CWE-416
7,688 CVEs • Abstraction: Variant • Likelihood of Exploit: High
Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CVEs (7,688)
CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS |
|---|
1Qualcomm 1735g Fixed Wireless Access Platform Firmware Ar8031 FirmwareAr8035 Firmware+170 moreJun 17, 2026 Mar 2, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory Corruption when concurrent access to shared buffer occurs due to improper synchronization between assignment and deallocation of buffer resources. |
1Qualcomm 120Ar8035 Firmware Fastconnect 6200 FirmwareFastconnect 6900 Firmware+117 moreJun 17, 2026 Mar 2, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls. |
1Qualcomm 165Ar8031 Firmware Ar8035 FirmwareCsra6620 Firmware+162 moreJun 17, 2026 Mar 2, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory Corruption when concurrent access to shared buffer occurs during IOCTL calls. |
1Qualcomm 164Ar8031 Firmware Ar8035 FirmwareCsra6620 Firmware+161 moreJun 17, 2026 Mar 2, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Memory corruption while handling different IOCTL calls from the user-space simultaneously. |
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for...Show more |
In display, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitati...Show more |
In imgsys, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitatio...Show more |
In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation....Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in t...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` call...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr chan...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_serve...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `g...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected po...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail...Show more |
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info`...Show more |
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. |
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. |
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. |
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. |