Use After Free
Use-after-free vulnerabilities occur when a program continues to access memory through a pointer after that memory has been deallocated.
How It Works
Use-after-free vulnerabilities occur when a program continues to access memory through a pointer after that memory has been deallocated. When memory is freed, it returns to the allocator's pool and may be reallocated for an entirely different purpose. The original pointer becomes "dangling"—it still points to that memory location, but the contents are now undefined or controlled by different code.
Attackers exploit this by orchestrating a three-step process: first, trigger the memory deallocation; second, cause the allocator to reassign that same memory region with attacker-controlled data (often through carefully timed allocations); third, trigger the program to dereference the dangling pointer. Because the memory now contains attacker data instead of the expected object, this can corrupt function pointers, vtables, or other critical structures.
The vulnerability is particularly dangerous in object-oriented code where freed objects contain function pointers or virtual method tables. When the program calls a method on the freed object, it may jump to attacker-controlled addresses. Browser engines are frequent targets because DOM manipulation allows attackers to control object allocation and deallocation timing through JavaScript, while kernel UAFs enable privilege escalation by manipulating file descriptors or process structures.
Impact
- Arbitrary code execution — attacker overwrites function pointers or vtables to redirect program flow to malicious code
- Privilege escalation — in kernel UAFs, gain root/system privileges by corrupting process credentials or security tokens
- Information disclosure — read sensitive data from reallocated memory that wasn't properly cleared
- Sandbox escape — break out of browser or application sandboxes by corrupting security-critical objects
- Denial of service — crash the application through memory corruption, though attackers typically aim for exploitation rather than simple crashes
Real-World Examples
CVE-2021-30551 affected Chrome's V8 JavaScript engine, where improper handling of JavaScript typed arrays created a use-after-free in object property management. Attackers could trigger object deletion while retaining references, then reallocate the memory with controlled data to achieve code execution within the renderer process.
Windows kernel vulnerabilities like CVE-2020-17087 involved use-after-free conditions in the Windows keyboard layout handling code. Attackers exploited race conditions in keyboard layout switching to free kernel objects while retaining references, then reallocated the memory with controlled structures to elevate privileges from user to SYSTEM level.
The WhatsApp vulnerability CVE-2019-11932 demonstrated UAF exploitation in media parsing code, where specially crafted GIF files triggered premature memory deallocation. Subsequent access to the freed buffers allowed remote code execution without user interaction beyond receiving the malicious file.
Mitigation
- Memory-safe languages — use Rust, Go, Swift, or other languages with automatic memory management
- Smart pointers — employ RAII patterns and reference counting (unique_ptr, shared_ptr in C++)
- AddressSanitizer (ASAN) — detect UAF during testing through instrumented builds
- Immediate pointer nullification — set pointers to NULL after free() to cause immediate crashes rather than exploitable conditions
- Garbage collection — languages with GC prevent manual memory management errors
- Control Flow Integrity (CFI) — limits exploit impact by validating function pointer targets
- Heap hardening — allocator metadata protection and delayed reuse policies increase exploitation difficulty
Recent CVEs (6128)
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a use-after-free in the PerformanceManager component triggered by a crafted HTML page. Exploitation requires user interaction (visiting a malicious page) and a pre-existing renderer compromise, and while no public exploit has been identified at time of analysis, EPSS rates exploitation probability as low (0.03%, 11th percentile). The flaw is rated High severity by Chromium and carries a CVSS 3.1 score of 8.3 due to the scope-changing nature of a sandbox escape.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out via a use-after-free in the Passwords component, delivered through a crafted HTML page. Exploitation requires user interaction and high attack complexity, and no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as High and a vendor patch is available.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Input component. Chromium rates the severity as High and CVSS scores it 8.3, but EPSS estimates exploitation probability at only 0.03% (11th percentile) and no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring an attacker to first achieve renderer code execution before leveraging this bug.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the WebXR component, allowing a remote attacker to run arbitrary code within the browser's renderer sandbox by enticing a victim to visit a crafted HTML page. Google rates the underlying Chromium severity as High, and a vendor patch has been released; no public exploit identified at time of analysis.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Core component. Google rates this Chromium severity as High, and a vendor patch is available; no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile). Exploitation requires a chained renderer compromise plus user interaction, so it is a meaningful second-stage primitive rather than a one-shot drive-by RCE.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox by serving a crafted PDF file that triggers a use-after-free in the Views component. Chromium rates the severity as High and Google has shipped a fixed Stable channel build, but no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile). The bug is a second-stage primitive - it requires an existing renderer compromise plus user interaction with a malicious PDF, which is the typical shape of a Chrome exploit chain.
Remote code execution in Google Chrome's Network component prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by the Chromium team, and while no public exploit is identified at time of analysis, browser memory-corruption bugs of this class are historically attractive targets when chained with a sandbox escape.
Heap corruption in Google Chrome on macOS prior to version 148.0.7778.216 can be triggered remotely through a crafted HTML page combined with specific user interface gestures, leveraging a use-after-free condition in the WebAppInstalls component. Chrome rates this as High severity and has shipped a patched stable channel release, though no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.03%.
Sandbox escape in Google Chrome on Linux prior to 148.0.7778.216 allows remote attackers to leverage a WebRTC use-after-free condition through a crafted HTML page to break out of the renderer sandbox. The flaw was reported by the Chrome security team and rated High severity by Chromium, with no public exploit identified at time of analysis and an EPSS score of 0.03% (10th percentile) suggesting low near-term exploitation likelihood. Successful exploitation requires user interaction (visiting a malicious page) and high attack complexity, but the scope-changing impact (S:C) and full CIA compromise make it a meaningful browser-targeted risk.
Remote code execution in Google Chrome for Windows versions prior to 148.0.7778.216 stems from a use-after-free condition in the UI component, allowing remote attackers to execute arbitrary code by luring a user to a crafted HTML page. Chromium rated the issue High severity and CVSS 8.8 reflects the network-reachable, low-complexity nature of the bug, tempered only by required user interaction (visiting the malicious page). No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.
Sandboxed remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 stems from a use-after-free defect in the Glic component, allowing a remote attacker to corrupt memory and execute arbitrary code within the renderer sandbox when a victim visits a crafted HTML page. Google has rated the Chromium severity as High and shipped a Stable channel update; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The CVSS 8.8 score reflects network reachability and user interaction (loading a page), with full impact to confidentiality, integrity, and availability inside the sandboxed process.
Sandbox escape in Google Chrome's WebGL component (versions prior to 148.0.7778.216) allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, requiring user interaction (visiting a page) and a prior renderer compromise, making it a second-stage exploit primitive. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03%.
Arbitrary code execution in Google Chrome on macOS prior to 148.0.7778.216 stems from a use-after-free condition in the Bluetooth component, exploitable through a malicious browser extension. Chromium rates the severity as High, and while CVSS scores it 8.1 with network attack vector, real-world exploitation requires the victim to install an attacker-controlled extension. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code within the browser sandbox by enticing a victim to load a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High by Chromium's security team, and while no public exploit identified at time of analysis, the CVSS 8.8 score reflects the low-complexity network-based attack vector combined with the high impact across confidentiality, integrity, and availability. User interaction (visiting a malicious page) is required, but otherwise no authentication or privileges are needed.
Heap corruption in Google Chrome's SurfaceCapture component (versions prior to 148.0.7778.216) allows a remote attacker to potentially execute arbitrary code by luring a user to a crafted HTML page. The flaw is a use-after-free issue rated High severity by the Chromium project, with a CVSS score of 8.8 reflecting low complexity and no authentication, though user interaction is required. There is no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), but the historical pattern of Chrome UAF bugs being weaponized makes patching urgent.
Heap corruption in Google Chrome's PDFium component before version 148.0.7778.216 lets a remote attacker trigger a use-after-free condition by serving a crafted PDF, opening the door to code execution within the renderer process. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (UI:R) to open or render the malicious document. EPSS is currently very low (0.03%, 11th percentile) and no public exploit has been identified at time of analysis, though Chrome PDFium UAFs have a long history of weaponization in browser exploit chains.
Sandboxed arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the PDF component that remote attackers can trigger by serving a crafted PDF file. The flaw carries a CVSS 8.8 rating reflecting network reach with required user interaction (opening or rendering a malicious PDF), and no public exploit identified at time of analysis though Google rates the underlying Chromium severity as High.
Remote code execution in Google Chrome on iOS prior to 148.0.7778.216 allows attackers to exploit a use-after-free memory corruption flaw when a victim is lured to a malicious HTML page and performs specific UI gestures. The issue carries a CVSS 7.5 (High) score with high attack complexity and required user interaction, and no public exploit has been identified at time of analysis.
Heap corruption in Google Chrome's TabStrip component before version 148.0.7778.216 allows remote attackers to potentially achieve code execution by serving a crafted HTML page and inducing the victim to perform specific UI gestures. Chromium rates the issue High severity, but EPSS places exploitation probability at just 0.03% (11th percentile) and no public exploit identified at time of analysis, reflecting the high attack complexity and required user interaction.
Remote code execution in Google Chrome's WebAudio component (versions prior to 148.0.7778.216) allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue rated High severity by Chromium, with a CVSS score of 8.8 reflecting low attack complexity and no authentication required, though user interaction (visiting a page) is needed. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers to break out of the renderer process sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free condition in the UI component. Chromium rates the severity as High, and a vendor patch is available; no public exploit identified at time of analysis and EPSS exploitation probability is currently very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on Windows before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page leveraging a use-after-free in Core. The flaw is rated High by Chromium and carries CVSS 8.3, but EPSS is very low (0.03%) and no public exploit identified at time of analysis, so it is most relevant as the second stage of a multi-bug exploit chain rather than a standalone entry vector.
Sandbox escape in Google Chrome on macOS before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a use-after-free in the Views UI component. The flaw is rated High severity by Chromium and carries a CVSS 8.3 due to scope change, but EPSS is only 0.03% and there is no public exploit identified at time of analysis. Exploitation is realistic only as the second stage of a chained renderer compromise rather than a standalone drive-by attack.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the browser's XML handling component, allowing a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. Chromium rates the severity as High with a CVSS 3.1 score of 8.8, and exploitation requires user interaction such as visiting a malicious site. No public exploit identified at time of analysis, but use-after-free flaws in Chrome's XML parsing have historically been chained with sandbox escapes for full system compromise.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer that lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Google rates this High severity and a vendor patch is available, but EPSS scoring (0.03%, 11th percentile) is low and no public exploit identified at time of analysis, suggesting it has not yet been weaponized broadly.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.216 allows attackers to execute arbitrary code within the renderer sandbox by enticing a victim to visit a crafted HTML page that triggers a use-after-free condition in the Media component. Rated High severity by Chromium with a CVSS 8.8 score, the flaw requires user interaction (visiting a malicious page) but no authentication, and no public exploit identified at time of analysis.
Remote code execution in Google Chrome (ANGLE component) prior to version 148.0.7778.216 allows a remote attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) rated High severity by Chromium and CVSS 8.8, requiring only that a victim visit a malicious page. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Sandbox escape in Google Chrome on Windows versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the UI component, triggered by a crafted HTML page. Chromium rates this High severity and a vendor patch is available, though no public exploit has been identified at time of analysis and EPSS exploitation probability is very low (0.03%, 11th percentile).
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the GPU/GFX sandbox via a crafted HTML page, leveraging a use-after-free condition. The flaw is rated High severity by Chromium (CVSS 8.3) and requires user interaction plus a chained renderer compromise; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.03%).
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the Aura UI framework component. A remote attacker who lures a user to a malicious HTML page and convinces them to perform specific UI gestures can execute arbitrary code within the browser process. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects high attack complexity combined with required user interaction.
Use-after-free in the Input component of Google Chrome prior to 148.0.7778.216 allows a remote attacker to trigger heap corruption when a victim is lured to a crafted HTML page and performs specific UI gestures. Chromium rates the severity High, and while no public exploit identified at time of analysis and EPSS is very low (0.03%, 11th percentile), the bug class historically yields renderer RCE when chained with a sandbox escape. A vendor patch is available in the stable channel update referenced by Google.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the renderer sandbox via a use-after-free in the ANGLE graphics layer. Exploitation requires user interaction (visiting a crafted HTML page) and a pre-existing renderer compromise, so it functions as the second stage of an exploit chain rather than a standalone RCE. No public exploit identified at time of analysis and EPSS is very low (0.03%), but Chrome rates the underlying flaw as High severity.
Sandbox escape in Google Chrome's GPU process prior to version 148.0.7778.216 lets a remote attacker who has already gained code execution inside the renderer process break out of Chrome's sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and carries CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C). EPSS is very low (0.03%), and there is no public exploit identified at time of analysis, but the bug is part of a stable-channel security release shipped by Google.
Remote code execution in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows attackers to run arbitrary code inside the browser sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free memory corruption issue (CWE-416) reported internally by the Chrome team and rated High by Chromium; no public exploit identified at time of analysis, though Chrome UAF bugs in ANGLE are historically attractive targets and pair well with sandbox escapes.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables remote attackers, who have already compromised the renderer process, to break out of the browser sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction (visiting a crafted HTML page) and a prior renderer compromise, making this a second-stage primitive in a chained attack. EPSS is low at 0.03% and there is no public exploit identified at time of analysis, though Google rates the underlying Chromium severity as High.
Heap corruption in Google Chrome's Skia graphics library affects all versions prior to 148.0.7778.216 and can be triggered by a remote attacker hosting a crafted HTML page. Successful exploitation requires user interaction (visiting the page) but yields high confidentiality, integrity, and availability impact within the renderer context. No public exploit is identified at time of analysis and EPSS is very low (0.03%), though Chromium rates the severity as High and a vendor patch is available.
Renderer-to-browser sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 enables remote code execution via a use-after-free in the GPU process. An attacker who has already compromised the renderer can leverage a crafted HTML page to corrupt GPU process memory and execute arbitrary code outside the renderer sandbox. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page exploiting a use-after-free in the Accessibility component. Chromium rates the severity as High and a vendor patch is available, but no public exploit has been identified at time of analysis and EPSS exploitation probability remains very low at 0.03%.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free condition in the ANGLE graphics translation layer, triggered when a victim visits a crafted HTML page. Remote attackers can potentially break out of Chrome's renderer sandbox to gain broader access on the host system. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.03% (11th percentile), though the Chromium team rated severity as High.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers a use-after-free in the Accessibility component. Chromium rates the issue High severity and a vendor patch is available, though no public exploit identified at time of analysis and EPSS exploitation probability is currently low (0.03%, 11th percentile).
Sandbox escape and arbitrary code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in the ANGLE graphics translation layer. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break memory safety and execute code in a higher-privileged context. No public exploit identified at time of analysis, though Chromium rates the underlying severity as High.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High severity by Chromium with a CVSS score of 8.3, but EPSS exploitation probability is currently very low at 0.03% and no public exploit has been identified at time of analysis.
Remote code execution in Google Chrome prior to 148.0.7778.216 enables a remote attacker to execute arbitrary code within the renderer sandbox by luring a user to a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw carries a CVSS 8.8 (High) rating reflecting network reach with required user interaction, and Google has rated the Chromium severity as High; no public exploit is identified at the time of analysis and the issue is not listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free in the GPU process. Chrome rates the underlying memory corruption as High severity, and while no public exploit identified at time of analysis, the bug is part of a chained-exploit class historically weaponized against browsers. EPSS is very low (0.03%) reflecting the prerequisite of an already-compromised renderer rather than a direct one-shot RCE.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page that triggers a use-after-free in the Skia graphics library. Google rated this Critical internally, though no public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.03% (11th percentile). The flaw requires chaining with a separate renderer compromise, so it is a second-stage primitive rather than a single-shot RCE.
Sandbox escape in Google Chrome before 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted Chrome Extension exploiting a use-after-free in the Extensions component. Chromium rates the underlying flaw as Critical severity, though no public exploit has been identified at time of analysis and EPSS exploitation probability sits at 0.03% (11th percentile).
Sandbox escape in Google Chrome on Windows prior to 148.0.7778.216 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page targeting the XR (WebXR) component. The flaw is a use-after-free rated Critical by Chromium and CVSS 8.3 (AV:N/AC:H/PR:N/UI:R/S:C); no public exploit identified at time of analysis and EPSS is low at 0.03%, but the bug forms a key link in a multi-stage browser exploit chain.
Sandbox escape in Google Chrome for Android versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of the sandbox via a use-after-free flaw in the WebView component. Chromium rates the severity as Critical, and a vendor patch is available; no public exploit identified at time of analysis and EPSS is very low (0.03%, 10th percentile), but the chained-exploit potential against mobile users makes prompt patching important.
Remote code execution in Google Chrome prior to 148.0.7778.216 allows attackers to exploit a use-after-free condition in the Proxy component via a malicious PAC (Proxy Auto-Config) script delivered through a crafted web page. Chromium rates this as Critical severity, and while no public exploit identified at time of analysis, the EPSS score of 0.04% reflects low predicted exploitation activity despite the high CVSS 8.8 rating. Successful exploitation requires user interaction (UI:R) such as visiting an attacker-controlled page that triggers the vulnerable PAC processing path.
Sandbox escape in Google Chrome on macOS prior to 148.0.7778.216 allows a remote attacker to break out of the renderer sandbox by enticing a user to visit a crafted HTML page that triggers a use-after-free in the Base component. Chromium rates the severity Critical and CVSS scores it 9.6, though no public exploit is identified at time of analysis and EPSS exploitation probability is currently very low (0.03%).
Remote code execution in Google Chrome on macOS prior to version 148.0.7778.216 allows attackers to exploit a use-after-free flaw in the Browser component via a malicious HTML page. Rated Critical by Chromium's security team with a CVSS of 8.8, exploitation requires user interaction (visiting a crafted page) but no authentication, and no public exploit identified at time of analysis. A vendor patch is available through the Chrome stable channel update.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code via a crafted HTML page exploiting a use-after-free flaw in the Base component. Chromium classifies the severity as Critical, and Google has shipped a stable channel update; no public exploit has been identified at time of analysis. Exploitation requires user interaction (visiting a malicious page), which is the typical drive-by browser attack model.
Sandbox escape in Google Chrome on macOS versions prior to 148.0.7778.216 allows attackers to break out of the browser's renderer sandbox via a use-after-free flaw in the Bluetooth component. Exploitation requires convincing a user to install a malicious Chrome Extension, which then triggers the bug through crafted extension interactions. Chromium rates this Critical severity; no public exploit identified at time of analysis and EPSS remains low (0.01%) despite the high CVSS of 9.0.
Remote code execution in Google Chrome versions prior to 148.0.7778.216 stems from a use-after-free flaw in ANGLE, the graphics abstraction layer that translates OpenGL ES calls to native GPU APIs. A remote attacker who lures a user into visiting a crafted HTML page can execute arbitrary code within the renderer sandbox, with Chromium rating the severity as Critical. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 enables a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a use-after-free flaw in the ANGLE graphics translation layer. Exploitation requires user interaction with a crafted HTML page and is typically chained with a separate renderer-compromise bug. No public exploit identified at time of analysis, and EPSS is very low (0.03%), though Google rated the underlying issue Critical severity.
Sandbox escape in Google Chrome for Android prior to 148.0.7778.216 allows a remote attacker who lures a user to a crafted HTML page to break out of the renderer sandbox by exploiting a use-after-free condition in the WebGL component. Chromium rates the issue Critical and CVSS scores it 9.6 due to the scope change from compromised renderer to host, though EPSS is only 0.03% (10th percentile) and no public exploit identified at time of analysis.
Sandbox escape in Google Chrome versions prior to 148.0.7778.216 allows a remote attacker to exploit a use-after-free condition in the Dawn WebGPU implementation through a crafted HTML page, leading to potential escape from the browser's renderer sandbox. The flaw carries a CVSS 9.6 with scope change reflecting cross-boundary impact, and while no public exploit identified at time of analysis, Google's own classification of the underlying Chromium severity as Critical signals significant risk to end users. EPSS is currently low (0.03%, 11th percentile), suggesting no widespread exploitation has been observed yet despite the severity.
Remote code execution in Google Chrome desktop versions prior to 148.0.7778.216 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a use-after-free condition in the Network component. Google rates the underlying Chromium issue as Critical severity, and no public exploit identified at time of analysis, though the bug class and reachable attack surface make it a high-priority browser patch.
Local privilege escalation in Ubuntu Linux 6.8 kernel stems from an AppArmor SAUCE patch that omits proper locking when modifying a linked list, enabling a race condition that can be exploited by an unprivileged local user. Successful exploitation leads to a use-after-free condition with theoretical arbitrary code execution in kernel context. No public exploit identified at time of analysis, and the issue is not present on the CISA KEV list.
Use-after-free in the Linux kernel SPI controller driver for Freescale MPC52xx (spi-mpc52xx) occurs when controller registration fails and the previously requested interrupts are not properly disabled or released, leaving dangling interrupt handlers tied to freed memory. Local users with the ability to load or interact with this SPI driver on affected systems could potentially trigger memory corruption or information disclosure. EPSS is 0.02% and there is no public exploit identified at time of analysis, but the issue is rated CVSS 7.8 due to high impact on confidentiality, integrity, and availability.
Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.
Local privilege escalation in the Linux kernel SCTP subsystem allows unprivileged users to trigger a use-after-free or type confusion in the SCTP_SENDALL code path. The flaw stems from a stale iterator cursor in sctp_sendmsg() that survives across a dropped socket lock, and the type-confusion variant yields a controlled indirect call via outqueue.sched->init_sid. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the vendor description explicitly notes both bugs are reachable from CapEff=0.
Use-after-free in the Linux kernel's MPC52xx SPI driver (spi-mpc52xx) can be triggered when the driver is unbound, because the interrupt-scheduled state machine work is not cancelled after interrupts are disabled. Local users with the ability to unbind the driver could potentially corrupt kernel memory, with confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Use-after-free in the Linux kernel's DRM (Direct Rendering Manager) GEM handle subsystem allows a local authenticated attacker to trigger memory corruption via a race condition in the change_handle ioctl. The flaw stems from a window where a single GEM object briefly held two IDR entries, letting a concurrent gem_close call dereference a dangling handle. No public exploit identified at time of analysis and EPSS exploitation probability is low (0.02%), but the CVSS 7.8 reflects full confidentiality, integrity, and availability impact on affected systems.
Use-after-free in the Linux kernel's appletb-kbd HID driver allows local low-privileged users on Apple Touch Bar-equipped MacBooks to potentially trigger memory corruption during driver tear-down. The flaw stems from incorrect ordering of timer cleanup and device reference release in the inactivity-timer cleanup path, leaving two race windows where a softirq can dereference freed backlight_device memory. EPSS is very low (0.02%) and no public exploit identified at time of analysis; impact is limited to systems running the appletb-kbd driver, primarily Apple MacBook Pro hardware with Touch Bars.
Use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. Advanced) mesh networking module's bridge loop avoidance (BLA) subsystem allows adjacent attackers on the same Layer-2 segment to potentially trigger memory corruption when claim entries are deleted. The flaw, with a CVSS of 8.8 (AV:A/AC:L/PR:N/UI:N), exists in batadv_bla_del_backbone_claims() where a claim reference may be released before its final use, enabling exploitation by anyone able to inject mesh traffic. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but upstream fixes have been released across multiple stable kernel branches.
Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.
Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.
Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.
Local privilege escalation potential exists in the Linux kernel's sched_ext (SCX) subsystem where a use-after-free condition in cgroup setter operations can be triggered when a BPF scheduler is swapped concurrently with cgroup weight, idle, or bandwidth updates. The flaw affects kernel 6.18 and related stable branches and stems from reading scx_root outside the scx_cgroup_ops_rwsem, allowing a stale pointer to be dereferenced after the previous scheduler is freed via RCU. EPSS is very low (0.02%) and no public exploit is identified at time of analysis.
Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.
Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.
Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).
Use-after-free in the Linux kernel's xfrm (IPsec) state management subsystem allows local attackers with low privileges to trigger memory corruption via concurrent xfrm_state lifecycle operations. The flaw resides in __xfrm_state_delete() where value-based predicates on x->km.seq and x->id.spi can race with xfrm_alloc_spi() outside of xfrm_state_lock, leading to slab-use-after-free writes through LIST_POISON pointers on the byseq/byspi/bydst/bysrc hash chains. No public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), but a vendor patch is available.
Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.
Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Local privilege escalation potential via use-after-free in the Linux kernel's ALSA aloop (snd-aloop) driver allows authenticated local users to trigger memory corruption by racing PCM stream close against a peer format-change stop. The flaw stems from snd_pcm_stop() running after cable->lock is dropped, leaving a stale peer substream pointer that can be freed by a concurrent close. Upstream fixes are merged into stable trees (6.12.88, 6.18.27, 7.0.4, 7.1-rc2); no public exploit identified at time of analysis and EPSS is very low at 0.02%.
Use-after-free in the Linux kernel's RDMA mana_ib driver (Microsoft Azure Network Adapter) lets a local user trigger stale firmware RX steering after destroying an RSS QP, so incoming completions land on reused CQ IDs and corrupt kernel state. It affects Linux deployments on Azure VMs using MANA with RDMA/DPDK; an attacker who can create and destroy RSS QPs (e.g., via a DPDK application exit while a peer keeps transmitting) can drive completions onto TX CQs and crash or corrupt the driver. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 5th percentile), indicating low real-world exploitation likelihood.
Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.
Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.
Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.
Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.
Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.
Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.
Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.
Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.
Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.