Memory Corruption
Memory corruption occurs when a program writes data beyond the boundaries of allocated memory regions or accesses memory in unintended ways, violating the integrity of the process's address space.
How It Works
Memory corruption occurs when a program writes data beyond the boundaries of allocated memory regions or accesses memory in unintended ways, violating the integrity of the process's address space. Attackers exploit these flaws by carefully crafting inputs that trigger the corruption, allowing them to overwrite critical data structures like function pointers, return addresses, or object metadata. The corrupted memory then causes the program to execute attacker-controlled code or leak sensitive information when that memory is subsequently accessed.
Several common variants exist with distinct mechanisms. Buffer overflows write past array boundaries, overwriting adjacent memory. Use-after-free bugs occur when code accesses memory after it's been deallocated, allowing attackers to reallocate that space with malicious data. Type confusion tricks programs into treating objects as different types, causing field accesses at incorrect offsets that can leak data or enable writes to arbitrary locations. Double-free vulnerabilities free the same memory twice, corrupting heap metadata structures that allocate memory, ultimately enabling arbitrary writes when the corrupted allocator is used again.
The typical attack flow involves reconnaissance to identify the corruption primitive, heap manipulation to position target structures in predictable locations, triggering the vulnerability to corrupt specific memory, and finally leveraging the corruption to hijack control flow or extract data. Modern exploits often chain multiple primitives together, using information leaks to defeat ASLR before achieving code execution.
Impact
- Arbitrary code execution: Execute attacker-supplied machine code or reuse existing code (ROP/JOP) with full privileges of the vulnerable process
- Privilege escalation: Exploit kernel memory corruption to escalate from user to root/SYSTEM privileges
- Information disclosure: Leak cryptographic keys, passwords, authentication tokens, or bypass ASLR by reading memory layout
- Denial of service: Crash critical services by corrupting essential data structures
- Sandbox escape: Break out of browser or application isolation boundaries to compromise the host system
Real-World Examples
The Chrome V8 JavaScript engine has suffered numerous type confusion vulnerabilities where JavaScript objects are mishandled, allowing attackers to achieve browser compromise through malicious websites. CVE-2021-30551 exemplified this, enabling remote code execution via crafted web content.
Windows kernel vulnerabilities like CVE-2020-17087 demonstrated use-after-free exploitation, where local attackers triggered memory reuse in the kernel to escalate privileges to SYSTEM. This was actively exploited in targeted attacks before patching.
The Heartbleed vulnerability (CVE-2014-0160) in OpenSSL showed devastating information disclosure through a buffer over-read, leaking 64KB chunks of server memory containing private keys, passwords, and session tokens across millions of servers.
Mitigation
- Memory-safe languages: Use Rust, Go, or Swift for new code to eliminate entire classes of corruption bugs
- Sanitizers in development: Deploy AddressSanitizer (ASAN) and MemorySanitizer (MSAN) during testing to detect corruption immediately
- Fuzzing with coverage feedback: Continuously fuzz parsers and input handlers using AFL++ or libFuzzer to discover corruption bugs
- Control Flow Integrity (CFI): Enable compiler-based CFI to restrict indirect call targets and prevent ROP
- Exploit mitigations: Deploy stack canaries, ASLR, DEP/NX, and shadow stacks on all platforms
- Sandboxing: Isolate vulnerable components using seccomp, pledge, or process isolation to contain successful exploits
Recent CVEs (15288)
Use-after-free memory corruption in Safari's web content processing causes an unexpected application crash across Apple platforms. Affected are Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2; exploitation requires only that a user visits or loads maliciously crafted web content, making drive-by delivery via a malicious webpage the primary vector. Impact is confined to availability - a forced Safari crash (denial of service) - with no confirmed confidentiality or integrity consequences. No public exploit code or active exploitation has been identified at time of analysis.
Use-after-free in Safari's web content processing engine causes denial of service across Apple platforms, affecting Safari, iOS/iPadOS, and macOS prior to the 26.5.2 release line. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms remote, unauthenticated triggering requiring only that a user visit attacker-controlled web content, with impact limited to availability - specifically an unexpected Safari crash. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.
Memory corruption via use-after-free in Apple's WebKit browser engine allows remote attackers to corrupt memory when a victim processes maliciously crafted web content on Safari, iOS/iPadOS, or macOS prior to 26.5.2. The CVSS 3.1 score of 8.8 reflects network-reachable exploitation requiring only that a user open a malicious page; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation typically serves as the initial stage of a browser-based attack chain (often paired with a sandbox escape) to achieve code execution in the renderer.
Safari's web content processing engine on iOS, iPadOS, and macOS Tahoe contains an out-of-bounds write (CWE-787) that causes an unexpected crash when rendering maliciously crafted web content. All Safari versions prior to 26.5.2 - and the underlying WebKit engine shipping with iOS/iPadOS and macOS Tahoe prior to 26.5.2 - are affected. Apple has released patched versions across all three platforms; no public exploit code or CISA KEV listing has been identified at time of analysis, and available impact is limited to a denial-of-service crash with no confirmed code execution path.
Use-after-free memory corruption in Apple Safari (and the broader iOS/iPadOS/macOS Tahoe platform) allows a malicious web extension to trigger an unexpected process crash, resulting in a denial-of-service condition. Affected versions span all Safari, iOS/iPadOS, and macOS Tahoe releases prior to 26.5.2, with Apple-confirmed fixes available across all three platforms. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; the high attack complexity and requirement for a pre-installed malicious extension meaningfully constrain real-world risk.
Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a victim to maliciously crafted web content, affecting Safari, iOS/iPadOS, and macOS before version 26.5.2. The flaw (CWE-843) is network-reachable but requires user interaction (visiting a page), and no public exploit has been identified at time of analysis. Apple has shipped patches across Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2.
Use-after-free memory corruption in Apple's WebKit engine causes unexpected process crashes when processing maliciously crafted web content. Affected platforms include Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service condition by luring a user to a malicious web page; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Use-after-free memory corruption in WebKit's web content processing causes unexpected process crashes across Safari, iOS, and iPadOS on all versions prior to 26.5.2. An unauthenticated remote attacker who can lure a user to visit a maliciously crafted web page can trigger this condition, resulting in a denial-of-service via browser process termination. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV, though the use-after-free class in WebKit has historically been chained with other primitives to escalate impact.
Use-after-free memory corruption in Safari's web content processing engine causes an unexpected process crash when rendering maliciously crafted web pages. Affected products include Safari, iOS and iPadOS, and macOS Tahoe, all prior to version 26.5.2. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low attack complexity and no-privileges-required vector make user-targeted delivery straightforward.
Use-after-free memory corruption in Apple's WebKit rendering engine causes unexpected process crashes when processing maliciously crafted web content across Safari, iOS/iPadOS, and macOS Tahoe. All three platform variants prior to the 26.5.2 release train are affected, covering a substantial portion of Apple's consumer and enterprise device fleet. An unauthenticated remote attacker can trigger a denial-of-service condition by enticing a victim to visit a specially crafted webpage; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Memory corruption in Apple's WebKit browser engine (Safari and the system WebView on iOS, iPadOS, and macOS before 26.5.2) allows a remote attacker to corrupt process memory when a victim loads maliciously crafted web content. The flaw is a use-after-free (CWE-416) and carries a CVSS 8.8 with required user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Apple reported and patched it in coordinated releases on 2026 advisories.
Heap use-after-free read in libblkid (util-linux) enables unauthenticated local attackers to crash udisks or leak root-process heap data by presenting a crafted block device image during nested partition probing. BSD, Minix, Solaris x86, and UnixWare partition table parsers cache raw pointers into a dynamically allocated partition array; when subsequent partition additions trigger array reallocation, those pointers become stale and dereference freed memory. Because udev and udisks invoke libblkid automatically as root on block-device hot-plug events, USB insertion alone is sufficient to trigger the flaw without any user interaction or authentication. No public exploit identified at time of analysis.
Memory corruption and denial of service in Zephyr RTOS (v4.0.0 through v4.4.0) arises in the BSD-sockets getaddrinfo() implementation, where a timed-out DNS query is retried without cancelling the prior query, leaving a callback holding a pointer into a stack frame that goes out of scope after getaddrinfo() returns. A network-delivered DNS response matched by its spoofable 16-bit transaction id, or the resolver's own delayed timeout work, then writes through that stale pointer, enabling crashes or reused-stack corruption. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; exploitation is gated by a timing/race window reflected in CVSS AC:H.
Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. No exploit code is publicly available and this vulnerability is not listed in CISA KEV; the upstream fix has been committed but a tagged patched release version has not been independently confirmed.
Out-of-bounds heap write in FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) allows attackers to corrupt memory when libavcodec decodes a crafted stream using the RASC FourCC. The decoder performs 32-bit reads/writes at the row cursor before the NEXT_LINE boundary check and validates DLTA regions in pixel rather than byte units, letting a DLTA run on a PAL8 frame write and read several bytes past the row allocation. Publicly available exploit code exists (reported by VulnCheck); no public active exploitation has been identified at time of analysis.
Out-of-bounds heap write in the Zephyr RTOS IP socket stack (recvmsg/insert_pktinfo) lets an unprivileged local userspace thread corrupt kernel-heap memory on builds using CONFIG_USERSPACE. Affecting Zephyr v3.6.0 through v4.4.0, the flaw is triggered when an application calls recvmsg() with an undersized ancillary (msg_control) buffer on a UDP/IP socket that has IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled and a datagram arrives. There is no public exploit identified at time of analysis and EPSS is low (0.12%), but the memory-corruption primitive gives full C/I/A impact locally.
Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Denial of service in the Go golang.org/x/image/tiff decoder allows remote attackers to crash any application that parses untrusted TIFF images. A maliciously crafted image with an out-of-bounds strip offset triggers a panic in the decoder, terminating the goroutine or process (CVSS 7.5, availability-only impact). There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), indicating no observed mass exploitation, but the bug is trivially triggerable wherever the library decodes attacker-supplied images.
Local memory corruption in the Linux kernel's NXP ENETC (enetc) network driver stems from a DMA use-after-free in the NTMP command path: when netc_xmit_ntmp_cmd() times out, the pending hardware command is not aborted yet ntmp_free_data_mem() frees the associated DMA buffer, so the device later DMA-writes its response into the freed (possibly reallocated) physical address, producing silent kernel memory corruption. Only systems running NXP ENETC networking hardware on kernels from 6.16 through the fixed stable releases are affected. There is no public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.17%, 6th percentile).
Use-after-free in the Linux kernel's mailbox-test debug driver (mailbox-test.c) allows a local privileged attacker to corrupt kernel memory when the driver's probe routine fails, because previously acquired mailbox channels are not released while the devm-allocated client structure is freed anyway. The flaw carries a CVSS of 7.8 with high confidentiality, integrity, and availability impact, but exploitation is local and requires the mailbox-test module to load and hit a probe error path. No public exploit is identified at time of analysis and EPSS estimates exploitation probability at only 0.18%.
Use-after-free in the Linux kernel's Intel Xe GPU driver (drm/xe EU stall sampling) lets a local low-privileged user with access to the render/DRM device trigger memory corruption during stream close. In xe_eu_stall_stream_close() the driver calls drm_dev_put() before disabling the stream and freeing its resources, so if that call drops the last reference the device structures may be freed while subsequent cleanup still dereferences them. The defect is patched upstream, no public exploit is identified at time of analysis, and EPSS rates exploitation probability very low (0.17%, 6th percentile).
Use-after-free in Envoy's HTTP OAuth2 filter (envoy.filters.http.oauth2) across versions 1.37.0-1.37.4 and 1.38.0-1.38.2 enables unauthenticated remote attackers to crash Envoy worker threads by racing a connection teardown against an in-flight async token exchange. When a downstream client disconnects while the filter is awaiting an async OAuth2 token response, the late AsyncClient callback invokes StreamDecoderFilterCallbacks on an already-freed object, producing undefined behavior and worker crashes. The reporter explicitly disclaims RCE - confirmed impact is availability loss (DoS); allocator-dependent memory corruption effects beyond crash are theoretically possible but not demonstrated. No public exploit or CISA KEV listing identified at time of analysis.
Use-After-Free crash in Envoy's ext_authz HTTP filter allows remote unauthenticated attackers to trigger a segmentation fault and process crash by rapidly establishing and tearing down downstream connections when per-route authorization overrides are configured. Affected are Envoy versions 1.36.0-1.36.8, 1.37.0-1.37.4, and 1.38.0-1.38.2. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the race condition exploitability is constrained by requiring specific ext_authz per-route override configuration.
Envoy proxy's External Processing (ext_proc) filter crashes with a use-after-free when an ext_proc gRPC server sends a single batched gRPC message containing multiple specially crafted ProcessingResponse objects. Affected versions span 1.34.0 through pre-fix releases across four maintained branches; fixed releases are 1.35.13, 1.36.9, 1.37.5, and 1.38.3. With CVSS PR:L, exploitation requires control of or compromise of the ext_proc gRPC server endpoint, limiting the realistic attacker population but making this a high-priority patch for any deployment running ext_proc. No public exploit code and no CISA KEV listing exist at time of analysis.
Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unusual or edge-case shader code (e.g. WebGL/compute shaders using a very small value) corrupt memory and crash the GPU compiler process. On platforms where that compiler process runs with system privileges, the memory corruption could be chained toward privilege escalation or further device exploitation. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; impact is integrity and availability (CVSS 7.7, CWE-823).
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote, unauthenticated attackers crash the device by sending a crafted HTTP request to onvif.cgi. The ONVIF CGI handler fails to bounds-check HTTP request body data, so oversized input triggers an out-of-bounds write and memory corruption. No public exploit identified at time of analysis, and the flaw yields availability impact only — no code execution or data disclosure is claimed by the vendor.
Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use-after-free memory corruption in Google Chrome's Payments component on Android (prior to 149.0.7827.201) enables a local attacker with physical access to the device to trigger heap corruption, yielding high impact across confidentiality, integrity, and availability. The physical-access requirement (CVSS AV:P) substantially constrains the exploitable population to scenarios such as unattended or stolen devices. No public exploit identified at time of analysis, and no CISA KEV listing exists, indicating this has not been observed in active exploitation campaigns.
Out-of-bounds write in wolfSSL's SetSuitesHashSigAlgo function corrupts memory when an application passes an oversized signature algorithms list to the wolfSSL_CTX_set1_sigalgs_list or wolfSSL_set1_sigalgs_list APIs, writing past the end of the internal suites buffer (CWE-787). All wolfSSL versions prior to the bounds-check fix in PR #10204 are affected; the CVSS 4.0 score of 2.0 reflects a local-only vector, high complexity, and constrained impact limited to low integrity and availability degradation within the consuming process. No public exploit has been identified and this vulnerability is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.
Use-after-free in wolfSSL's TLS 1.3 PQC hybrid KeyShare processing exposes clients built with post-quantum hybrid support to a crash or memory corruption when connecting to a malicious server. This is a bypass of the incomplete fix for CVE-2026-5460 shipped in 5.9.1 - the pointer alias between keyShareEntry->key and ecc_kse->key in TLSX_KeyShare_ProcessPqcHybridClient is not re-synchronized after the inner ECC processing function frees its copy, leaving a dangling pointer that TLSX_KeyShare_FreeAll later passes to wc_ecc_free and XFREE. No public exploit or CISA KEV listing exists; the CVSS 4.0 score of 2.3 reflects limited real-world impact due to high attack complexity and non-default build requirements.
Pre-authentication heap buffer overflow in wolfSSL 5.9.0 and earlier affects builds compiled with DTLS 1.3 support, where an integer truncation in the ACK record-number list length computation (Dtls13GetAckListLength using a word16) allocates an undersized buffer that is then overrun during ACK serialization. Because the flaw is reachable before the connecting peer is authenticated, a remote unauthenticated attacker can trigger memory corruption against a DTLS 1.3 endpoint, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects primarily a high availability (crash/DoS) impact with limited integrity impact.
Buffer overflow in wolfSSL's PKCS#7 decoder (versions 5.9.0 and earlier) allows attackers with low-privilege account access on an adjacent network to corrupt memory by providing crafted encrypted messages to applications using undersized output buffers in wc_PKCS7_DecodeEncryptedData. Real-world exploitation is severely constrained by requirements for adjacent network access, low privilege, user interaction, and specific attack target conditions, resulting in minimal integrity impact with no availability or confidentiality effects. No public exploit code or active exploitation is known at the time of analysis.
Remote denial of service in wolfSSL's Renesas TSIP TLS 1.3 client port (WOLFSSL_RENESAS_TSIP_TLS on Renesas MCUs with TSIP hardware) arises from an out-of-bounds heap write in tsip_StoreMessage(), where the capacity check guarding the fixed 8 KB message bag sets an error code but omits the return, letting execution fall through to an XMEMCPY that overruns the buffer once the accumulated handshake transcript exceeds 8 KB. A malicious or man-in-the-middle TLS 1.3 server (or an unusually large but legitimate certificate chain) can trigger heap corruption and crash the client. There is no public exploit identified at time of analysis, it is not on CISA KEV, and the upstream fix is available as wolfSSL PR #10705.
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.
Arbitrary code execution in AzeoTech DAQFactory (versions 21.1 and prior) arises from a use-after-free flaw triggered when the application parses a maliciously crafted .ctl project/control file. An attacker who can convince an operator to open a booby-trapped .ctl file can corrupt memory and run code in the context of the DAQFactory process on the engineering or HMI workstation. No public exploit is identified at time of analysis and the CVE is not in CISA KEV, but it carries a high CVSS 4.0 base score of 8.4 driven by full confidentiality, integrity, and availability impact.
Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted `.spl`/`.sug` file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in `tree_count_words()` and `sug_filltree()` inside `src/spellfile.c`, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. No public exploit identified at time of analysis (CVSS 4.0 E:U), though the upstream fix commit includes a detailed proof-of-concept test case reproducing the out-of-bounds write.
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
Stack out-of-bounds write in Vim's spell_soundfold_sofo() function (src/spell.c) allows local exploitation when a SOFO-based spell language is active and the soundfold path is triggered with a word exceeding MAXWLEN (254) bytes, corrupting the call frame and crashing the editor with theoretical code execution potential. All Vim releases prior to 9.2.0698 carrying the single-byte SOFO branch are affected; the vendor has released a confirmed fix at v9.2.0698. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 E:U supplemental metric confirms exploitation remains unproven at time of analysis.
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointing at freed libxml2 memory after `#do_xinclude` is called on a document whose nodes have already been exposed to Ruby. An application that triggers this condition may experience invalid memory reads or writes, potentially resulting in a crash or memory disclosure. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.2 reflects the high attack complexity driven by an unusual, non-default API usage pattern required to reach the vulnerable code path.
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault when an `XML::XPathContext` object outlives its source document and that document is freed by Ruby's garbage collector. Only CRuby is affected; JRuby is not. This is not triggerable by malicious document input and cannot be reached through the standard `Document#xpath`, `#css`, or related methods - it requires an unusual direct API usage pattern in application code. No public exploit has been identified, this is not listed in CISA KEV, and the CVSS 4.0 score of 1.7 reflects the tightly constrained triggering conditions.
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via `Document#root=`. The root cause is insufficient type validation in the setter, which accepted any `Nokogiri::XML::Node` subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. No active exploitation is confirmed (not in CISA KEV), no public exploit is identified, and the Nokogiri maintainers rate this low severity; the CVSS 4.0 score of 1.7 with E:U corroborates that assessment.
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.
Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network device to corrupt Door Lock schedule state by sending malformed ClearWeekdaySchedule messages. Only devices implementing the Door Lock cluster are affected, and the corruption is bounded in size and location, primarily threatening availability/integrity rather than data disclosure. No public exploit identified at time of analysis; a vendor patch is available.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network device to crash the host process by sending malformed IAS Zone enrollment messages, which trigger an out-of-bounds write to the state table. Only nodes that support the IAS Zone (security sensor) cluster are affected, and the attacker must already hold a valid place on the Zigbee network (PR:L). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation potential via a use-after-free in the Linux kernel's Bluetooth ISO (Isochronous) subsystem affects kernels through 6.19 and related stable trees. In iso_sock_rebind_bc(), the code caches the hci_conn pointer (bis) and then drops the socket lock to acquire hci_dev_lock; a concurrent close() during this unlocked window can destroy the connection and free the bis structure, so the subsequent hci_dev_lock(bis->hdev) dereferences freed memory. There is no public exploit identified at time of analysis and EPSS is low (0.15%, 5th percentile), but a kernel UAF reachable by a local user warrants timely patching.
Use-after-free in the Linux kernel's IPv6 multicast (MLD) query processing path allows an adjacent-network attacker to corrupt or read freed kernel slab memory by sending a crafted MLD query. The flaw stems from a stale pointer to the multicast group address being dereferenced in __mld_query_work() after pskb_may_pull() reallocated the skb header, confirmed by a KASAN slab-use-after-free report. Carries an 8.8 CVSS (adjacent vector); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).
Local privilege escalation or kernel memory corruption in the Linux kernel's OP-TEE (Trusted Execution Environment) driver arises from a use-after-free in the supplicant request path on ARM TrustZone systems. After commit 70b0d6b0a199 made the client wait killable, a client task can exit and kfree() its request while its ID still lives in supp->idr, so a later supplicant lookup dereferences freed memory. CVSS 7.8 (local, low privilege) with EPSS at 0.17% (7th percentile); no public exploit identified at time of analysis and not listed in CISA KEV.
Use-after-free in the Linux kernel's EROFS filesystem lets a local attacker who can trigger a decompression I/O race during unmount corrupt kernel memory. When z_erofs_decompress_kickoff() queues asynchronous decompression work, a concurrent unmount can free the superblock info (sbi) before the kworker accesses sbi->sync_decompress, producing a CWE-416 use-after-free with high confidentiality, integrity and availability impact (CVSS 7.8). EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis; the flaw is not on CISA KEV.
Local privilege-bearing users can trigger a use-after-free in the Linux kernel's net/sched action subsystem (act_api) by racing concurrent NEWTFILTER and DELFILTER operations, where an action object can be kfree()'d immediately on one CPU while another CPU still holds an RCU-protected reference and calls refcount_inc_not_zero() on freed memory. Affecting the tc action lifecycle, exploitation can corrupt kernel memory and lead to local privilege escalation or denial of service (kernel panic). This issue has no public exploit identified at time of analysis and carries a low EPSS exploitation probability (0.17%, 7th percentile).
Denial of service and potential memory corruption in the Linux kernel TCP stack arises from a refcount underflow / use-after-free in reqsk_queue_hash_req(), affecting kernels built with PREEMPT_RT (real-time preemption). On affected systems a request socket (reqsk) can lose both its ehash and timer reference counts when reqsk_queue_hash_req() is preempted between mod_timer() and refcount_set(), letting reqsk_timer_handler() drop the object twice and trigger a use-after-free flagged by refcount_warn_saturate. The fix was reported via syzbot fuzzing; there is no public weaponized exploit identified at time of analysis and the EPSS score is very low (0.15%, 5th percentile), and despite the NVD 9.8 score real-world exploitability is constrained to PREEMPT_RT kernels and a narrow timing window.
Memory corruption via a use-after-free in the Linux kernel's IPv6 anycast subsystem allows a local attacker to read freed slab memory and potentially corrupt kernel state. The flaw lives in __ipv6_dev_ac_inc()/ipv6_add_acaddr_hash(), where an ifacaddr6 (aca) object is published into the global inet6_acaddr_lst[] hash outside idev->lock, opening a race with device teardown (ipv6_ac_destroy_dev) that frees the object while it is still linked in the RCU-walked hash. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but the vendor has shipped a fix.
Use-after-free in the Linux kernel's Bluetooth RFCOMM subsystem allows an attacker within Bluetooth range to corrupt kernel memory by racing an incoming RFCOMM connection against the close of a listener socket. The flaw lives in rfcomm_connect_ind(), which uses a listener socket returned by rfcomm_get_sock_by_channel() after the protecting list lock is dropped and without taking a reference, so a concurrent rfcomm_sock_release() can free the parent socket before it is locked and a child is enqueued. KASAN confirmed a slab-use-after-free in lock_sock_nested(); EPSS is low (0.17%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Use-after-free in the Linux kernel's Airoha (airoha_eth) network driver allows memory corruption when metadata dst objects are torn down while still referenced by in-flight receive skbs. The airoha_metadata_dst_free() routine called metadata_dst_free()/kfree() directly, bypassing the RCU grace period required by the noref dst pointers set via skb_dst_set_noref() in the RX path, so RCU readers could dereference freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile); the issue is patched in current stable kernels.
Memory corruption (use-after-free) in the Linux kernel's MediaTek mtk_eth_soc Ethernet driver allows the metadata destination object to be freed via kfree() during driver teardown while the RX path may still hold a non-refcounted (noref) pointer to it from a live skb. Affects systems running the mtk_eth_soc driver (MediaTek SoC networking, common in routers/embedded devices) across multiple kernel branches; the fix routes the free through dst_release() so the RCU grace period is honored. No public exploit identified at time of analysis, EPSS is low (0.18%, 8th percentile), and it is not in CISA KEV - despite the input's nominal CVSS of 9.8.
Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. Impact ranges from out-of-bounds reads to potential heap corruption during STATE_COOKIE handling and kmemdup() copies.
Use-after-free in the Linux kernel's XFRM IP-TFS (IPsec Traffic Flow Confidentiality, RFC 9347) inbound reassembly path lets a race between __input_process_payload() and a concurrent iptfs_reassem_cont()/drop_timer handler operate on a freed sk_buff in skbuff_head_cache, causing memory corruption. The flaw affects kernels from 6.14 (where IP-TFS was introduced) running an IPsec SA in IP-TFS mode, and is fixed in stable releases including 6.18.36, 7.0.13 and 7.1. There is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.17%, 7th percentile).
Local privilege escalation via use-after-free in the Linux kernel's XFRM (IPsec) policy subsystem allows a local low-privileged attacker to corrupt kernel memory by racing XFRM_MSG_DELPOLICY and XFRM_MSG_NEWSPDINFO netlink operations. In xfrm_policy_bysel_ctx(), the inexact policy bin was pruned after dropping xfrm_policy_lock, leaving a window where a concurrent xfrm_hash_rebuild() could kfree_rcu() the same bin, leading to a use-after-free. No public exploit identified at time of analysis; EPSS probability is low (0.18%) and it is not listed in CISA KEV.
Use-after-free in the Linux kernel's IBM EMAC Ethernet driver (drivers/net/ethernet/ibm/emac) lets in-flight packet processing touch hardware resources that have already been freed during device removal, because devm_register_netdev() deferred unregister_netdev() until after emac_remove() tore down the hardware. A local attacker who can trigger driver unbind/hot-removal while the interface handles traffic can corrupt kernel memory, potentially escalating to code execution or crashing the system. This is a fixed regression window on IBM PowerPC EMAC hardware; no public exploit identified at time of analysis and EPSS risk is low (0.18%, 7th percentile).
Local privilege escalation potential in the Linux kernel netfilter nf_tables tunnel module (nft_tunnel) stems from a use-after-free triggered when a tunnel object is destroyed while packets still hold a reference to its metadata_dst. The flawed nft_tunnel_obj_destroy() path calls metadata_dst_free(), which kfree()s the structure while ignoring the dst_entry refcount, so packets queued in a qdisc (e.g. netem) later call dst_release() on freed memory. CVSS is 7.8 (high) with CVSS:3.1 vector AV:L/PR:L; EPSS is low at 0.18% (7th percentile), it is not in CISA KEV, and no public exploit identified at time of analysis.
Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. No public exploit identified at time of analysis, and the EPSS probability is very low (0.18%, 8th percentile), indicating no current evidence of widespread exploitation interest.
Out-of-bounds memory access in the Linux kernel's accel/ivpu driver (Intel NPU/VPU accelerator) occurs because firmware-supplied read and write indices for the firmware log buffer were used without bounds validation, allowing invalid offsets to drive out-of-bounds buffer reads. Affecting Intel Core Ultra-class systems running affected 6.12.x through 6.18.x and 7.x kernels, a local low-privileged actor able to influence the device's firmware log indices can disclose kernel memory or crash the host. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).
Use-after-free in the Linux kernel's in-kernel SMB server (ksmbd) lets an authenticated SMB client corrupt kernel slab memory by sending a second SMB2_CANCEL for the same AsyncId of a blocking byte-range lock. The first cancel frees the struct file_lock but takes an early-exit that never unlinks the async work or clears its cancel callback, leaving a live cancel_fn pointing at freed memory in the file_lock_cache (size 192) slab; a racing second cancel re-runs smb2_remove_blocked_lock() on the dangling pointer. The flaw was reproduced on mainline with KASAN by an authenticated client, EPSS is low (0.18%), and there is no public exploit identified at time of analysis.
Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and the issue is not in CISA KEV.
Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not on the CISA KEV list, so exploitation is theoretical rather than observed.
Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. EPSS is low (0.19%, 9th percentile) and there is no public exploit identified at time of analysis; the issue was found via KASAN using emulated hardware (dummy_hcd/raw-gadget), not in-the-wild exploitation.
Local privilege escalation via use-after-free in the Linux kernel ALSA timer subsystem (sound/core/timer.c) allows an authenticated local user to corrupt kernel memory by triggering dangling references to a freed snd_timer object. When snd_timer_free() unlinked pending instances it left slave timer instances still pointing at the freed master timer; the flaw is readily reachable through the userspace-driven timer interface (CONFIG_SND_UTIMER), where opening/closing a file creates and destroys timer objects while other processes keep accessing them. EPSS is low (0.18%, 8th percentile) and there is no public exploit identified at time of analysis, but kernel UAF bugs of this class are historically a strong primitive for local privilege escalation.
Local privilege escalation or memory corruption in the Linux kernel's ALSA timer subsystem stems from a use-after-free in snd_timer_user_params() reachable via the SNDRV_TIMER_IOCTL_PARAMS ioctl. A low-privileged local user with access to a timer device (notably userspace timers under CONFIG_SND_UTIMER) can race a concurrent ioctl against timer object release to access freed memory. No public exploit identified at time of analysis, and EPSS is low (0.18%), reflecting the local-only, race-dependent nature of the bug.
Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).
Slab use-after-free in the Linux kernel's IP fragment reassembly (inet frags) layer occurs during network namespace teardown: fqdir_pre_exit() flushes incomplete fragment queues via inet_frag_queue_flush() without clearing q->fragments_tail/last_run_head, so a fragment reassembly already in flight resumes after the flush and dereferences freed skbs. IPv4, IPv6, nf_conntrack_reasm6, and 6lowpan reassembly all share the affected flush path. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile); NVD scores it CVSS 9.8 (AV:N), but the bug is fundamentally a teardown-vs-reassembly race, so the network-unauthenticated framing overstates practical reachability.
Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. No public exploit is identified at time of analysis, EPSS is low (0.16%), and an upstream fix has landed in the stable trees.
Local privilege escalation and memory corruption in the Linux kernel's Qualcomm FastRPC misc driver (drivers/misc/fastrpc) arises from a use-after-free of the fastrpc_user structure during concurrent file-descriptor close and DSP response processing. A local user with access to the FastRPC device can race fastrpc_device_release() against the put_work workqueue so that fastrpc_context_free() dereferences an already-freed user object, enabling kernel memory corruption with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.18%), consistent with a hard-to-win kernel race on Qualcomm-only hardware.
Local privilege escalation and memory corruption in the Linux kernel's fastrpc misc driver allows an attacker with local low-privileged access to a FastRPC device to trigger a use-after-free in fastrpc_map_create by racing a concurrent MEM_UNMAP against map lookup. The flaw stems from fastrpc_map_lookup returning an unprotected raw pointer after dropping fl->lock, which a concurrent unmap can free before the reference is taken. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.17%, 7th percentile), consistent with a kernel race condition requiring local access and precise timing.
Slab use-after-free in the Linux kernel's Phonet subsystem (net/phonet) allows a local privileged actor to trigger memory corruption when a phonet_device is torn down. phonet_device_destroy() unlinks the object from the per-net device list with list_del_rcu() but frees it immediately, so concurrent RCU readers can still dereference the freed object; the fix converts the free to kfree_rcu(). No public exploit identified at time of analysis, EPSS is very low (0.17%, 7th percentile), and it is not on CISA KEV, but the CVSS 3.1 base score is 7.8 (High) reflecting full confidentiality, integrity and availability impact from local exploitation.
Local privilege escalation and memory corruption in the Linux kernel's nvmem core subsystem arises from use-after-free bugs in multiple error paths where __nvmem_device_put() releases the nvmem device (and its backing memory/resources) but the code continues to dereference the freed structure before returning. A local, low-privileged user able to trigger these error paths can corrupt kernel memory, potentially leading to code execution or information disclosure. Fix is upstream in stable kernel trees; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.17%).
Heap out-of-bounds write in the Linux kernel Thunderbolt/USB4 XDomain driver lets a malicious connected peer device corrupt kernel memory. In tb_xdp_properties_request(), the per-packet copy length is taken from the attacker-controlled response header without validating it against the previously kcalloc-allocated data buffer, so a peer advertising a length larger than data_length forces memcpy to write past the allocation. No public exploit identified at time of analysis and EPSS is low (0.18%), but the write-primitive nature (CWE-787) in kernel space makes it a meaningful local/physical attack surface on Thunderbolt-capable hosts.
Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.
Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.
Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenticated attacker to crash the server process by exploiting a heap use-after-free in the TLS error-logging path. By sending a DNS query over a DNS-over-TLS (DoT) connection and closing the socket before reading the response, an attacker triggers the freed-memory access trivially; no public exploit identified at time of analysis, and the issue is not in CISA KEV. The CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity exposure.
Local privilege escalation to root in OpenBSD through 7.9 arises from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c). An authenticated local user calling sys_semget() can trigger a context-switch use-after-free after tsleep(), where a freed semid_ds_kern structure is reused, enabling kernel memory corruption and full root compromise. There is no public exploit identified at time of analysis, EPSS probability is low (0.12%), and the issue is not listed in CISA KEV; the upstream fix adds reference counting (sem_ref/sem_rele) around the sleep window.
Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).
Use-after-free in MP4Box's filter pipeline core (gf_filter_pid_inst_swap in filter_pid.c) allows local attackers to crash the application - and potentially achieve memory corruption beyond DoS - by supplying a crafted media file. Publicly available exploit code exists for this vulnerability, hosted on GitHub in a dedicated proof-of-concept repository. The EPSS score is low (0.17%, 6th percentile) with no CISA KEV listing, suggesting the public POC is research-grade rather than part of active exploitation campaigns, but the barrier to triggering a crash is low for any attacker with file delivery capability.
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_load_from_state_internal function of the SEI loader filter (src/filters/sei_load.c). Processing a maliciously crafted MPEG-2 Transport Stream file causes the parser to dereference a dangling pointer, crashing the application. Publicly available exploit code (a PoC test case and write-up) exists, though the issue is not listed in CISA KEV and carries a low EPSS exploitation probability (0.17%, 6th percentile).
Arbitrary code execution within the renderer sandbox affects Google Chrome on Android before 149.0.7827.197 via a use-after-free defect in the WebView component, reachable when a victim renders a crafted HTML page. The flaw lets an attacker corrupt freed memory in the rendering process to gain code execution confined to the sandbox; CVSS is 7.8 (High) and Chromium rates it High severity. There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as none, but a vendor patch is already available.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS of 8.8; it requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with the CISA SSVC framework recording exploitation status as none.
Remote code execution in Google Chrome for macOS prior to 149.0.7827.197 stems from a use-after-free in the browser's Bluetooth subsystem, letting a malicious Bluetooth peripheral corrupt memory and execute arbitrary code in the browser process. The flaw is rated High severity by Chromium with a CVSS 8.8, requires user interaction (UI:R) but no privileges, and currently has no public exploit identified at time of analysis; CISA SSVC marks exploitation status as none.
Remote code execution in Google Chrome's Blink rendering engine (versions prior to 149.0.7827.197) allows a remote attacker to run arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium with a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome browser bugs of this class are historically high-value targets. Exploitation requires user interaction (loading a malicious page) but no authentication.
Heap corruption in Google Chrome's Web Authentication (WebAuthn) component affects all desktop builds prior to 149.0.7827.197, where a use-after-free (CWE-416) can be triggered by a malicious browser extension. An attacker who first convinces a victim to install a crafted extension can reach the freed object and potentially achieve code execution. Rated High by Chromium with a CVSS 7.5; there is no public exploit identified at time of analysis and CISA SSVC marks exploitation as none.
Renderer-side heap corruption in Google Chrome's FileSystem component (versions prior to 149.0.7827.197) lets a remote attacker who lures a victim to a crafted HTML page trigger a use-after-free, potentially leading to arbitrary code execution within the renderer. Rated High severity by Chromium with a CVSS of 8.8; no public exploit identified at time of analysis, and CISA's SSVC framework currently records exploitation status as 'none'. EPSS data was not provided, but the user-interaction requirement (visiting a page) is the only meaningful barrier, making this a routine but real browser-patch priority.