Use After Free
Monthly
Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.
Use-after-free in wolfSSL's TLS 1.3 PQC hybrid KeyShare processing exposes clients built with post-quantum hybrid support to a crash or memory corruption when connecting to a malicious server. This is a bypass of the incomplete fix for CVE-2026-5460 shipped in 5.9.1 - the pointer alias between keyShareEntry->key and ecc_kse->key in TLSX_KeyShare_ProcessPqcHybridClient is not re-synchronized after the inner ECC processing function frees its copy, leaving a dangling pointer that TLSX_KeyShare_FreeAll later passes to wc_ecc_free and XFREE. No public exploit or CISA KEV listing exists; the CVSS 4.0 score of 2.3 reflects limited real-world impact due to high attack complexity and non-default build requirements.
Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointing at freed libxml2 memory after `#do_xinclude` is called on a document whose nodes have already been exposed to Ruby. An application that triggers this condition may experience invalid memory reads or writes, potentially resulting in a crash or memory disclosure. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.2 reflects the high attack complexity driven by an unusual, non-default API usage pattern required to reach the vulnerable code path.
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault when an `XML::XPathContext` object outlives its source document and that document is freed by Ruby's garbage collector. Only CRuby is affected; JRuby is not. This is not triggerable by malicious document input and cannot be reached through the standard `Document#xpath`, `#css`, or related methods - it requires an unusual direct API usage pattern in application code. No public exploit has been identified, this is not listed in CISA KEV, and the CVSS 4.0 score of 1.7 reflects the tightly constrained triggering conditions.
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via `Document#root=`. The root cause is insufficient type validation in the setter, which accepted any `Nokogiri::XML::Node` subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. No active exploitation is confirmed (not in CISA KEV), no public exploit is identified, and the Nokogiri maintainers rate this low severity; the CVSS 4.0 score of 1.7 with E:U corroborates that assessment.
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.
Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.
Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).
Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. CVSS 7.8 (local, low privilege) with EPSS at 0.17% (7th percentile); no public exploit identified at time of analysis and not listed in CISA KEV.
Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.
Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).
Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.
Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.
Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.
Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.
Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).
Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.
Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).
Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.
Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis, but kernel UAF bugs of this class are historically a strong primitive for local privilege escalation.
Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%), reflecting the local-only, race-dependent nature of the bug.
Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.
Local privilege escalation and memory corruption in the Linux kernel's Qualcomm FastRPC misc driver (drivers/misc/fastrpc) arises from a use-after-free of the fastrpc_user structure during concurrent file-descriptor close and DSP response processing. A local user with access to the FastRPC device can race fastrpc_device_release() against the put_work workqueue so that fastrpc_context_free() dereferences an already-freed user object, enabling kernel memory corruption with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.18%), consistent with a hard-to-win kernel race on Qualcomm-only hardware.
Local privilege escalation and memory corruption in the Linux kernel's fastrpc misc driver allows an attacker with local low-privileged access to a FastRPC device to trigger a use-after-free in fastrpc_map_create by racing a concurrent MEM_UNMAP against map lookup. The flaw stems from fastrpc_map_lookup returning an unprotected raw pointer after dropping fl->lock, which a concurrent unmap can free before the reference is taken. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.17%, 7th percentile), consistent with a kernel race condition requiring local access and precise timing.
Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). No public exploit identified at time of analysis, EPSS is very low (0.17%, 7th percentile), and it is not on CISA KEV, but the CVSS 3.1 base score is 7.8 (High) reflecting full confidentiality, integrity and availability impact from local exploitation.
Local privilege escalation and memory corruption in the Linux kernel's nvmem core subsystem arises from use-after-free bugs in multiple error paths where __nvmem_device_put() releases the nvmem device (and its backing memory/resources) but the code continues to dereference the freed structure before returning. A local, low-privileged user able to trigger these error paths can corrupt kernel memory, potentially leading to code execution or information disclosure. Fix is upstream in stable kernel trees; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).
Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenticated attacker to crash the server process by exploiting a heap use-after-free in the TLS error-logging path. By sending a DNS query over a DNS-over-TLS (DoT) connection and closing the socket before reading the response, an attacker triggers the freed-memory access trivially; no public exploit identified at time of analysis, and the issue is not in CISA KEV. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity exposure.
Local privilege escalation to root in OpenBSD through 7.9 arises from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c). An authenticated local user calling sys_semget() can trigger a context-switch use-after-free after tsleep(), where a freed semid_ds_kern structure is reused, enabling kernel memory corruption and full root compromise. There is no public exploit identified at time of analysis, EPSS probability is low (0.12%), and the issue is not listed in CISA KEV; the upstream fix adds reference counting (sem_ref/sem_rele) around the sleep window.
Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).
Use-after-free in MP4Box's filter pipeline core (gf_filter_pid_inst_swap in filter_pid.c) allows local attackers to crash the application - and potentially achieve memory corruption beyond DoS - by supplying a crafted media file. Publicly available exploit code exists for this vulnerability, hosted on GitHub in a dedicated proof-of-concept repository. The EPSS score is low (0.17%, 6th percentile) with no CISA KEV listing, suggesting the public POC is research-grade rather than part of active exploitation campaigns, but the barrier to triggering a crash is low for any attacker with file delivery capability.
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_load_from_state_internal function of the SEI loader filter (src/filters/sei_load.c). Processing a maliciously crafted MPEG-2 Transport Stream file causes the parser to dereference a dangling pointer, crashing the application. Publicly available exploit code (a PoC test case and write-up) exists, though the issue is not listed in CISA KEV and carries a low EPSS exploitation probability (0.17%, 6th percentile).
Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.
Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.
Heap corruption in Google Chrome's Web Authentication (WebAuthn) component affects all desktop builds prior to 149.0.7827.197, where a use-after-free (CWE-416) can be triggered by a malicious browser extension. An attacker who first convinces a victim to install a crafted extension can reach the freed object and potentially achieve code execution. Rated High by Chromium with a CVSS 7.5; there is no public exploit identified at time of analysis and CISA SSVC marks exploitation as none.
Renderer-side heap corruption in Google Chrome's FileSystem component (versions prior to 149.0.7827.197) lets a remote attacker who lures a victim to a crafted HTML page trigger a use-after-free, potentially leading to arbitrary code execution within the renderer. Rated High severity by Chromium with a CVSS of 8.8; no public exploit identified at time of analysis, and CISA's SSVC framework currently records exploitation status as 'none'. EPSS data was not provided, but the user-interaction requirement (visiting a page) is the only meaningful barrier, making this a routine but real browser-patch priority.
Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. EPSS data was not provided, but the absence of KEV listing and no observed exploitation point to risk driven by Chrome's massive install base rather than confirmed in-the-wild abuse.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.
Sandbox escape in Google Chrome on Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics subsystem, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated Critical by Chromium with a CVSS 9.6 reflecting scope change and total compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though Google has shipped a fix.
Sandbox escape in Google Chrome for Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics component, letting a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox. Rated Critical by Chromium and carrying a CVSS 9.6 with scope change, the flaw threatens full compromise of the browser process boundary on affected Android devices. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none.
Use-after-free in libcurl 8.13.0 through 8.20.0 occurs when an application calls curl_easy_pause() from inside an event-based CURLMOPT_SOCKETFUNCTION callback, causing libcurl to write a flag through a struct pointer whose backing memory was just freed. Affected are applications built on the curl multi interface using event-based socket callbacks; the flaw can lead to memory corruption or limited information disclosure (tagged Information Disclosure) with low confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low at 0.21% (11th percentile), consistent with a niche triggering pattern rather than mass exploitation.
Use-after-free in libcurl's HTTP/2 stream-dependency handling affects a wide range of curl releases (7.88.0 through 8.20.0) when an application sets CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset() before curl_easy_cleanup(); the reset frees an internal priority structure that cleanup later re-accesses. Despite the NVD 9.8 CVSS rating, the flaw is only reachable through a specific application-controlled API call sequence rather than remote attacker input, and is tagged Information Disclosure. No public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and it is not listed in CISA KEV.
Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. No public exploit identified at time of analysis; EPSS is low (0.16%, 5th percentile) and it is not on CISA KEV.
Out-of-bounds memory read in the Linux kernel's OCFS2 filesystem driver allows a local user to leak kernel memory or crash the system by issuing the OCFS2_IOC_INFO ioctl with the OCFS2_INFO_FL_NON_COHERENT flag against a crafted or malicious OCFS2 image. The non-coherent freefrag scan path trusts the on-disk bg_bits group-descriptor field as a bitmap limit without validation, driving the bitmap walk past the end of the block buffer. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a local, filesystem-mount-dependent kernel bug rather than a remotely scanned threat.
Use-after-free in the Linux kernel's greybus 'raw' driver (drivers/staging/greybus/raw.c) allows a local user holding an open character-device handle to trigger memory corruption when the underlying raw bundle is disconnected and the application later closes the cdev. The flaw stems from the gb_raw structure (which embeds the cdev) being freed in the disconnect callback while a userspace reference remains, causing cdev_put to operate on freed memory and a refcount underflow/panic, especially with CONFIG_INIT_ON_FREE_DEFAULT_ON=y. No public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile), consistent with a local, niche-driver issue.
Local privilege-level denial of service in the Linux kernel's Greybus 'raw' character device driver (gb_raw) allows a user with access to the chardev to trigger a use-after-free by writing to the device after a disconnect has freed the underlying gb_connection object, causing a kernel NULL pointer dereference and panic (observed reliably with CONFIG_INIT_ON_FREE_DEFAULT_ON=y). The flaw is a race between the raw_write() path calling gb_operation_sync_timeout() and gb_connection_destroy() running during disconnect. EPSS is low (0.16%, 6th percentile) with no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.
Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.
Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.
Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.
Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. With a CVSS of 7.8 (high) but EPSS of only 0.17% (7th percentile), this is a memory-safety race with no public exploit identified at time of analysis; it is fixed upstream and patched in stable releases.
Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted media file that triggers a use-after-free in gf_filter_pid_inst_swap_delete_task within the filter-core PID handling code. Any pipeline or user that parses untrusted media through GPAC is affected, with publicly available proof-of-concept code, though no active exploitation has been reported and EPSS exploitation probability is low (0.17%, 6th percentile). Impact is limited to availability - there is no confidentiality or integrity loss per the CVSS vector.
Use-after-free in GPAC MP4Box before version 26.02.0 allows a local attacker to crash the application by supplying a crafted media file, resulting in Denial of Service. The flaw resides in the filter PID lifecycle management within filter_pid.c, where a PID instance could be freed prematurely while a pending reconfiguration task still held a reference to it. Publicly available exploit code exists, though the attack requires user interaction to process the malicious file and exploitation is limited to DoS with no confidentiality or integrity impact.
Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.
Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.
Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.
Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.
Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.
Use-after-free in the Oj Ruby JSON gem's SAJ parser allows an attacker who can influence parsed JSON content and the SAJ callback handler to crash the Ruby process and potentially corrupt memory. Oj::Parser fails to protect heap-allocated cached object keys of 35 bytes or more from garbage collection, so a GC cycle triggered from inside a hash_end callback frees the key while C code still holds a dangling VALUE pointer. No public exploit identified at time of analysis, but a working reproducer is published in the GHSA advisory.
Use-after-free in the Oj Ruby JSON gem (≤ 3.17.1) crashes the host process when Oj::Parser is configured in :usual mode with a custom array_class or hash_class. Because parser_mark fails to register those VALUEs with the Ruby GC, the class object can be reclaimed and the next parse() dereferences freed memory, producing a segfault. A reproducer is published in the GHSA advisory; there is no public exploit identified for remote use and the issue is not listed in CISA KEV.
Heap corruption in the Oj Ruby JSON parser allows remote attackers to crash or potentially corrupt memory in applications that parse untrusted JSON with `Oj::Parser` in `:usual` mode when the `create_id` option is enabled. A 65,535-byte object key triggers an integer truncation in `form_attr` (ext/oj/usual.c:63) that turns the buffer length into `(size_t)-1`, causing `memcpy` to write `SIZE_MAX` bytes onto a fixed 65,536-byte cache slab. No public exploit identified at time of analysis beyond the maintainer-supplied reproduction script in GHSA-9cv6-qcjw-4grx.
Heap use-after-free in the Oj Ruby JSON parser allows malicious SAJ/SAJ2 callback handlers to dereference freed memory by mutating the input JSON string mid-parse, potentially leading to memory disclosure or arbitrary code execution within the Ruby process. The flaw affects the oj gem at versions below 3.17.2 and is triggered when a callback such as hash_start invokes String#replace with a larger payload, causing Ruby to reallocate the backing buffer that the C parser still references. No public exploit identified at time of analysis, but a fully working reproducer is published in the upstream GHSA advisory.
Heap use-after-free in the Oj Ruby gem's `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) allows a Ruby block executed during iteration to free the underlying document buffer via `doc.close`, after which the native C iterator in `ext/oj/fast.c` dereferences the freed region. The flaw is reachable from pure Ruby and confirmed by an AddressSanitizer report against version 3.17.1, with no public exploit identified at time of analysis but a clear reproducer published in the GHSA advisory. Applications that parse attacker-influenced JSON with Oj::Doc and pass user-supplied callbacks into these iterators are most at risk.
Heap use-after-free in the Oj Ruby JSON parser (versions prior to 3.17.3) is triggered when an application toggles the symbol_keys option from true to false on a reused Oj::Parser instance. The opt_symbol_keys_set function frees the internal key cache via cache_free but fails to NULL the d->key_cache pointer, so the next parse call dereferences freed memory through cache_intern, potentially leading to memory disclosure, crashes, or controlled corruption. No public exploit identified at time of analysis, and the issue is documented in GitHub Security Advisory GHSA-2cw7-v8ff-p88r.
Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments to denial-of-service attacks via crafted media files. The decode_move() function retains a raw pointer into a heap-allocated decompressed buffer that is subsequently reallocated during move-table processing, leaving the pointer dangling; reading through it crashes the process. No public exploit or KEV listing has been identified at time of analysis, but the network-accessible attack vector (file delivery over the internet) and lack of authentication prerequisites make this a realistic threat to any environment that processes untrusted AVI content using the affected FFmpeg builds.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-free between the CPU-side driver and GPU firmware, where the driver frees a shared memory page before the GPU firmware finishes accessing it. Any unprivileged local user able to issue GPU system calls can trigger the race against multiple released DDK branches (1.18, 23.2, 24.2, 25.1-25.3, 26.1). No public exploit identified at time of analysis, but SSVC rates technical impact as total.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. No public exploit identified at time of analysis and SSVC reports no observed exploitation.
Use-after-free in libexpat before 2.8.2 allows memory corruption when XML_ResumeParser is called from within a handler callback during a policy-violation scenario. The missing call-depth guard permits re-entrant parser invocation, leaving dangling pointers in the parser's internal heap state and enabling potential information disclosure or memory corruption with low confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and the high attack complexity (AC:H) reflects the specific re-entrant handler pattern required to trigger the flaw.
Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race against active LDAP query worker threads. The `attr_syntax_swap_ht()` function bypasses the refcount-based deferred deletion mechanism used throughout the attribute syntax subsystem, directly freeing nodes that concurrent worker threads may still hold references to. Affected products span Red Hat Directory Server 11, 12, and 13 across RHEL 6 through 10; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.0 reflects the high-complexity, high-privilege prerequisites that substantially reduce real-world risk.
Use-after-free in Eclipse 4diac FORTE versions 3.0.0-3.1.0 allows adjacent, unauthenticated attackers to corrupt process memory by sending a specially crafted DELETE connection command to the management interface, leaving a dangling pointer exploitable by subsequent commands. The impact spans memory integrity corruption and availability loss (runtime crash), with a minor confidentiality exposure from stale freed-memory reads - meaningful risks in industrial automation deployments where FORTE orchestrates IEC 61499 distributed control logic. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the CVSS 4.0 supplemental Safety metric is marked Partial (S:P), flagging potential downstream safety consequences in OT environments.
Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total.
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.
Use-after-free in wolfSSL's TLS 1.3 PQC hybrid KeyShare processing exposes clients built with post-quantum hybrid support to a crash or memory corruption when connecting to a malicious server. This is a bypass of the incomplete fix for CVE-2026-5460 shipped in 5.9.1 - the pointer alias between keyShareEntry->key and ecc_kse->key in TLSX_KeyShare_ProcessPqcHybridClient is not re-synchronized after the inner ECC processing function frees its copy, leaving a dangling pointer that TLSX_KeyShare_FreeAll later passes to wc_ecc_free and XFREE. No public exploit or CISA KEV listing exists; the CVSS 4.0 score of 2.3 reflects limited real-world impact due to high attack complexity and non-default build requirements.
Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointing at freed libxml2 memory after `#do_xinclude` is called on a document whose nodes have already been exposed to Ruby. An application that triggers this condition may experience invalid memory reads or writes, potentially resulting in a crash or memory disclosure. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.2 reflects the high attack complexity driven by an unusual, non-default API usage pattern required to reach the vulnerable code path.
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault when an `XML::XPathContext` object outlives its source document and that document is freed by Ruby's garbage collector. Only CRuby is affected; JRuby is not. This is not triggerable by malicious document input and cannot be reached through the standard `Document#xpath`, `#css`, or related methods - it requires an unusual direct API usage pattern in application code. No public exploit has been identified, this is not listed in CISA KEV, and the CVSS 4.0 score of 1.7 reflects the tightly constrained triggering conditions.
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via `Document#root=`. The root cause is insufficient type validation in the setter, which accepted any `Nokogiri::XML::Node` subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. No active exploitation is confirmed (not in CISA KEV), no public exploit is identified, and the Nokogiri maintainers rate this low severity; the CVSS 4.0 score of 1.7 with E:U corroborates that assessment.
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.
Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.
Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).
Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. CVSS 7.8 (local, low privilege) with EPSS at 0.17% (7th percentile); no public exploit identified at time of analysis and not listed in CISA KEV.
Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.
Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).
Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.
Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.
Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.
Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.
Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).
Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.
Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).
Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.
Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis, but kernel UAF bugs of this class are historically a strong primitive for local privilege escalation.
Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%), reflecting the local-only, race-dependent nature of the bug.
Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.
Local privilege escalation and memory corruption in the Linux kernel's Qualcomm FastRPC misc driver (drivers/misc/fastrpc) arises from a use-after-free of the fastrpc_user structure during concurrent file-descriptor close and DSP response processing. A local user with access to the FastRPC device can race fastrpc_device_release() against the put_work workqueue so that fastrpc_context_free() dereferences an already-freed user object, enabling kernel memory corruption with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.18%), consistent with a hard-to-win kernel race on Qualcomm-only hardware.
Local privilege escalation and memory corruption in the Linux kernel's fastrpc misc driver allows an attacker with local low-privileged access to a FastRPC device to trigger a use-after-free in fastrpc_map_create by racing a concurrent MEM_UNMAP against map lookup. The flaw stems from fastrpc_map_lookup returning an unprotected raw pointer after dropping fl->lock, which a concurrent unmap can free before the reference is taken. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.17%, 7th percentile), consistent with a kernel race condition requiring local access and precise timing.
Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). No public exploit identified at time of analysis, EPSS is very low (0.17%, 7th percentile), and it is not on CISA KEV, but the CVSS 3.1 base score is 7.8 (High) reflecting full confidentiality, integrity and availability impact from local exploitation.
Local privilege escalation and memory corruption in the Linux kernel's nvmem core subsystem arises from use-after-free bugs in multiple error paths where __nvmem_device_put() releases the nvmem device (and its backing memory/resources) but the code continues to dereference the freed structure before returning. A local, low-privileged user able to trigger these error paths can corrupt kernel memory, potentially leading to code execution or information disclosure. Fix is upstream in stable kernel trees; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).
Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenticated attacker to crash the server process by exploiting a heap use-after-free in the TLS error-logging path. By sending a DNS query over a DNS-over-TLS (DoT) connection and closing the socket before reading the response, an attacker triggers the freed-memory access trivially; no public exploit identified at time of analysis, and the issue is not in CISA KEV. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity exposure.
Local privilege escalation to root in OpenBSD through 7.9 arises from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c). An authenticated local user calling sys_semget() can trigger a context-switch use-after-free after tsleep(), where a freed semid_ds_kern structure is reused, enabling kernel memory corruption and full root compromise. There is no public exploit identified at time of analysis, EPSS probability is low (0.12%), and the issue is not listed in CISA KEV; the upstream fix adds reference counting (sem_ref/sem_rele) around the sleep window.
Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).
Use-after-free in MP4Box's filter pipeline core (gf_filter_pid_inst_swap in filter_pid.c) allows local attackers to crash the application - and potentially achieve memory corruption beyond DoS - by supplying a crafted media file. Publicly available exploit code exists for this vulnerability, hosted on GitHub in a dedicated proof-of-concept repository. The EPSS score is low (0.17%, 6th percentile) with no CISA KEV listing, suggesting the public POC is research-grade rather than part of active exploitation campaigns, but the barrier to triggering a crash is low for any attacker with file delivery capability.
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_load_from_state_internal function of the SEI loader filter (src/filters/sei_load.c). Processing a maliciously crafted MPEG-2 Transport Stream file causes the parser to dereference a dangling pointer, crashing the application. Publicly available exploit code (a PoC test case and write-up) exists, though the issue is not listed in CISA KEV and carries a low EPSS exploitation probability (0.17%, 6th percentile).
Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.
Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.
Heap corruption in Google Chrome's Web Authentication (WebAuthn) component affects all desktop builds prior to 149.0.7827.197, where a use-after-free (CWE-416) can be triggered by a malicious browser extension. An attacker who first convinces a victim to install a crafted extension can reach the freed object and potentially achieve code execution. Rated High by Chromium with a CVSS 7.5; there is no public exploit identified at time of analysis and CISA SSVC marks exploitation as none.
Renderer-side heap corruption in Google Chrome's FileSystem component (versions prior to 149.0.7827.197) lets a remote attacker who lures a victim to a crafted HTML page trigger a use-after-free, potentially leading to arbitrary code execution within the renderer. Rated High severity by Chromium with a CVSS of 8.8; no public exploit identified at time of analysis, and CISA's SSVC framework currently records exploitation status as 'none'. EPSS data was not provided, but the user-interaction requirement (visiting a page) is the only meaningful barrier, making this a routine but real browser-patch priority.
Heap corruption via use-after-free in Google Chrome's Digital Credentials component on macOS allows a remote attacker to potentially execute code by luring a victim to a crafted HTML page, affecting Chrome builds prior to 149.0.7827.197. The flaw was reported internally by Google's Chrome team, and per CISA's SSVC framework exploitation is currently 'none', so this is no public exploit identified at time of analysis despite a high (8.8) CVSS score requiring user interaction. EPSS data was not provided, but the absence of KEV listing and no observed exploitation point to risk driven by Chrome's massive install base rather than confirmed in-the-wild abuse.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.197 stems from a use-after-free condition in the Autofill component, letting a remote attacker run arbitrary code in the renderer when a victim opens a malicious web page. Chromium rates the flaw Critical and CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, tempered by the requirement that the user load attacker-controlled content. There is no public exploit identified at time of analysis, and SSVC records exploitation status as none, but the 'total' technical impact makes prompt patching important.
Sandbox escape in Google Chrome on Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics subsystem, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated Critical by Chromium with a CVSS 9.6 reflecting scope change and total compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not on CISA KEV, though Google has shipped a fix.
Sandbox escape in Google Chrome for Android before 149.0.7827.197 stems from a use-after-free in the WebGL graphics component, letting a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox. Rated Critical by Chromium and carrying a CVSS 9.6 with scope change, the flaw threatens full compromise of the browser process boundary on affected Android devices. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none.
Use-after-free in libcurl 8.13.0 through 8.20.0 occurs when an application calls curl_easy_pause() from inside an event-based CURLMOPT_SOCKETFUNCTION callback, causing libcurl to write a flag through a struct pointer whose backing memory was just freed. Affected are applications built on the curl multi interface using event-based socket callbacks; the flaw can lead to memory corruption or limited information disclosure (tagged Information Disclosure) with low confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low at 0.21% (11th percentile), consistent with a niche triggering pattern rather than mass exploitation.
Use-after-free in libcurl's HTTP/2 stream-dependency handling affects a wide range of curl releases (7.88.0 through 8.20.0) when an application sets CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, then calls curl_easy_reset() before curl_easy_cleanup(); the reset frees an internal priority structure that cleanup later re-accesses. Despite the NVD 9.8 CVSS rating, the flaw is only reachable through a specific application-controlled API call sequence rather than remote attacker input, and is tagged Information Disclosure. No public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and it is not listed in CISA KEV.
Local privilege-dependent use-after-free in the Linux kernel's fs/mbcache subsystem allows a privileged user (root or CAP_SYS_ADMIN) to trigger memory corruption when unmounting an ext2, ext4, or ocfs2 filesystem. mb_cache_destroy() frees the cache without cancelling the pending c_shrink_work item, so a still-running mb_cache_shrink_worker() accesses freed memory (CWE-416), potentially leading to kernel code execution or crash. No public exploit identified at time of analysis; EPSS is low (0.16%, 5th percentile) and it is not on CISA KEV.
Out-of-bounds memory read in the Linux kernel's OCFS2 filesystem driver allows a local user to leak kernel memory or crash the system by issuing the OCFS2_IOC_INFO ioctl with the OCFS2_INFO_FL_NON_COHERENT flag against a crafted or malicious OCFS2 image. The non-coherent freefrag scan path trusts the on-disk bg_bits group-descriptor field as a bitmap limit without validation, driving the bitmap walk past the end of the block buffer. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a local, filesystem-mount-dependent kernel bug rather than a remotely scanned threat.
Use-after-free in the Linux kernel's greybus 'raw' driver (drivers/staging/greybus/raw.c) allows a local user holding an open character-device handle to trigger memory corruption when the underlying raw bundle is disconnected and the application later closes the cdev. The flaw stems from the gb_raw structure (which embeds the cdev) being freed in the disconnect callback while a userspace reference remains, causing cdev_put to operate on freed memory and a refcount underflow/panic, especially with CONFIG_INIT_ON_FREE_DEFAULT_ON=y. No public exploit identified at time of analysis, and EPSS is low (0.16%, 6th percentile), consistent with a local, niche-driver issue.
Local privilege-level denial of service in the Linux kernel's Greybus 'raw' character device driver (gb_raw) allows a user with access to the chardev to trigger a use-after-free by writing to the device after a disconnect has freed the underlying gb_connection object, causing a kernel NULL pointer dereference and panic (observed reliably with CONFIG_INIT_ON_FREE_DEFAULT_ON=y). The flaw is a race between the raw_write() path calling gb_operation_sync_timeout() and gb_connection_destroy() running during disconnect. EPSS is low (0.16%, 6th percentile) with no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation and memory corruption in the Linux kernel's taprio traffic scheduler (net/sched) arises from a use-after-free in advance_sched() during an admin-to-oper schedule switch, affecting kernels from 5.2 through the fixed releases. After switch_schedules() queues the old oper schedule for RCU freeing, the 'next' pointer still references a freed entry that is then written to and published via rcu_assign_pointer(), letting a local user with network-configuration capability corrupt kernel memory for potential code execution. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a complex local-only TSN feature rather than mass exploitation.
Use-after-free in the Linux kernel's ksmbd in-kernel SMB3 server occurs during durable handle reconnect, where smb2_open prematurely drops the durable file reference via ksmbd_put_durable_fd(fp); a subsequent error path or scavenger access then dereferences freed fp fields (e.g., fp->create_time). Affecting Linux ksmbd across multiple stable branches and fixed in releases such as 6.6.32, 6.18.33, 7.0.10, and 7.1, the flaw is rated CVSS 9.8 but carries a low EPSS of 0.17% (6th percentile); it is not in CISA KEV and no public exploit identified at time of analysis. An attacker with SMB access can trigger memory corruption potentially leading to information disclosure, denial of service, or code execution in kernel context.
Local use-after-free in the Linux kernel's AF_UNIX subsystem occurs when SOCKMAP (BPF socket map) redirects skbs carrying inflight file descriptors, hiding them from the AF_UNIX garbage collector and breaking the Tarjan-based GC's assumption that unix_edge.successor stays alive — producing a slab use-after-free in unix_del_edges() plus inflight-socket leaks and incorrect fdinfo accounting. Affected are kernels supporting SOCKMAP/sk_psock redirect (roughly 5.15 through pre-fix 7.x trees); a local attacker who can set up SOCKMAP redirection and pass SCM_RIGHTS descriptors can corrupt kernel memory toward privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is low (0.16%, 6th percentile), and it is not in CISA KEV.
Use-after-free in the Linux kernel rtl8150 USB-to-Ethernet driver (drivers/net/usb/rtl8150.c) lets the transmit path read freed socket-buffer memory: rtl8150_start_xmit() reads skb->len for TX byte accounting after usb_submit_urb(), but the URB completion handler write_bulk_callback() can free the skb on another CPU first, producing a slab-use-after-free read flagged by KASAN/syzbot. Affected systems are those using an RTL8150-based USB Ethernet adapter; the practical impact is a stale/garbage stat read or a potential crash from freed-memory access rather than reliable info disclosure. There is no public exploit identified at time of analysis (not in CISA KEV, EPSS 0.18%/8th percentile), and the issue was found and fixed via upstream syzbot fuzzing.
Use-after-free in the Linux kernel's Amazon ENA (Elastic Network Adapter) PTP Hardware Clock (PHC) get_timestamp path lets a local low-privileged user trigger a NULL/dangling pointer dereference via a race between timestamp reads and clock teardown. The driver checked phc->active and cached the resp pointer from ena_dev->phc.virt_addr before taking the spinlock, so a concurrent ena_com_phc_destroy() could free the DMA memory and NULL virt_addr mid-operation. With a CVSS of 7.8 (high) but EPSS of only 0.17% (7th percentile), this is a memory-safety race with no public exploit identified at time of analysis; it is fixed upstream and patched in stable releases.
Local privilege escalation and memory corruption is possible in the Linux kernel's QRTR (Qualcomm IPC Router) networking subsystem (net/qrtr/af_qrtr.c), where qrtr_port_remove() decrements a socket's reference count via __sock_put() before erasing the port from the qrtr_ports XArray and before the RCU grace period elapses, violating the RCU update ordering. A concurrent RCU reader (qrtr_reset_ports() or qrtr_port_lookup()) can retrieve the socket and call sock_hold() on an object whose refcount has already reached zero, producing refcount saturation and a use-after-free. The issue was reproduced by syzkaller fuzzing; it carries a CVSS of 7.8 (AV:L), EPSS is low at 0.18% (8th percentile), it is not on CISA KEV, and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).
Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted media file that triggers a use-after-free in gf_filter_pid_inst_swap_delete_task within the filter-core PID handling code. Any pipeline or user that parses untrusted media through GPAC is affected, with publicly available proof-of-concept code, though no active exploitation has been reported and EPSS exploitation probability is low (0.17%, 6th percentile). Impact is limited to availability - there is no confidentiality or integrity loss per the CVSS vector.
Use-after-free in GPAC MP4Box before version 26.02.0 allows a local attacker to crash the application by supplying a crafted media file, resulting in Denial of Service. The flaw resides in the filter PID lifecycle management within filter_pid.c, where a PID instance could be freed prematurely while a pending reconfiguration task still held a reference to it. Publicly available exploit code exists, though the attack requires user interaction to process the malicious file and exploitation is limited to DoS with no confidentiality or integrity impact.
Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.
Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.
Heap use-after-free in ImageMagick's meta coder allows remote attackers to crash the process by submitting a specially crafted image file that triggers a memory allocation failure, causing a single byte write to a stale (freed) pointer. Affected versions are ImageMagick before 7.1.2-15 and 6.9.13-40, as well as Magick.NET NuGet wrapper packages before 14.10.3. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that reliable exploitation requires specific memory allocation failure conditions rather than straightforward request-and-crash triggering.
Use-after-free in libxml2's xmlParseInternalSubset function affects GNOME libxml2 versions 2.9.11 through 2.11.0 and can be triggered remotely by crafted XML containing abusive entity resolution, leading to denial of service of any application that parses untrusted XML with this library. Publicly available exploit code exists (CVSS 4.0 E:P) but the issue is not listed in CISA KEV, indicating proof-of-concept demonstration rather than confirmed active exploitation. The flaw was disclosed by Canonical and tracked in GNOME GitLab work item 1058 and Ubuntu Launchpad bug 2141260.
Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.
Use-after-free in the Oj Ruby JSON gem's SAJ parser allows an attacker who can influence parsed JSON content and the SAJ callback handler to crash the Ruby process and potentially corrupt memory. Oj::Parser fails to protect heap-allocated cached object keys of 35 bytes or more from garbage collection, so a GC cycle triggered from inside a hash_end callback frees the key while C code still holds a dangling VALUE pointer. No public exploit identified at time of analysis, but a working reproducer is published in the GHSA advisory.
Use-after-free in the Oj Ruby JSON gem (≤ 3.17.1) crashes the host process when Oj::Parser is configured in :usual mode with a custom array_class or hash_class. Because parser_mark fails to register those VALUEs with the Ruby GC, the class object can be reclaimed and the next parse() dereferences freed memory, producing a segfault. A reproducer is published in the GHSA advisory; there is no public exploit identified for remote use and the issue is not listed in CISA KEV.
Heap corruption in the Oj Ruby JSON parser allows remote attackers to crash or potentially corrupt memory in applications that parse untrusted JSON with `Oj::Parser` in `:usual` mode when the `create_id` option is enabled. A 65,535-byte object key triggers an integer truncation in `form_attr` (ext/oj/usual.c:63) that turns the buffer length into `(size_t)-1`, causing `memcpy` to write `SIZE_MAX` bytes onto a fixed 65,536-byte cache slab. No public exploit identified at time of analysis beyond the maintainer-supplied reproduction script in GHSA-9cv6-qcjw-4grx.
Heap use-after-free in the Oj Ruby JSON parser allows malicious SAJ/SAJ2 callback handlers to dereference freed memory by mutating the input JSON string mid-parse, potentially leading to memory disclosure or arbitrary code execution within the Ruby process. The flaw affects the oj gem at versions below 3.17.2 and is triggered when a callback such as hash_start invokes String#replace with a larger payload, causing Ruby to reallocate the backing buffer that the C parser still references. No public exploit identified at time of analysis, but a fully working reproducer is published in the upstream GHSA advisory.
Heap use-after-free in the Oj Ruby gem's `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) allows a Ruby block executed during iteration to free the underlying document buffer via `doc.close`, after which the native C iterator in `ext/oj/fast.c` dereferences the freed region. The flaw is reachable from pure Ruby and confirmed by an AddressSanitizer report against version 3.17.1, with no public exploit identified at time of analysis but a clear reproducer published in the GHSA advisory. Applications that parse attacker-influenced JSON with Oj::Doc and pass user-supplied callbacks into these iterators are most at risk.
Heap use-after-free in the Oj Ruby JSON parser (versions prior to 3.17.3) is triggered when an application toggles the symbol_keys option from true to false on a reused Oj::Parser instance. The opt_symbol_keys_set function frees the internal key cache via cache_free but fails to NULL the d->key_cache pointer, so the next parse call dereferences freed memory through cache_intern, potentially leading to memory disclosure, crashes, or controlled corruption. No public exploit identified at time of analysis, and the issue is documented in GitHub Security Advisory GHSA-2cw7-v8ff-p88r.
Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments to denial-of-service attacks via crafted media files. The decode_move() function retains a raw pointer into a heap-allocated decompressed buffer that is subsequently reallocated during move-table processing, leaving the pointer dangling; reading through it crashes the process. No public exploit or KEV listing has been identified at time of analysis, but the network-accessible attack vector (file delivery over the internet) and lack of authentication prerequisites make this a realistic threat to any environment that processes untrusted AVI content using the affected FFmpeg builds.
Use-after-free memory corruption in Cloudflare Quiche's FFI layer exposes applications built with the non-default FFI feature flag to remote denial of service and limited heap disclosure. Two FFI iterator functions - quiche_connection_id_iter_next and quiche_conn_retired_scid_next - return raw pointers to ConnectionId values that are immediately freed when their owning Rust scope exits, leaving callers holding dangling pointers. No public exploit has been identified at time of analysis and there is no CISA KEV listing, but the CVSS 5.6 (AV:N/AC:H) score correctly reflects the constrained preconditions imposed by the opt-in build flag.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK arises from a write use-after-free between the CPU-side driver and GPU firmware, where the driver frees a shared memory page before the GPU firmware finishes accessing it. Any unprivileged local user able to issue GPU system calls can trigger the race against multiple released DDK branches (1.18, 23.2, 24.2, 25.1-25.3, 26.1). No public exploit identified at time of analysis, but SSVC rates technical impact as total.
Local privilege escalation and denial of service in Imagination Technologies Graphics DDK (PowerVR GPU driver) allows non-privileged users to trigger a use-after-free of GPU MMU page tables via crafted GPU system calls. An error path fails to clean up before freeing the physical page-table allocation, enabling memory corruption that can be leveraged for kernel-context impact. No public exploit identified at time of analysis and SSVC reports no observed exploitation.
Use-after-free in libexpat before 2.8.2 allows memory corruption when XML_ResumeParser is called from within a handler callback during a policy-violation scenario. The missing call-depth guard permits re-entrant parser invocation, leaving dangling pointers in the parser's internal heap state and enabling potential information disclosure or memory corruption with low confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis, and the high attack complexity (AC:H) reflects the specific re-entrant handler pattern required to trigger the flaw.
Use-after-free in 389 Directory Server's schema reload path crashes the server when administrative schema reloads race against active LDAP query worker threads. The `attr_syntax_swap_ht()` function bypasses the refcount-based deferred deletion mechanism used throughout the attribute syntax subsystem, directly freeing nodes that concurrent worker threads may still hold references to. Affected products span Red Hat Directory Server 11, 12, and 13 across RHEL 6 through 10; no public exploit or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.0 reflects the high-complexity, high-privilege prerequisites that substantially reduce real-world risk.
Use-after-free in Eclipse 4diac FORTE versions 3.0.0-3.1.0 allows adjacent, unauthenticated attackers to corrupt process memory by sending a specially crafted DELETE connection command to the management interface, leaving a dangling pointer exploitable by subsequent commands. The impact spans memory integrity corruption and availability loss (runtime crash), with a minor confidentiality exposure from stale freed-memory reads - meaningful risks in industrial automation deployments where FORTE orchestrates IEC 61499 distributed control logic. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the CVSS 4.0 supplemental Safety metric is marked Partial (S:P), flagging potential downstream safety consequences in OT environments.
Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes and potentially execute arbitrary code on hosts where HTTP/3 QUIC is enabled. Exploitation requires a specially crafted HTTP/3 session that reopens a QPACK encoder stream, with code execution contingent on ASLR being disabled or bypassed; no public exploit identified at time of analysis, though SSVC technical impact is rated total.
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)