← Back
CWE-416

7,688 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,688)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Microsoft
14Windows 10 1607
Windows 10 1809Windows 10 21h2+11 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Windows Authentication Methods allows an authorized attacker to elevate privileges locally.
1Microsoft
7Windows 11 23h2
Windows 11 24h2Windows 11 25h2+4 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
1Microsoft
4Windows 11 24h2
Windows 11 25h2Windows 11 26h1+1 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.4 HIGH· v3
N/A· v2
Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.
1Microsoft
13Windows 10 1607
Windows 10 1809Windows 10 21h2+10 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Device Association Service allows an authorized attacker to elevate privileges locally.
1Microsoft
11Windows 10 1809
Windows 10 21h2Windows 10 22h2+8 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally.
1Microsoft
14Windows 10 1607
Windows 10 1809Windows 10 21h2+11 more
Jun 19, 2026
Mar 10, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
1Microsoft
15365 Copilot
OfficeWindows 10 1607+12 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally.
1Microsoft
13Windows 10 1607
Windows 10 1809Windows 10 21h2+10 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to elevate privileges locally.
1Microsoft
14Windows 10 1607
Windows 10 1809Windows 10 21h2+11 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in RPC Runtime allows an authorized attacker to execute code over a network.
1Microsoft
7Windows 10 1809
Windows 10 21h2Windows 10 22h2+4 more
Jun 17, 2026
Mar 10, 2026
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Broadcast DVR allows an authorized attacker to elevate privileges locally.
1Imagemagick
1Imagemagick
Jun 17, 2026
Mar 10, 2026
N/A· v4
5.3 MEDIUM· v3
N/A· v2
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image...Show more
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.Show less
1Imagemagick
1Imagemagick
Jun 17, 2026
Mar 10, 2026
N/A· v4
5.3 MEDIUM· v3
N/A· v2
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker...Show more
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.Show less
1Pjsip
1Pjsip
Jun 17, 2026
Mar 6, 2026
8.7 HIGH· v4
7.5 HIGH· v3
N/A· v2
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during...Show more
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.Show less
-
-
Jun 17, 2026
Mar 5, 2026
7.1 HIGH· v4
N/A· v3
N/A· v2
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collecto...Show more
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privilege escalation (LPE) caused by a use-after-free (UAF). Ubuntu builds that have already taken the new GC stack from commit 4090fa373f0e, and mainline Linux kernels shipping that infrastructure are unaffected because they no longer execute the legacy collector path. This issue affects Ubuntu Linux from 6.8.0-56.58 before 6.8.0-84.84.Show less
1Emqx
1Nanomq
Jun 17, 2026
Mar 4, 2026
N/A· v4
5.3 MEDIUM· v3
N/A· v2
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massi...Show more
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Mar 4, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition...Show more
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback(). Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Mar 4, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in...Show more
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain. Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.Show less
1Google
1Android
Jun 17, 2026
Mar 2, 2026
N/A· v4
6.7 MEDIUM· v3
N/A· v2
In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not need...Show more
In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Show less
1Qualcomm
165Ar8031 Firmware
Ar8035 FirmwareCsra6620 Firmware+162 more
Jun 17, 2026
Mar 2, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory Corruption while invoking IOCTL calls when concurrent access to shared buffer occurs.
1Qualcomm
25Lemans Au Lgit Firmware
Lemansau FirmwareQam8255p Firmware+22 more
Jun 17, 2026
Mar 2, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory Corruption while processing IOCTL calls when concurrent access to shared buffer occurs.