← Back
CWE-416

7,688 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,688)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Qualcomm
1735g Fixed Wireless Access Platform Firmware
Ar8031 FirmwareAr8035 Firmware+170 more
Jun 17, 2026
Mar 2, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory Corruption when concurrent access to shared buffer occurs due to improper synchronization between assignment and deallocation of buffer resources.
1Qualcomm
120Ar8035 Firmware
Fastconnect 6200 FirmwareFastconnect 6900 Firmware+117 more
Jun 17, 2026
Mar 2, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls.
1Qualcomm
165Ar8031 Firmware
Ar8035 FirmwareCsra6620 Firmware+162 more
Jun 17, 2026
Mar 2, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory Corruption when concurrent access to shared buffer occurs during IOCTL calls.
1Qualcomm
164Ar8031 Firmware
Ar8035 FirmwareCsra6620 Firmware+161 more
Jun 17, 2026
Mar 2, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory corruption while handling different IOCTL calls from the user-space simultaneously.
1Google
1Android
Jun 17, 2026
Mar 2, 2026
N/A· v4
6.7 MEDIUM· v3
N/A· v2
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for...Show more
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10436998; Issue ID: MSV-5722.Show less
1Google
1Android
Jun 17, 2026
Mar 2, 2026
N/A· v4
4.4 MEDIUM· v3
N/A· v2
In display, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitati...Show more
In display, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10436998; Issue ID: MSV-5723.Show less
1Google
1Android
Jun 17, 2026
Mar 2, 2026
N/A· v4
4.4 MEDIUM· v3
N/A· v2
In imgsys, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitatio...Show more
In imgsys, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431955; Issue ID: MSV-5826.Show less
1Google
1Android
Jun 17, 2026
Mar 2, 2026
N/A· v4
4.4 MEDIUM· v3
N/A· v2
In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation....Show more
In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
7.5 HIGH· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in t...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
7.5 HIGH· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` call...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr chan...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_serve...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `g...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
7.5 HIGH· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected po...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue.Show less
1Freerdp
1Freerdp
Jun 17, 2026
Feb 25, 2026
5.5 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info`...Show more
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue.Show less
1Mozilla
2Firefox
Thunderbird
Jun 17, 2026
Feb 24, 2026
N/A· v4
5.4 MEDIUM· v3
N/A· v2
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
1Mozilla
2Firefox
Thunderbird
Jun 30, 2026
Feb 24, 2026
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
1Mozilla
2Firefox
Thunderbird
Jun 30, 2026
Feb 24, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
1Mozilla
2Firefox
Thunderbird
Jun 30, 2026
Feb 24, 2026
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.