← Back
CWE-416

7,674 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,674)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Microsoft
4365 Apps
OfficeOffice Long Term Servicing Channel+1 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
1Microsoft
4365 Apps
OfficeOffice Long Term Servicing Channel+1 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Free of memory not on the heap in Microsoft Office allows an unauthorized attacker to execute code locally.
1Microsoft
5365 Apps
ExcelOffice+2 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
1Microsoft
5365 Apps
ExcelOffice+2 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
1Microsoft
5365 Apps
ExcelOffice+2 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
1Microsoft
5365 Apps
ExcelOffice+2 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
1Microsoft
13Windows 10 1507
Windows 10 1607Windows 10 1809+10 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally.
1Microsoft
13Windows 10 1507
Windows 10 1607Windows 10 1809+10 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Windows UI XAML Phone DatePickerFlyout allows an authorized attacker to elevate privileges locally.
1Microsoft
2Windows 11 24h2
Windows Server 2025
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
1Microsoft
3Windows 11 24h2
Windows Server 2022 23h2Windows Server 2025
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
1Microsoft
7Windows 10 21h2
Windows 10 22h2Windows 11 22h2+4 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.4 HIGH· v3
N/A· v2
Use after free in Windows Management Services allows an unauthorized attacker to elevate privileges locally.
1Microsoft
12Windows 10 1607
Windows 10 1809Windows 10 21h2+9 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally.
1Microsoft
12Windows 10 1507
Windows 10 1607Windows 10 1809+9 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
4.8 MEDIUM· v3
N/A· v2
Use after free in Windows SMBv3 Client allows an authorized attacker to execute code over a network.
1Microsoft
10Windows 10 1809
Windows 10 21h2Windows 10 22h2+7 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
1Microsoft
10Windows 10 1809
Windows 10 21h2Windows 10 22h2+7 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
1Microsoft
8Windows 10 21h2
Windows 10 22h2Windows 11 22h2+5 more
Jun 17, 2026
Sep 9, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
-
-
Jun 17, 2026
Sep 8, 2025
N/A· v4
8.1 HIGH· v3
N/A· v2
A vulnerability ( CVE-2024-38229 https://www.cve.org/CVERecord ) exists in EOL ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, re...Show more
A vulnerability ( CVE-2024-38229 https://www.cve.org/CVERecord ) exists in EOL ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote Code Execution. Per CWE-416: Use After Free https://cwe.mitre.org/data/definitions/416.html , Use After Free is when a product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.8, 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1 as represented in  CVE-2024-38229 https://www.cve.org/CVERecord . Additionally, if you've deployed self-contained applications https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd  targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. NOTE: This CVE only represents End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.Show less
1Arm
35th Gen Gpu Architecture Kernel Driver
Bifrost Gpu Kernel DriverValhall Gpu Kernel Driver
Jun 17, 2026
Sep 8, 2025
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU mem...Show more
Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform valid GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r41p0 through r49p4, from r50p0 through r51p0; Valhall GPU Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Sep 5, 2025
N/A· v4
5.5 MEDIUM· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - flush misc workqueue during device shutdown Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a t...Show more
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - flush misc workqueue during device shutdown Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded. Since the driver uses a shared workqueue (`qat_misc_wq`) across all devices and owned by intel_qat.ko, a deferred routine from the device-specific driver may still be pending in the queue. If this routine executes after the driver is unloaded, it can dereference freed memory, resulting in a page fault and kernel crash like the following: BUG: unable to handle page fault for address: ffa000002e50a01c #PF: supervisor read access in kernel mode RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] Call Trace: pm_bh_handler+0x1d2/0x250 [intel_qat] process_one_work+0x171/0x340 worker_thread+0x277/0x3a0 kthread+0xf0/0x120 ret_from_fork+0x2d/0x50 To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded. Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Sep 5, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing i...Show more
In the Linux kernel, the following vulnerability has been resolved: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE As described in commit 7a54947e727b ('Merge patch series "fs: allow changing idmappings"'), open_tree_attr(2) was necessary in order to allow for a detached mount to be created and have its idmappings changed without the risk of any racing threads operating on it. For this reason, mount_setattr(2) still does not allow for id-mappings to be changed. However, there was a bug in commit 2462651ffa76 ("fs: allow changing idmappings") which allowed users to bypass this restriction by calling open_tree_attr(2) *without* OPEN_TREE_CLONE. can_idmap_mount() prevented this bug from allowing an attached mountpoint's id-mapping from being modified (thanks to an is_anon_ns() check), but this still allows for detached (but visible) mounts to have their be id-mapping changed. This risks the same UAF and locking issues as described in the merge commit, and was likely unintentional.Show less