← Back
CWE-416

7,688 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,688)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Google
1Chrome
Jun 17, 2026
Mar 11, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in TextEncoding in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
1Google
1Chrome
Jun 17, 2026
Mar 11, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium sec...Show more
Use after free in Extensions in Google Chrome prior to 146.0.7680.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)Show less
1Google
1Chrome
Jun 17, 2026
Mar 11, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in WebMCP in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
1Google
1Chrome
Jun 17, 2026
Mar 11, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in Agents in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
1Haxx
1Curl
Jun 17, 2026
Mar 11, 2026
N/A· v4
7.5 HIGH· v3
N/A· v2
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
1Adobe
3Acrobat
Acrobat DcAcrobat Reader Dc
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation o...Show more
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.Show less
1Adobe
3Acrobat
Acrobat DcAcrobat Reader Dc
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation o...Show more
Acrobat Reader versions 24.001.30307, 24.001.30308, 25.001.21265 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.Show less
1Google
1Android
Jun 17, 2026
Mar 10, 2026
N/A· v4
2.9 LOW· v3
N/A· v2
In VPU, there is a possible use-after-free read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
1Google
1Android
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.4 HIGH· v3
N/A· v2
In vpu_open_inst of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed...Show more
In vpu_open_inst of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
1Envoyproxy
1Envoy
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.5 HIGH· v3
N/A· v2
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enab...Show more
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the safe gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request's inner state may be accessed and result in crash. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.Show less
1Envoyproxy
1Envoy
Jun 17, 2026
Mar 10, 2026
N/A· v4
5.9 MEDIUM· v3
N/A· v2
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution...Show more
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) that allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes ActiveStream::decodeData, which cascades to FilterManager::decodeData. FilterManager::decodeData fails to check the saw_downstream_reset_ flag. It iterates over the decoder_filters_ list and invokes decodeData() on filters that have already received onDestroy(). This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.Show less
1Adobe
1Substance 3d Stager
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user in...Show more
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.Show less
1Adobe
1Substance 3d Stager
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user in...Show more
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.Show less
1Mozilla
1Firefox
Jun 17, 2026
Mar 10, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabil...Show more
Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148.0.2.Show less
1Color
1Iccdev
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulner...Show more
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.Show less
1Microsoft
2365 Copilot
Office
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Integer overflow or wraparound in Microsoft Office allows an authorized attacker to elevate privileges locally.
1Microsoft
9Windows 10 21h2
Windows 10 22h2Windows 11 23h2+6 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
1Microsoft
5365 Apps
ExcelOffice+2 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
1Microsoft
5Windows 10 1809
Windows 10 21h2Windows 10 22h2+2 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
1Microsoft
14Windows 10 1607
Windows 10 1809Windows 10 21h2+11 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.