← Back
CWE-416

7,666 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,666)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Microsoft
15Windows 10 1507
Windows 10 1607Windows 10 1809+12 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in RPC Endpoint Mapper Service allows an authorized attacker to elevate privileges locally.
1Microsoft
7Windows Server 2008
Windows Server 2012Windows Server 2016+4 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
8.1 HIGH· v3
N/A· v2
Use after free in Windows Remote Desktop Services allows an unauthorized attacker to execute code over a network.
1Microsoft
15Windows 10 1507
Windows 10 1607Windows 10 1809+12 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
8.1 HIGH· v3
N/A· v2
Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.
1Microsoft
15Windows 10 1507
Windows 10 1607Windows 10 1809+12 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
8.1 HIGH· v3
N/A· v2
Use after free in Windows LDAP - Lightweight Directory Access Protocol allows an unauthorized attacker to execute code over a network.
1Microsoft
6Windows 11 22h2
Windows 11 23h2Windows 11 24h2+3 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Secure Channel allows an authorized attacker to elevate privileges locally.
1Microsoft
15Windows 10 1507
Windows 10 1607Windows 10 1809+12 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Sensitive data storage in improperly locked memory in Windows Kernel allows an authorized attacker to elevate privileges locally.
1Microsoft
9Windows 10 1809
Windows 10 21h2Windows 10 22h2+6 more
Jun 17, 2026
Apr 8, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.
-
-
Jun 17, 2026
Apr 8, 2025
8.3 HIGH· v4
N/A· v3
N/A· v2
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream ser...Show more
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.Show less
1Qualcomm
31Qam8255p Firmware
Qam8295p FirmwareQam8620p Firmware+28 more
Jun 17, 2026
Apr 7, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory corruption while processing memory map or unmap IOCTL operations simultaneously.
1Qualcomm
25Fastconnect 7800 Firmware
Qmp1000 FirmwareSm8735 Firmware+22 more
Jun 17, 2026
Apr 7, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory corruption may occur while initiating two IOCTL calls simultaneously to create processes from two different threads.
1Qualcomm
145Ar8035 Firmware
Fastconnect 6200 FirmwareFastconnect 6700 Firmware+142 more
Jun 17, 2026
Apr 7, 2025
N/A· v4
6.7 MEDIUM· v3
N/A· v2
Memory corruption while processing multiple IOCTL calls from HLOS to DSP.
1Qualcomm
44C V2x 9150 Firmware
Fastconnect 6800 FirmwareFastconnect 6900 Firmware+41 more
Jun 17, 2026
Apr 7, 2025
N/A· v4
6.6 MEDIUM· v3
N/A· v2
Memory corruption while processing IOCTL calls to add route entry in the HW.
1Qualcomm
68C V2x 9150 Firmware
Fastconnect 6200 FirmwareFastconnect 6800 Firmware+65 more
Jun 17, 2026
Apr 7, 2025
N/A· v4
6.6 MEDIUM· v3
N/A· v2
Memory corruption while invoking IOCTL map buffer request from userspace.
1Qualcomm
98Csrb31024 Firmware
Fastconnect 6200 FirmwareFastconnect 6700 Firmware+95 more
Jun 17, 2026
Apr 7, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory corruption while handling file descriptor during listener registration/de-registration.
1Php
1Php
Jun 17, 2026
Apr 4, 2025
9.2 CRITICAL· v4
8.1 HIGH· v3
N/A· v2
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory la...Show more
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.Show less
1Microsoft
1Edge Chromium
Jun 17, 2026
Apr 4, 2025
N/A· v4
7.6 HIGH· v3
N/A· v2
Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.
-
-
Jun 17, 2026
Apr 3, 2025
8.7 HIGH· v4
N/A· v3
N/A· v2
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash....Show more
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Apr 3, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free.
1Linux
1Linux Kernel
Jun 17, 2026
Apr 3, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it...Show more
In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path]Show less
1Google
1Chrome
Jun 17, 2026
Apr 2, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in Site Isolation in Google Chrome prior to 135.0.7049.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)