Use After Free
Use-after-free vulnerabilities occur when a program continues to access memory through a pointer after that memory has been deallocated.
How It Works
Use-after-free vulnerabilities occur when a program continues to access memory through a pointer after that memory has been deallocated. When memory is freed, it returns to the allocator's pool and may be reallocated for an entirely different purpose. The original pointer becomes "dangling"—it still points to that memory location, but the contents are now undefined or controlled by different code.
Attackers exploit this by orchestrating a three-step process: first, trigger the memory deallocation; second, cause the allocator to reassign that same memory region with attacker-controlled data (often through carefully timed allocations); third, trigger the program to dereference the dangling pointer. Because the memory now contains attacker data instead of the expected object, this can corrupt function pointers, vtables, or other critical structures.
The vulnerability is particularly dangerous in object-oriented code where freed objects contain function pointers or virtual method tables. When the program calls a method on the freed object, it may jump to attacker-controlled addresses. Browser engines are frequent targets because DOM manipulation allows attackers to control object allocation and deallocation timing through JavaScript, while kernel UAFs enable privilege escalation by manipulating file descriptors or process structures.
Impact
- Arbitrary code execution — attacker overwrites function pointers or vtables to redirect program flow to malicious code
- Privilege escalation — in kernel UAFs, gain root/system privileges by corrupting process credentials or security tokens
- Information disclosure — read sensitive data from reallocated memory that wasn't properly cleared
- Sandbox escape — break out of browser or application sandboxes by corrupting security-critical objects
- Denial of service — crash the application through memory corruption, though attackers typically aim for exploitation rather than simple crashes
Real-World Examples
CVE-2021-30551 affected Chrome's V8 JavaScript engine, where improper handling of JavaScript typed arrays created a use-after-free in object property management. Attackers could trigger object deletion while retaining references, then reallocate the memory with controlled data to achieve code execution within the renderer process.
Windows kernel vulnerabilities like CVE-2020-17087 involved use-after-free conditions in the Windows keyboard layout handling code. Attackers exploited race conditions in keyboard layout switching to free kernel objects while retaining references, then reallocated the memory with controlled structures to elevate privileges from user to SYSTEM level.
The WhatsApp vulnerability CVE-2019-11932 demonstrated UAF exploitation in media parsing code, where specially crafted GIF files triggered premature memory deallocation. Subsequent access to the freed buffers allowed remote code execution without user interaction beyond receiving the malicious file.
Mitigation
- Memory-safe languages — use Rust, Go, Swift, or other languages with automatic memory management
- Smart pointers — employ RAII patterns and reference counting (unique_ptr, shared_ptr in C++)
- AddressSanitizer (ASAN) — detect UAF during testing through instrumented builds
- Immediate pointer nullification — set pointers to NULL after free() to cause immediate crashes rather than exploitable conditions
- Garbage collection — languages with GC prevent manual memory management errors
- Control Flow Integrity (CFI) — limits exploit impact by validating function pointer targets
- Heap hardening — allocator metadata protection and delayed reuse policies increase exploitation difficulty
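The dangling-pointer sequence from How It Works and the reference-counting and pointer-nullification mitigations above, as an added C example that is not part of the original page: a heap object with a callback slot, a release macro that nulls the caller's pointer, and a "waiter" modelled on the poll()/close() race described in the CVE list below, shown once with and once without its own reference. All names (session_t, SESSION_RELEASE, waiter_t, live_sessions, the scenario functions) are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Instrumentation only: sessions currently allocated. Lets the scenarios detect
 * "freed while still referenced" without dereferencing a dangling pointer. */
static int live_sessions = 0;

/* Heap object with a function pointer: once freed and reallocated under attacker
 * control, that slot is what redirects execution. */
typedef struct session {
    void (*on_event)(struct session *);  /* callback slot, like a vtable entry */
    int refcount;                         /* owners plus in-flight waiters */
    int events_seen;
} session_t;

static void default_handler(session_t *s) { s->events_seen++; }

/* Allocate; the creator holds the first reference. */
session_t *session_new(void) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->on_event = default_handler;
    s->refcount = 1;
    live_sessions++;
    return s;
}

/* Take a reference: anything that will dereference the pointer later must hold one. */
session_t *session_get(session_t *s) { s->refcount++; return s; }

/* Drop a reference; free only when the last holder lets go. The object is scrubbed
 * first so a stale read sees zeros rather than a still-usable callback. */
void session_put(session_t *s) {
    if (--s->refcount > 0) return;
    memset(s, 0, sizeof *s);
    free(s);
    live_sessions--;
}

/* Pointer nullification: drop the reference AND clear the caller's variable, so a
 * later use is a NULL dereference that crashes, not a silent use-after-free. */
#define SESSION_RELEASE(pp) do { session_put(*(pp)); *(pp) = NULL; } while (0)

/* Guarded dispatch: NULL is a detectable bug; a dangling pointer is not. */
int session_fire(session_t *s) {
    if (!s || !s->on_event) return -1;
    s->on_event(s);
    return 0;
}

/* A blocked waiter, modelled on the poll()/close() race in the CVE list below. */
typedef struct { session_t *target; } waiter_t;

/* Correct: the waiter pins the object with its own reference. */
void waiter_register(waiter_t *w, session_t *s) { w->target = session_get(s); }

/* The vulnerable pattern: pointer stored, no reference taken. */
void waiter_register_noref(waiter_t *w, session_t *s) { w->target = s; }

/* Waking the waiter: use the object, then unlink and drop the reference. */
int waiter_wake(waiter_t *w) {
    int rc = session_fire(w->target);
    SESSION_RELEASE(&w->target);
    return rc;
}

/* Scenario 1: the creator closes its handle while a waiter is still registered.
 * With reference counting the object outlives the close; returns 1 on success. */
int scenario_close_then_wake(void) {
    int before = live_sessions;
    session_t *s = session_new();
    waiter_t w;
    waiter_register(&w, s);
    SESSION_RELEASE(&s);                      /* "close(fd)": creator's ref gone */
    int alive = (live_sessions == before + 1 && w.target->refcount == 1);
    int rc = waiter_wake(&w);                 /* safe: the waiter held its own ref */
    return alive && rc == 0 && w.target == NULL && live_sessions == before;
}

/* Scenario 2: the same sequence without the waiter's reference. Returns 1 if the
 * object was freed while the waiter was still registered, i.e. its pointer dangles. */
int scenario_dangling_without_ref(void) {
    int before = live_sessions;
    session_t *s = session_new();
    waiter_t w;
    waiter_register_noref(&w, s);
    SESSION_RELEASE(&s);                      /* last ref: freed under the waiter */
    int dangling = (live_sessions == before); /* waiter has not unlinked yet */
    w.target = NULL;                          /* unlink; never dereference it */
    return dangling;
}

/* Scenario 3: a nullified pointer fails closed (-1); a dangling one would not. */
int scenario_use_after_release(void) {
    session_t *s = session_new();
    SESSION_RELEASE(&s);
    return session_fire(s);
}
```

Call the three scenario functions from a main() of your own; they return 1, 1 and -1 respectively, and building with -fsanitize=address shows how ASAN would flag the missing-reference variant if its stale pointer were ever dereferenced.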
Recent CVEs (1369)
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed, resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Use-after-free in the DNS-over-HTTPS (DoH) implementation of ISC BIND 9 (9.20.0-9.20.22, 9.21.0-9.21.21, and Subscription Edition 9.20.9-S1-9.20.22-S1) allows remote attackers to corrupt freed memory in the resolver/server process, potentially causing denial of service and possible information disclosure. The 9.18.x branch (including 9.18.11-S1 through 9.18.48-S1) is explicitly unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attackers to crash the daemon or potentially achieve arbitrary code execution by serving a malicious signed zone to a vulnerable resolver. The flaw stems from a struct-assignment bug during deep copying of response messages when DS sub-queries suspend validation under NSEC3 computational budget exhaustion. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.1 with network attack vector and no required privileges or user interaction makes this a high-priority patching target for any operator running a recursive Unbound resolver.
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Use-after-free memory corruption in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) enables pointer manipulation when processing crafted JavaScript content, with CVSS 7.8 reflecting high-impact local exploitation requiring user interaction. The affected codepaths include evaluator error handling, TypedArray copyWithin operations on resizable buffers, DataView coercion, and array fast-mode transitions, all triggerable by attacker-controlled script. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Use-After-Free memory corruption in OpenHarmony v6.0 and prior enables a local attacker with low privileges to execute arbitrary code, achieving a changed scope with high availability impact. The vulnerability is rooted in CWE-416, where freed memory regions are accessed without proper lifecycle management, a class of flaw frequently exploitable for control-flow hijacking. No public exploit code or CISA KEV listing has been identified at time of analysis, though the OpenHarmony security team has published a formal disclosure.
Heap-use-after-free in Magick.NET's MSL (Magick Scripting Language) decoder causes a denial-of-service condition when processing a crafted MSL image file. All Magick.NET NuGet package variants across Q16, Q16-HDRI, and multi-architecture builds prior to version 14.13.1 are affected. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis; the CVSS vector indicates local-only access with availability-only impact, classifying this as a crasher rather than a code execution or data exposure issue.
Use-after-free vulnerability in Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but the vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite the public POC.
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.
Use-After-Free vulnerability in the AMD Secure Processor (ASP) PCI driver affects multiple Ryzen, Threadripper, EPYC, and Athlon processor families due to improper input validation. A local attacker with user-level privileges can trigger the UAF condition, resulting in denial of service via platform crash or potential loss of platform integrity. Vendor-released patch: AMD Ryzen Chipset Driver 7.02.13.148 (or equivalent Catalyst driver versions for embedded SKUs). No public exploit identified at time of analysis.
Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.
Remote denial-of-service in F5 BIG-IP Policy Enforcement Manager (PEM) allows unauthenticated attackers to crash the Traffic Management Microkernel (TMM) via undisclosed traffic patterns when PEM-specific iRules are configured on a virtual server. The vulnerability is a use-after-free memory corruption issue (CWE-416) affecting CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and urlcatquery iRule commands. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates straightforward remote exploitation with high availability impact. EPSS data not provided, but F5 has released a vendor patch (K000160875). No public exploit or CISA KEV listing identified at time of analysis.
Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or mapreduce map functions) with subsequent JavaScript engine invocations ($where, $function, mapreduce reduce stages), triggering a use-after-free condition. Affects MongoDB Server 7.0 (prior to 7.0.34), 8.0 (prior to 8.0.23), 8.2 (prior to 8.2.9), and 8.3 (prior to 8.3.2). Vendor-released patches available for all affected branches. No public exploit identified at time of analysis; EPSS score of 0.05% (16th percentile) suggests low observed exploitation probability despite 7.7 CVSS score. The CWE-416 use-after-free root cause requires precise sequencing of JavaScript operations, limiting exploitability.
Use-after-free in MongoDB Server's Field-Level Encryption query analysis component allows authenticated remote attackers with control over FLE query structure to cause information disclosure and denial of service. The vulnerability affects mongocryptd and crypt_shared in versions 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. No public exploit code identified at time of analysis.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally.
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
Use after free in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
Use after free in Windows SMB Client allows an authorized attacker to elevate privileges locally.
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.
Use after free in Windows TCP/IP allows an unauthorized attacker to disclose information over a network.
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows low-privileged authenticated users to execute arbitrary code with SYSTEM privileges via use-after-free memory corruption. Microsoft has released patches addressing Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2012. CVSS base score is 7.0 (High) with local attack vector and high attack complexity. EPSS data not available; no CISA KEV listing at time of analysis, suggesting exploitation has not been observed in the wild despite public disclosure.
Local privilege escalation in Windows Win32K graphics subsystem (Win32K - GRFX) allows authenticated users with low privileges to achieve SYSTEM-level access through a use-after-free memory corruption vulnerability. Affects multiple Windows 10, Windows 11, and Windows Server 2012 versions. Microsoft has released patches through their March 2026 security updates. The CVSS 7.0 (High) rating reflects high attack complexity (AC:H), requiring specific race condition timing or system state manipulation, though EPSS data is not yet available for this recently disclosed CVE.
Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.
A use after free in some Linux kernel drivers for the Intel(R) Ethernet 800 series before version 2.3.14, running in Ring 0 (kernel), may allow a denial of service. An unprivileged software adversary with an authenticated user account, using a low-complexity attack, may be able to cause the denial of service. The attack is carried out via local access, requires attack requirements to be present, needs no special internal knowledge, and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts.
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
A use-after-free vulnerability in Apple's Wi-Fi stack allows attackers in a privileged network position to cause denial-of-service via crafted Wi-Fi packets. The vulnerability affects iOS and iPadOS versions prior to 26.5 and 18.7.9, macOS versions prior to 26.5, 15.7.7, and 14.8.7, and tvOS, watchOS versions prior to 26.5. Exploitation requires adjacent network access and specific radio conditions (AC:H) but results in high availability impact with no active public exploitation identified.
Remote attackers can crash Apple devices or corrupt kernel memory without authentication via a use-after-free vulnerability affecting iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches across eight separate security bulletins (HT127110-127120) fixing this memory management flaw in all supported OS versions. EPSS score of 0.10% (28th percentile) suggests low exploitation probability despite the network-accessible attack vector and lack of authentication requirements. No active exploitation or public POC identified at time of analysis.
Denial of service in Apple macOS prior to version 26.5 allows remote attackers to crash Safari via maliciously crafted web content that triggers a use-after-free memory condition. The vulnerability requires user interaction (opening a malicious webpage) but no authentication, affecting all macOS versions before 26.5. EPSS exploitation probability is very low at 0.02%, suggesting limited real-world attack incentive despite the crash capability.
Use-after-free in WebKit allows remote attackers to trigger Safari crashes and potentially achieve arbitrary code execution across Apple's entire ecosystem (iOS, iPadOS, macOS, tvOS, visionOS, watchOS) via maliciously crafted web content. Users must visit or be tricked into visiting a malicious webpage (UI:R). Despite CVSS 8.8 (High) with theoretical code execution impact (C:H/I:H/A:H), EPSS probability is extremely low (0.02%, 5th percentile), indicating minimal observed exploitation activity. No public exploit identified at time of analysis, and vendor patches are available across all platforms as of version 26.5.
Use-after-free in WebKit across Apple's entire operating system ecosystem enables remote information disclosure via malicious web content. Affects iOS/iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS versions prior to 26.5. The vulnerability allows network-based unauthenticated attackers to access high-value confidential information through crafted web pages, though the CVE description anomalously mentions process crash (availability impact) while the CVSS vector indicates confidentiality impact only. No public exploit identified at time of analysis. EPSS score of 0.02% (5th percentile) suggests low likelihood of imminent widespread exploitation despite the broad platform impact and network attack vector.
Use-after-free memory corruption in Apple operating systems allows high confidentiality impact through unexpected system termination. Affects iOS/iPadOS versions before 18.7.9 and 26.5, macOS Sequoia before 15.7.7, macOS Sonoma before 14.8.7, macOS Tahoe before 26.5, tvOS before 26.5, visionOS before 26.5, and watchOS before 26.5. Vendor-released patches are available across all affected platforms. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability in the wild, and no public exploit identified at time of analysis. CVSS vector indicates network-reachable attack surface with no authentication required, though the description states only 'an app' can trigger the condition, suggesting conflicting attack vector classification.
Safari on Apple platforms crashes when processing maliciously crafted web content due to a use-after-free vulnerability in memory management, resulting in denial of service. Affects iOS and iPadOS below 26.5, macOS Tahoe below 26.5, tvOS below 26.5, visionOS below 26.5, and watchOS below 26.5. Exploitation requires user interaction to visit a malicious webpage but does not allow code execution or information disclosure.
Use-after-free in Linux kernel ASoC (ALSA System on Chip) subsystem allows local authenticated users with open audio streams to trigger memory corruption during sound card unbind operations. The flaw occurs when PCM stream closure schedules delayed DAPM (Dynamic Audio Power Management) work after widgets are freed, enabling potential privilege escalation or denial of service. EPSS score of 0.02% indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). No CISA KEV listing or public POC identified at time of analysis.
Local privilege escalation in the Linux kernel's CAIF serial driver allows attackers with local access to trigger a use-after-free condition in pty_write_room() via the caif_serial line discipline. The flaw stems from missing reference counting on tty->link, enabling memory corruption that can lead to arbitrary kernel code execution with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with an EPSS score of 0.02% (7th percentile) indicating low likelihood of widespread exploitation.
Use-after-free in the Linux kernel iavf driver allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system. The vulnerability affects Intel Ethernet Adaptive Virtual Function (iavf) driver's PTP implementation where a worker thread continues accessing freed memory during network adapter reset or disable operations. Patch available from kernel.org upstream commits across multiple stable branches (6.18.19, 6.19.9, 7.0+). EPSS score of 0.02% (4th percentile) indicates low observed exploitation likelihood, and no CISA KEV listing confirms this remains a theoretical risk requiring local access with low privileges.
Use-after-free in the Linux kernel's Microsoft Azure Network Adapter (mana) driver allows a low-privileged local user to trigger a double destroy_workqueue() call on the gc->service_wq pointer when mana_gd_setup() fails, with potential for local privilege escalation. The flaw, fixed in the 6.18.x and 6.19.x stable trees, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but carries a CVSS of 7.8 due to high confidentiality, integrity, and availability impact within the kernel.
Reference count underflow in the Linux kernel sched_ext subsystem enables local privilege escalation, allowing arbitrary code execution with kernel privileges. The flaw affects kernel versions 6.12 through 6.19.x (prior to patched releases 6.12.78, 6.18.19, 6.19.9, 7.0), scoring CVSS 7.8 with a local attack vector requiring low privileges. Vendor patches available via stable kernel updates. EPSS exploitation probability is low (0.02%, 5th percentile), with no public exploit code or active exploitation confirmed at time of analysis, though the resulting use-after-free primitive could enable kernel memory corruption attacks.
Use-after-free in Linux kernel ALSA PCM subsystem allows local authenticated users to corrupt memory and potentially execute arbitrary code with kernel privileges. The vulnerability occurs in snd_pcm_drain() when a linked stream's runtime structure is freed via concurrent close() while still being dereferenced, enabling information disclosure, system crashes, or privilege escalation. With EPSS at 0.02% (7th percentile) and CVSS 7.8, this represents elevated theoretical risk but shows no evidence of active exploitation or public POC at time of analysis. Vendor patches are available across multiple stable kernel branches (5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0).
Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.
Use-after-free in Linux kernel kthread subsystem enables memory corruption leading to arbitrary code execution or denial of service. The vulnerability arises when kernel threads exit via make_task_dead() instead of kthread_exit(), bypassing affinity_node cleanup. This causes dangling pointers in the global kthread_affinity_list that corrupt freed memory reused by the SLAB allocator, specifically overwriting RCU callback function pointers in struct pid objects. CVSS rates this 9.8 critical, though the network attack vector appears misclassified since kernel thread manipulation requires local code execution. EPSS score of 0.02% (4th percentile) indicates low predicted exploitation likelihood despite severity. Vendor patches available for Linux 6.18.19, 6.19.9, and 7.0 via upstream commits.
Use-after-free in Linux kernel ksmbd allows remote unauthenticated attackers to potentially execute arbitrary code, disclose sensitive information, or cause denial of service. The vulnerability stems from improper RCU lock handling in smb_lazy_parent_lease_break_close(), where the opinfo pointer is dereferenced after the RCU read lock is released, creating a race condition. Patches available across multiple kernel versions (6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). Despite the critical CVSS 9.8 score, EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC identified at time of analysis.
Use-after-free in the Linux kernel's ksmbd SMB server (smb2_open()) allows remote attackers to potentially trigger memory corruption when the server dereferences an opinfo pointer after rcu_read_unlock(). The flaw is fixed in upstream stable releases (6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.