← Back
CWE-416

7,675 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,675)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Microsoft
12Windows 10 1607
Windows 10 1809Windows 10 21h2+9 more
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
1Imaginationtech
1Ddk
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal reso...Show more
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present.Show less
1Imaginationtech
1Ddk
Jun 17, 2026
Jan 13, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management...Show more
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since thi...Show more
In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. v2: (Matt A) - Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl() (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)Show less
1Linux
1Linux Kernel
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the a...Show more
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit()...Show more
In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open().Show less
1Linux
1Linux Kernel
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful loo...Show more
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Jan 13, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect...Show more
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.Show less
1Mozilla
2Firefox
Thunderbird
Jun 17, 2026
Jan 13, 2026
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
1Mozilla
2Firefox
Thunderbird
Jun 17, 2026
Jan 13, 2026
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
1Mozilla
2Firefox
Thunderbird
Jun 30, 2026
Jan 13, 2026
N/A· v4
8.8 HIGH· v3
N/A· v2
Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
1Espressif
1Usb Host Hid Driver
Jun 17, 2026
Jan 12, 2026
N/A· v4
6.8 MEDIUM· v3
N/A· v2
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is...Show more
Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0.Show less
1Samsung
1Android
Jun 17, 2026
Jan 9, 2026
7.3 HIGH· v4
7.8 HIGH· v3
N/A· v2
Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code.
1Samsung
1Android
Jun 17, 2026
Jan 9, 2026
6.7 MEDIUM· v4
6.7 MEDIUM· v3
N/A· v2
Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code.
1Qualcomm
185Ar8035 Firmware
Ar9380 FirmwareCsr8811 Firmware+182 more
Jun 17, 2026
Jan 7, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory corruption while deinitializing a HDCP session.
1Qualcomm
63Fastconnect 6700 Firmware
Fastconnect 6900 FirmwareFastconnect 7800 Firmware+60 more
Jun 17, 2026
Jan 7, 2026
N/A· v4
6.7 MEDIUM· v3
N/A· v2
Memory corruption while accessing a synchronization object during concurrent operations.
1Qualcomm
18Fastconnect 7800 Firmware
Qmp1000 FirmwareSm8735 Firmware+15 more
Jun 17, 2026
Jan 7, 2026
N/A· v4
6.7 MEDIUM· v3
N/A· v2
Memory corruption while performing sensor register read operations.
1Qualcomm
237Aqt1000 Firmware
Ar8031 FirmwareAr8035 Firmware+234 more
Jun 17, 2026
Jan 7, 2026
N/A· v4
6.6 MEDIUM· v3
N/A· v2
Memory corruption while handling buffer mapping operations in the cryptographic driver.
1Color
1Iccdev
Jun 17, 2026
Jan 6, 2026
N/A· v4
7.8 HIGH· v3
N/A· v2
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bou...Show more
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.Show less
1Color
1Iccdev
Jun 17, 2026
Jan 6, 2026
N/A· v4
9.8 CRITICAL· v3
N/A· v2
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint....Show more
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.Show less