Use After Free
Use-after-free vulnerabilities occur when a program continues to access memory through a pointer after that memory has been deallocated.
How It Works
Use-after-free vulnerabilities occur when a program continues to access memory through a pointer after that memory has been deallocated. When memory is freed, it returns to the allocator's pool and may be reallocated for an entirely different purpose. The original pointer becomes "dangling"—it still points to that memory location, but the contents are now undefined or controlled by different code.
Attackers exploit this by orchestrating a three-step process: first, trigger the memory deallocation; second, cause the allocator to reassign that same memory region with attacker-controlled data (often through carefully timed allocations); third, trigger the program to dereference the dangling pointer. Because the memory now contains attacker data instead of the expected object, this can corrupt function pointers, vtables, or other critical structures.
The vulnerability is particularly dangerous in object-oriented code where freed objects contain function pointers or virtual method tables. When the program calls a method on the freed object, it may jump to attacker-controlled addresses. Browser engines are frequent targets because DOM manipulation allows attackers to control object allocation and deallocation timing through JavaScript, while kernel UAFs enable privilege escalation by manipulating file descriptors or process structures.
Impact
- Arbitrary code execution — attacker overwrites function pointers or vtables to redirect program flow to malicious code
- Privilege escalation — in kernel UAFs, gain root/system privileges by corrupting process credentials or security tokens
- Information disclosure — read sensitive data from reallocated memory that wasn't properly cleared
- Sandbox escape — break out of browser or application sandboxes by corrupting security-critical objects
- Denial of service — crash the application through memory corruption, though attackers typically aim for exploitation rather than simple crashes
Real-World Examples
CVE-2021-30551 affected Chrome's V8 JavaScript engine, where improper handling of JavaScript typed arrays created a use-after-free in object property management. Attackers could trigger object deletion while retaining references, then reallocate the memory with controlled data to achieve code execution within the renderer process.
Windows kernel vulnerabilities like CVE-2020-17087 involved use-after-free conditions in the Windows keyboard layout handling code. Attackers exploited race conditions in keyboard layout switching to free kernel objects while retaining references, then reallocated the memory with controlled structures to elevate privileges from user to SYSTEM level.
The WhatsApp vulnerability CVE-2019-11932 demonstrated UAF exploitation in media parsing code, where specially crafted GIF files triggered premature memory deallocation. Subsequent access to the freed buffers allowed remote code execution without user interaction beyond receiving the malicious file.
Mitigation
- Memory-safe languages — use Rust, Go, Swift, or other languages with automatic memory management
- Smart pointers — employ RAII patterns and reference counting (unique_ptr, shared_ptr in C++)
- AddressSanitizer (ASAN) — detect UAF during testing through instrumented builds
- Immediate pointer nullification — set pointers to NULL after free() to cause immediate crashes rather than exploitable conditions
- Garbage collection — languages with GC prevent manual memory management errors
- Control Flow Integrity (CFI) — limits exploit impact by validating function pointer targets
- Heap hardening — allocator metadata protection and delayed reuse policies increase exploitation difficulty
Recent CVEs (6126)
Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap corruption in Google Chrome's Digital Credentials component (versions prior to 149.0.7827.155) allows remote attackers to trigger a use-after-free condition by enticing a user to visit a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates this issue as Critical severity, and Google has released a patched stable-channel build; no public exploit identified at time of analysis and EPSS sits at 0.31% (23rd percentile), indicating low predicted near-term exploitation pressure despite the high CVSS of 8.8.
Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Denial of service (and potential limited memory corruption) in the Zephyr RTOS IPv6 networking stack (versions 3.3.0 through 4.4.0) stems from a use-after-free in the IPv6 Neighbor Discovery send paths, where per-interface ICMP statistics are updated by reading from a network packet after the stack has already freed it. Any unauthenticated on-link node can trigger the Neighbor Advertisement path simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 and CONFIG_NET_STATISTICS_PER_INTERFACE enabled, causing a freed slab block to be dereferenced. There is no public exploit identified at time of analysis and EPSS is low (0.14%, 4th percentile); a vendor patch is available, and impact is largely limited to crashes/DoS with only theoretical limited memory corruption.
Use-after-free in Zephyr RTOS's ICMPv4 echo handler allows any unauthenticated remote host to trigger memory corruption or a crash by sending a standard ICMP ping to an affected device. The defect exists in all versions from v1.14 (2019) through v4.4.0, where `icmpv4_handle_echo_request()` reads from a freed `net_pkt` struct after transferring packet ownership to the TX path - violating a contract explicitly documented in `net_core.c`. No public exploit code exists and this CVE does not appear in CISA KEV, but the zero-privilege, network-reachable attack surface makes it a meaningful risk for internet-exposed embedded and IoT deployments running Zephyr with ICMP statistics enabled.
Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()` call `net_pkt_iface()` on a packet after transferring it to `net_try_send_data()`, which may synchronously or asynchronously free the packet's memory slab before the statistics update executes. When `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale interface pointer is written through (`iface->stats.icmp.sent++`), escalating the read UAF into an attacker-influenced memory write; no public exploit has been identified at time of analysis, but the trigger is a universally available IPv6 primitive.
Remotely triggerable denial of service in the Zephyr RTOS networking stack (versions 1.12.0 through 4.4.x) arises from a use-after-free in the IPv6 MLD code path, where mld_send() reads net_pkt_iface(pkt) after net_send_data() has already transferred packet ownership and the L2 driver freed it back to its memory slab. An unauthenticated attacker on the local link can elicit the vulnerable path by sending a crafted MLDv2 General Query, causing a NULL-pointer dereference crash or, in a narrow race, memory corruption via a stray statistics increment. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and the issue is not in CISA KEV; a vendor patch is available.
Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. No public exploit code exists and the vulnerability is not in CISA KEV; however, the remote trigger path via IGMP membership queries (224.0.0.1) requires no authentication, and the analogous IPv6 MLD path (mld_send) carries the same unpatched pattern.
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
Memory corruption via use-after-free in the Networking: HTTP component of Mozilla Firefox enables remote attackers to potentially execute arbitrary code or trigger crashes when a user visits a malicious page. The flaw affects Firefox prior to version 152, Firefox ESR before 140.12, and Firefox ESR before 115.37, and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. With an EPSS of 0.16% (5th percentile) and no public exploit identified at time of analysis, opportunistic mass exploitation appears unlikely despite the high severity rating.
Use-after-free in Zephyr RTOS v4.4.0 on Xtensa/MMU targets allows privileged kernel code to corrupt page tables or trigger a fatal MMU exception by destroying a memory domain without unlinking it from the global xtensa_domain_list. The dangling list node persists after arch_mem_domain_deinit() sets domain->arch.ptables to NULL, so any subsequent arch_mem_map() or arch_mem_unmap() call traverses the stale entry and dereferences the freed pointer - producing at minimum a denial-of-service kernel crash (NULL pointer deref) and at worst page-table memory corruption that undermines userspace process isolation. No public exploit code exists and no CISA KEV listing is present; however the integrity and availability impact (I:H, A:H) in a real-time OS kernel elevates practical severity beyond the 6.3 base score for affected embedded deployments.
Heap use-after-free in LibreOffice's ODF number format parser allows memory corruption when a user opens a crafted document containing a malformed number format string. The flaw arises because a position value embedded in the document is consumed without validation against the actual length of the format-code string, causing the parser to reference stale or out-of-bounds heap memory. Publicly available exploit code exists (CVSS 4.0 E:P), and while no active exploitation is confirmed via CISA KEV, the low attack complexity and document-phishing delivery model make this a realistic targeted threat.
Use-after-free in Zephyr RTOS's native TCP2 stack allows a concurrent connection teardown - triggered by ordinary TCP traffic from an adjacent-network peer - to invalidate a cached iterator pointer in net_tcp_foreach(), crashing the system or causing the iterator callback to operate on attacker-influenced reallocated memory. All Zephyr releases from the TCP2 stack introduction in 2020 through v4.4.0 (inclusive) are affected. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the primary real-world risk is denial of service against embedded or IoT devices with TCP networking and shell access exposed on an adjacent network segment.
Heap use-after-free in GPAC MP4Box's MPEG-4 LASeR/SVG processing path crashes the tool when parsing a crafted MP4 file with the -svg conversion flag. The flaw occurs in gf_svg_node_del() at svg_types.c:107, where an SVG node is freed and then read again during scene graph teardown via gf_sg_reset()/gf_node_unregister(), confirmed by AddressSanitizer. Impact is limited to availability (process crash/DoS); no confidentiality or integrity impact is demonstrated. A public proof-of-concept MP4 file exists on GitHub; no active exploitation has been confirmed by CISA KEV.
Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containing an invalid BIFS GlobalQuantizer command. Any user or automated pipeline processing an attacker-supplied MP4 file with an affected GPAC build is exposed. Exploitation could yield arbitrary code execution or a reliable crash, depending on heap layout at the time of the free. No public exploit code or CISA KEV listing has been identified at time of analysis.
Local privilege escalation in Imagination Technologies Graphics DDK (GPU kernel driver) allows non-privileged users to issue crafted GPU system calls that perform read/write operations on arbitrary freed physical memory pages, enabling kernel memory corruption. The flaw stems from missing deferred-free handling, meaning the GPU can still access pages after the kernel module has released them. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 reflects high local impact on confidentiality, integrity, and availability.
Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Autofill in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)
Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Network in Google Chrome prior to 149.0.7827.115 allowed an attacker in a privileged network position to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)
Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Remote code execution in Google Chrome on Windows prior to 149.0.7827.115 allows remote attackers to trigger a use-after-free condition in the Core component via a crafted HTML page, leading to arbitrary code execution within the renderer process. Chromium rates the severity as Critical, and no public exploit has been identified at time of analysis, but the bug class (UAF in Core) is historically a frequent target for in-the-wild exploitation against Chrome. The vulnerability requires the victim to visit attacker-controlled content (UI:R).
Heap-use-after-free in ImageMagick's CheckPrimitiveExtent function allows remote attackers to crash the image processing service by supplying crafted input that triggers a memory allocation failure, resulting in a denial-of-service condition. Affected are all releases of the 6.x branch prior to 6.9.13-50 and all 7.x releases prior to 7.1.2-25. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the network-accessible attack vector is relevant wherever ImageMagick processes untrusted images (e.g., web upload pipelines, CI/CD asset processors).
Heap-use-after-free corruption in Ghidra's decompiler before version 12.1 allows a local attacker - or any actor who can deliver a crafted binary to a target analyst - to corrupt freed heap memory when the victim opens the file in the decompiler view. The vulnerability resides in HighVariable::merge() during the variable merging pass, where stale pointers in the HighIntersectTest::highedgemap cache are dereferenced against freed memory, producing low-impact integrity and availability effects on the Ghidra process. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the tool's user base of security researchers who routinely open untrusted binaries elevates the practical threat profile.
Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application crash by supplying a crafted binary for decompilation. All Ghidra releases prior to 12.1 are affected, as is any downstream application consuming the SLEIGH library via the public Sleigh::oneInstruction C++ API. The CVSS v4.0 score of 6.9 reflects a high availability impact (VA:H) with low integrity impact (VI:L) and no confidentiality impact; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Use-after-free in Cloud Hypervisor versions 21.0 through 51.1 allows a malicious guest VM to corrupt host memory in the cloud-hypervisor VMM process by racing duplicate virtio-block descriptor chains against the host's asynchronous I/O completion path. The flaw carries a CVSS 4.0 score of 8.9 with high impact on both the affected VMM and subsequent system scope, indicating a credible VM escape primitive. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) occurs when a victim opens a maliciously crafted PDF, triggering a use-after-free memory corruption that lets the attacker run code with the privileges of the logged-on user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; however, Acrobat Reader is a perennial target for phishing-delivered malware, making patching a near-term priority. Adobe has issued APSB26-63 with fixed builds.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) is triggered when a user opens a malicious PDF, exploiting a Use-After-Free memory corruption flaw to run code as the current user. No public exploit identified at time of analysis, and EPSS data was not provided, but the high CVSS of 7.8 combined with Reader's massive install base makes this a routine patch priority. Vendor (Adobe) issued advisory APSB26-63 with corrective updates.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier results from a use-after-free memory corruption bug (CWE-416) triggered when a victim opens a malicious PDF. Code runs in the security context of the current user, making this a credible client-side initial-access vector via phishing or drive-by document delivery. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a maliciously crafted PDF, triggering a use-after-free memory corruption flaw. Code runs with the privileges of the current user, and no public exploit identified at time of analysis, though Adobe has released APSB26-63 as the corresponding advisory.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier is possible when a victim opens a maliciously crafted file that triggers a use-after-free in the document parser. The flaw runs code in the context of the logged-in user and carries a CVSS 7.8 (High) score, but requires user interaction; no public exploit identified at time of analysis and EPSS data is not provided in the input.
Use After Free memory disclosure in Adobe Acrobat Reader versions 24.001.30365 and 26.001.21651 (and earlier) exposes sensitive process memory contents when a victim opens a specially crafted malicious file. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms the attack is local, requires no privileges, but mandates user interaction - the victim must manually open the attacker-supplied document. Impact is limited to confidentiality (C:H), with no integrity or availability consequence. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651, and earlier) is possible when a victim opens a maliciously crafted document, triggering a use-after-free condition in the renderer. The flaw runs code in the context of the current user and has no public exploit identified at time of analysis, though Adobe issued advisory APSB26-63 confirming the vulnerability class and affected versions.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs through a use-after-free flaw triggered when a victim opens a maliciously crafted PDF document. Code executes in the context of the current user, making this a classic client-side document exploit vector. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a maliciously crafted PDF that triggers a use-after-free condition in the parser. Exploitation runs at the privilege of the user opening the file, and no public exploit identified at time of analysis. CVSS 7.8 reflects the local attack vector and required user interaction, but Reader's massive install base makes this a high-value target for phishing-driven campaigns.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier stems from a Use After Free condition (CWE-416) that triggers when a victim opens a malicious PDF, yielding execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the file-opening attack pattern is a perennial favorite in phishing and document-borne campaigns targeting Acrobat. Adobe has shipped fixed builds under advisory APSB26-63.
Arbitrary code execution in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier occurs through a use-after-free condition triggered by opening a malicious PDF document. Successful exploitation runs code in the context of the current user, but no public exploit identified at time of analysis and the issue requires user interaction to open the crafted file.
Arbitrary code execution in Adobe Acrobat Reader 24.001.30365, 26.001.21651, and earlier versions occurs through a use-after-free condition triggered when a victim opens a malicious PDF file. Successful exploitation runs attacker-supplied code with the privileges of the current user, making this a viable phishing and drive-by document attack vector. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier stems from a use-after-free condition triggered when a user opens a maliciously crafted document, allowing an attacker to run code with the privileges of the logged-in user. The flaw is reported by Adobe with a CVSS 3.1 base score of 7.8 and tagged for RCE, denial of service, and memory corruption, but there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in Microsoft Windows Kernel allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition (CWE-416). The flaw carries a CVSS 7.8 score with local attack vector and low privileges required, and no public exploit has been identified at time of analysis. Microsoft Security Response Center (MSRC) is the sole referenced authoritative source, indicating this is a vendor-discovered and vendor-tracked issue.
Remote code execution in Microsoft Remote Desktop Client is possible via a heap-based buffer overflow that an unauthenticated remote attacker can trigger when a user is convinced to connect to a malicious RDP server. The flaw is rated CVSS 7.5 (High) with attack complexity High and required user interaction, and no public exploit identified at time of analysis. The CWE-416 classification combined with the vendor's tags points to a use-after-free condition reachable through crafted RDP server responses.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that leads to arbitrary code execution on the client machine. The flaw is unauthenticated from the server side but requires user interaction and high attack complexity, and no public exploit identified at time of analysis. CVSS is rated 7.5 (High) with confidentiality, integrity, and availability impact.
Remote code execution in Microsoft Remote Desktop Client occurs when a user connects to an attacker-controlled RDP server, allowing the server to corrupt heap memory and execute arbitrary code on the client endpoint. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and no public exploit is identified at time of analysis. The attack pivots the traditional RDP threat model - attackers compromise clients that initiate outbound connections rather than exposed servers.
Local privilege escalation in Microsoft Office Click-To-Run stems from a use-after-free condition (CWE-416) that lets an authorized low-privilege user elevate to higher privileges on the host. The flaw, reported by Microsoft's MSRC, carries a CVSS 7.0 (AV:L/AC:H/PR:L) reflecting that exploitation requires local access, low privileges, and a successful race-window or memory-state condition. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in the Windows Bluetooth Port Driver allows an authorized low-privileged attacker to elevate to higher privileges by triggering a use-after-free condition in the kernel-mode driver. The flaw is reported by Microsoft Security Response Center and carries a CVSS 7.0 (high) rating with high attack complexity, and no public exploit identified at time of analysis. EPSS data and CISA KEV status were not provided in the input, so widespread exploitation is not confirmed.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privileged user to gain elevated privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS 3.1 score of 7.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Exploitation requires the attacker to already have local code execution as a standard user, making it a strong candidate for post-compromise chaining toward SYSTEM-level access.
Local privilege escalation in the Windows Bluetooth Service stems from a use-after-free condition (CWE-416) that an authenticated low-privilege user can trigger to gain elevated rights on the host. The CVSS 7.8 vector (AV:L/AC:L/PR:L/UI:N) reflects a fully local attack with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. The flaw was reported by Microsoft (secure@microsoft.com) and tracked in the MSRC update guide.
Remote code execution in the Windows Universal Plug and Play service (upnp.dll) allows unauthenticated network attackers to execute arbitrary code by triggering a use-after-free condition. The flaw carries a CVSS 3.1 base score of 8.1, lowered by high attack complexity (AC:H) reflecting the race-condition or memory-state requirements typical of UAF bugs. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV; EPSS data was not provided in the input.
Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers an untrusted pointer dereference (CWE-416 use-after-free). The flaw lets an unauthorized attacker execute arbitrary code in the context of the current user, and no public exploit identified at time of analysis. Risk hinges on user interaction (UI:R), making phishing-style document delivery the realistic attack pathway.
Local privilege escalation in the Linux MANA (Microsoft Azure Network Adapter) driver allows an authenticated attacker with high privileges on the host to escalate privileges across security boundaries by exploiting a use-after-free condition. The flaw was reported by Microsoft Security Response Center and carries a CVSS 3.1 score of 8.2 driven by scope change and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction. The flaw carries a CVSS 3.1 score of 8.4 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Despite requiring local access, the absence of authentication and user-interaction requirements makes this a notable priority for endpoint patching cycles.
Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitrary code with the privileges of the user opening a malicious document. The CVSS vector (AV:L/PR:N/UI:N) indicates local attack vector without required authentication or user interaction, an unusual combination that warrants verification against the vendor advisory. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Local code execution in Microsoft Office via a heap-based buffer overflow that lets an unauthorized attacker run arbitrary code in the context of the current user. The flaw carries a CVSS 8.4 rating driven by high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Despite the 'unauthorized' wording, the CVSS vector specifies a local attack vector, indicating the attacker must already be able to deliver a crafted file or run code on the target system.
Local code execution in Microsoft Office via a type confusion flaw (CWE-416) permits unauthorized attackers to run arbitrary code in the context of the Office process without requiring privileges or user interaction. The issue carries a high CVSS 3.1 score of 8.4 with full impact across confidentiality, integrity, and availability, though exploitation requires local attack vector access to the target system. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privilege attacker to gain elevated rights through a use-after-free memory corruption flaw. The issue carries a CVSS 7.8 (High) rating with total confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. CISA SSVC scoring marks exploitation as 'none' and not automatable, suggesting limited real-world activity despite the severe technical impact.
Local privilege escalation in the Windows Common Log File System (CLFS) Driver allows an authenticated low-privileged attacker to elevate to SYSTEM via a use-after-free memory corruption flaw. The vulnerability carries a CVSS 7.8 rating with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. CLFS has a long history of being targeted for kernel-level privilege escalation, making this class of bug a recurring concern for Windows defenders.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free memory corruption flaw. CVSS 7.8 with high impact to confidentiality, integrity, and availability, but currently no public exploit identified at time of analysis and CISA SSVC rates exploitation status as 'none' with automation as 'no'.
Use-after-free in the Windows Network Controller (NC) Host Agent enables a locally authenticated attacker to crash the service, resulting in a denial of service on affected Windows Server deployments. The vulnerability carries a CVSS score of 5.5 (Medium) with local attack vector and low-privilege requirements, limiting its blast radius to service availability - confidentiality and integrity are unaffected. No public exploit code exists and CISA KEV listing is absent at time of analysis, though a vendor patch from Microsoft is available and should be prioritized on Windows Server deployments leveraging Software Defined Networking.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privileged user to elevate to higher privileges by exploiting a use-after-free memory corruption flaw (CWE-416). The issue was reported by Microsoft's security team (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact on the local host.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated low-privilege attacker to gain higher privileges through a use-after-free memory corruption flaw. The vulnerability carries a CVSS score of 7.8 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Successful exploitation typically yields SYSTEM-level code execution on the affected Windows host.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RDP server, where a heap-based buffer overflow (linked to use-after-free memory corruption per vendor tags) enables arbitrary code execution on the client machine. The CVSS 7.5 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis. SSVC assessment from CISA rates exploitation as 'none' and automatable as 'no', though technical impact is total.
Remote code execution in Microsoft Windows Deployment Services (WDS) allows unauthenticated network-based attackers to execute arbitrary code by exploiting a use-after-free memory corruption flaw (CWE-416). The CVSS 8.1 score reflects high impact on confidentiality, integrity, and availability, though exploit complexity is rated High. No public exploit identified at time of analysis, and SSVC marks exploitation status as none with the flaw classified as not automatable.
Local privilege escalation in the Microsoft Graphics Component allows an authenticated low-privileged attacker to gain elevated rights via a use-after-free memory corruption flaw (CWE-416). The issue carries a CVSS 7.8 (High) rating with full confidentiality, integrity, and availability impact on the affected host. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. A vendor patch is available via Microsoft MSRC.
Local privilege escalation in Microsoft Windows Kernel allows an authorized low-privileged attacker to gain elevated (SYSTEM-level) privileges by triggering a use-after-free condition in kernel memory. The flaw carries a CVSS 7.0 (High) rating with high attack complexity, and Microsoft has released a patch via MSRC; no public exploit identified at time of analysis. Successful exploitation breaks the local Windows security boundary, enabling full host compromise from any authenticated session.
Local privilege escalation in Microsoft Windows Desktop Window Manager (DWM) Core Library enables an authenticated low-privileged attacker to gain elevated privileges through a use-after-free memory corruption flaw. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but requires local access and existing user-level credentials. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (afd.sys) allows an authenticated low-privileged user to elevate to SYSTEM via a use-after-free condition. The flaw affects Microsoft Windows installations using the standard WinSock kernel driver and has a vendor-released patch available through Microsoft's security update guide. No public exploit has been identified at time of analysis, though afd.sys has historically been a frequent target for elevation-of-privilege exploitation.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library enables an authorized low-privilege user to elevate to higher privileges via a use-after-free condition. The flaw carries a CVSS 7.8 (High) and no public exploit identified at time of analysis, though Microsoft has acknowledged the issue through MSRC. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free condition in the kernel-mode driver. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but AFD.sys has a long history of being targeted for kernel EoP, making this a likely candidate for future weaponization. CVSS 7.0 reflects the high attack complexity required to reliably win the underlying race or reuse condition.
Use-after-free and VFS invariant violations in the Linux kernel SMC subsystem (5.17 through pre-6.19.4) allow local privileged users to trigger memory corruption and system instability via the TCP ULP-to-SMC conversion path. The upstream maintainers fully reverted the underlying commit d7cd421da9da rather than attempting an in-place fix, citing fundamental design flaws; no public exploit identified at time of analysis and EPSS sits at 0.02% (5th percentile).
Local privilege escalation in the Linux kernel's net/sched act_ct traffic control action stems from a use-after-free in tcf_ct_flow_table_get(), where rhashtable_lookup_fast() releases the RCU read lock before refcount_inc_not_zero() can pin the returned ct_ft object. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but Trend Micro ZDI provided detailed root-cause analysis and stable-tree patches are merged across 5.10 through 6.18 lines. Successful exploitation grants attacker-controlled kernel memory access enabling privilege escalation to root.
Heap use-after-free in OpenSSL's PKCS7_verify() function affects multiple supported branches (1.0.2, 1.1.1, 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0) and is fixed in OpenSSL 4.0.1. Authenticated remote attackers able to submit crafted PKCS#7 signed data to a vulnerable application can trigger memory corruption leading to high-impact compromise of confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis; EPSS is low (0.12%, 30th percentile) and CISA SSVC reports no observed exploitation, though the flaw is rated automatable with total technical impact.
Use-after-free memory corruption in Huawei HarmonyOS's IPC (Inter-Process Communication) module allows a network-adjacent, low-privilege authenticated attacker to exploit a race condition leading primarily to high-confidence information disclosure with secondary integrity and availability impacts. The CVSS vector (AV:N/AC:H/PR:L/UI:N) confirms remote reachability but demands precise race-condition timing and an authenticated session, materially constraining opportunistic exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and Huawei has issued a June 2026 security bulletin addressing the issue.
Use-after-free memory corruption in tmux's SIXEL image handling allows a local low-privileged attacker with high complexity to trigger memory corruption or denial of service in versions up to 3.6a. The root cause lies in the `image_free()` function in `image.c`, where image structs retain stale pointers to their original parent screen's image list after alternate screen transitions, causing `TAILQ_REMOVE` to dereference an invalid list pointer. No active exploitation is confirmed (not in CISA KEV), though publicly available exploit code exists per the CVE vector's E:P designation and a public gist from XlabAITeam. A fix is available in tmux 3.7-rc.
Sandbox escape in Google Chrome prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the Tracing component, triggered through a crafted HTML page. No public exploit identified at time of analysis, and SSVC indicates exploitation status is 'none', but the technical impact is rated total because a successful escape grants code execution at browser-process privileges. Google has shipped a fix and rates the underlying Chromium severity as Medium, while the assigned CVSS is 8.3 due to scope change and high CIA impact.
Heap corruption in Google Chrome on macOS prior to version 149.0.7827.103 can be triggered remotely through a crafted HTML page that exploits a use-after-free condition in the browser's Bluetooth component. Successful exploitation requires the victim to visit attacker-controlled content but no authentication, and Google has rated the underlying Chromium severity as High with no public exploit identified at time of analysis.
Heap corruption in Google Chrome on macOS prior to version 149.0.7827.103 allows remote attackers to potentially execute arbitrary code by luring a victim to a crafted HTML page that triggers a use-after-free in the browser's Bluetooth component. Google has released a patched stable channel update, and while no public exploit has been identified at time of analysis, the CVSS 8.8 score reflects the high impact achievable with only a single user click. CISA SSVC currently scores exploitation as 'none' but technical impact as 'total', consistent with a serious but not yet weaponized browser flaw.
Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers who have already compromised the renderer process to execute arbitrary code via a crafted HTML page that triggers a use-after-free in the ServiceWorker component. Rated High severity by Chromium with a CVSS 7.5, the flaw requires user interaction (visiting a malicious page) and a pre-existing renderer compromise, and no public exploit has been identified at time of analysis. The vendor has released a patched Stable channel update.
Sandbox escape in Google Chrome versions prior to 149.0.7827.103 allows remote attackers who have already compromised the renderer process to break out of the sandbox via a use-after-free in the Read Anything component when processing a crafted HTML page. Google rates this Chromium-severity High, and no public exploit has been identified at time of analysis, but the CVSS 8.3 score reflects the severity of full sandbox escape leading to scoped impact beyond the renderer. This is a second-stage bug requiring chaining with a renderer compromise, not a one-shot drive-by.
Heap corruption in Google Chrome on macOS prior to 149.0.7827.103 enables remote attackers to potentially execute arbitrary code by luring a user to a crafted HTML page that exploits a use-after-free in the Dawn WebGPU implementation. The flaw carries a CVSS 8.8 (High) rating and Chromium rates it High severity; no public exploit has been identified at time of analysis, but Chrome browser bugs of this class are historically attractive targets for in-the-wild exploitation. Patch is available from Google.
Remote code execution in Google Chrome versions prior to 149.0.7827.103 allows attackers to execute arbitrary code within the browser sandbox by luring users to a malicious HTML page that triggers a use-after-free in the WebCodecs component. Chromium rates this as High severity with a CVSS score of 8.8, and while a vendor patch is available, no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a crafted page), which moderates real-world risk somewhat but still places this in the high-priority browser-patching tier.
Heap corruption in Google Chrome's Ozone component on Linux before version 149.0.7827.103 allows remote attackers to potentially achieve arbitrary code execution within the browser process when a victim visits a crafted HTML page. The flaw is a use-after-free rated High severity by Chromium, with CVSS 8.8 reflecting network-reachable exploitation requiring only minimal user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote code execution in Google Chrome on Windows prior to 149.0.7827.103 allows attackers to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page, triggering a use-after-free condition in the Media component. The flaw carries a CVSS 8.8 (High) rating and is tagged by Chromium as High severity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.