerability. The sandbox containment limits initial exploitation to Chrome's restricted environment, not direct system compromise.

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Arbitrary code execution within Google Chrome's sandbox affects all versions prior to 147.0.7727.101 through a use-after-free vulnerability in the codec processing components. Remote attackers can exploit this by tricking users into visiting a malicious webpage, achieving high-severity compromise of confidentiality, integrity, and availability within the sandboxed renderer process. Google has released version 147.0.7727.101 as a stable channel update to address this flaw. No evidence of active exploitation (not in CISA KEV) or public exploit code has been identified at time of analysis, though the simplicity of the attack vector (network-based, low complexity, requiring only user interaction) warrants prioritized patching.

Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in Video in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)

Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Arbitrary code execution in Adobe FrameMaker 2022.8 and earlier allows local attackers to execute malicious code with current user privileges by tricking victims into opening specially crafted files. This use-after-free memory corruption vulnerability requires no authentication but depends on user interaction. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the local attack vector and user interaction requirement reduce immediate remote threat surface compared to network-accessible vulnerabilities.

Heap use-after-free in libsixel 1.8.7 and earlier allows local code execution when processing malicious animated GIF files through the sixel_helper_load_image_file() API with multi-frame callbacks. The vulnerability triggers when gif_init_frame() unconditionally frees and reallocates frame->pixels between frames while client code retains references via the documented sixel_frame_ref() API, creating dangling pointers confirmed by AddressSanitizer. Fixed in version 1.8.7-r1. No public exploit iden

Use-after-free in libsixel's gdk-pixbuf2 loader enables local attackers to achieve code execution via crafted images. Affects libsixel versions through 1.8.7 when compiled with --with-gdk-pixbuf2 option. The vulnerability stems from inconsistent memory management in load_with_gdkpixbuf(), which manually frees reference-counted frame objects, leaving dangling pointers that callbacks can access post-cleanup. CVSS 7.8 (High) with local attack vector requiring user interaction. Fixed in version 1.8.7-r1. No confirmed active exploitation (CISA KEV), though proof-of-concept feasibility is high given the deterministic nature of the memory corruption.

Use-after-free in libsixel 1.8.7 and earlier enables local attackers to crash applications or execute arbitrary code via crafted SIXEL image frames. The vulnerability occurs when sixel_encoder_encode_bytes() processes resize operations that free caller-owned pixel buffers, creating dangling pointers exploitable through repeated, predictable frame manipulation. EPSS data not available; no confirmed active exploitation (not in CISA KEV), but the technical details suggest reliable exploitation potential for local privilege escalation or RCE scenarios.

Memory corruption in Microsoft Office Word enables local code execution through a use-after-free flaw affecting Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac. Despite the local attack vector (AV:L), the vulnerability requires no privileges (PR:N) or user interaction (UI:N), allowing unauthorized attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). Vendor-released patch available via Microsoft Security Response Center as of April 2026. No public exploit identified at time of analysis, though the technical simplicity (AC:L) and memory corruption primitive increase weaponization risk.

Local privilege escalation in Windows Print Spooler Components allows authenticated attackers with low privileges to achieve complete system compromise (high confidentiality, integrity, and availability impact) by exploiting a use-after-free memory corruption vulnerability. Affects Windows 11 versions 24H2, 25H2, 26H1, Windows Server 2022 23H2 Edition, and Windows Server 2025. CVSS score 7.8 reflects local attack vector with low complexity and no user interaction required. No public exploit or CISA KEV status identified at time of analysis, though use-after-free vulnerabilities in Print Spooler have historically been attractive exploitation targets.

Local privilege escalation in Windows Ancillary Function Driver for WinSock (AFD.sys) affects all supported Windows 10, Windows 11, and Windows Server versions from 2012 through 2025. The CWE-416 use-after-free memory corruption flaw allows low-privileged authenticated attackers with local access to elevate to SYSTEM privileges, achieving complete control over confidentiality, integrity, and availability. SSVC framework rates this as non-automatable with total technical impact. No public exploit

Local privilege escalation via use-after-free in Windows Ancillary Function Driver for WinSock (AFD.sys) allows authenticated low-privileged attackers to execute arbitrary code with SYSTEM privileges across all supported Windows versions. Microsoft has released patches for Windows 10 (versions 1607-22H2), Windows 11 (versions 22H3-25H2), and Windows Server (2012-2022 23H2). The vulnerability requires local access and low privileges (PR:L) with high attack complexity (AC:H), but no public exploit

Use-after-free memory corruption in Microsoft PowerPoint (versions 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise) enables local code execution when users open malicious files. An attacker with no privileges can achieve full system compromise (high confidentiality, integrity, and availability impact) by convincing a user to open a crafted PowerPoint document. Vendor patch available via Microsoft Security Response Center. No public exploit code or confirmed active exploitation (CISA KEV) identified at time of analysis, though CVSS 7.8 rating reflects high severity for local attack scenarios.

Microsoft Excel use-after-free vulnerability (CWE-416) enables arbitrary code execution when a user opens a specially crafted Excel file. Affects Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and Office Online Server. CVSS 7.8 (High) requires local access and user interaction but no authentication. No public exploit identified at time of analysis. Microsoft released patches addressing all affected product lines per MSRC update guide.

Use-after-free vulnerability in Microsoft Office Excel enables local code execution when users open maliciously crafted Excel files. Affects all major Office versions including Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and Office Online Server. Attack requires no authentication (PR:N) but demands user interaction (opening a weaponized document). CVSS 7.8 (High) reflects significant impact potential (code execution with high confidentiali

Use-after-free memory corruption in Microsoft Excel across Office 2016-2024 and Microsoft 365 enables local code execution when a user opens a malicious spreadsheet. Attackers must craft a weaponized Excel file and trick users into opening it, after which arbitrary code runs with the victim's privileges. No authentication is required, though user interaction is necessary. Exploitation probability remains moderate (CVSS 7.8) with no confirmed active exploitation (no CISA KEV listing) and no publi

Use-after-free memory corruption in Microsoft Office (versions 2016 through LTSC 2024, including Microsoft 365 Apps for Enterprise) enables local code execution with no authentication or user interaction required. Attackers with local system access can execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). No public exploit identified at time of analysis. Vendor-released patch available via Microsoft Security Response Center for all affected versions.

Desktop Window Manager (DWM) privilege escalation via use-after-free memory corruption affects Windows 10 21H2/22H2, Windows 11 22H3 through 25H2, and Windows Server 2022/2025. Local authenticated attackers with low privileges can exploit this memory corruption flaw to gain SYSTEM-level access, achieving full compromise of confidentiality, integrity, and availability. Vendor-released patches are available across all affected platforms. No public exploit identified at time of analysis, though the

Use-after-free in Microsoft Windows Speech component enables local privilege escalation to SYSTEM on Windows 10 (versions 1809, 21H2, 22H2) and Windows 11 (versions 22H3 through 26H1). Authenticated local attackers with low privileges can exploit memory corruption to gain full system control with low attack complexity and no user interaction required. CVSS 7.8 (High). Vendor-released patches available for all affected versions. No public exploit identified at time of analysis, though the straigh