← Back
CWE-416

7,666 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

JSON object

Loading...

CVEs (7,666)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Microsoft
4365 Apps
OfficeOffice Long Term Servicing Channel+1 more
Jun 17, 2026
Mar 11, 2025
N/A· v4
7.0 HIGH· v3
N/A· v2
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
1Microsoft
2365 Apps
Office Long Term Servicing Channel
Jun 17, 2026
Mar 11, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
1Microsoft
15Windows 10 1507
Windows 10 1607Windows 10 1809+12 more
Jun 17, 2026
Mar 11, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Local Security Authority Server (lsasrv) allows an authorized attacker to elevate privileges locally.
1Microsoft
7Windows Server 2008
Windows Server 2012Windows Server 2016+4 more
Jun 17, 2026
Mar 11, 2025
N/A· v4
8.1 HIGH· v3
N/A· v2
Use after free in DNS Server allows an unauthorized attacker to execute code over a network.
1Microsoft
12Windows 10 1507
Windows 10 1607Windows 10 1809+9 more
Jun 17, 2026
Mar 11, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Microsoft Streaming Service allows an authorized attacker to elevate privileges locally.
1Microsoft
14Windows 10 1507
Windows 10 1607Windows 10 1809+11 more
Jun 17, 2026
Mar 11, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally.
1Siemens
2Teamcenter Visualization
Tecnomatix Plant Simulation
Jun 17, 2026
Mar 11, 2025
7.3 HIGH· v4
7.8 HIGH· v3
N/A· v2
A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), T...Show more
A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.13), Teamcenter Visualization V2312 (All versions < V2312.0009), Teamcenter Visualization V2406 (All versions < V2406.0007), Teamcenter Visualization V2412 (All versions < V2412.0002), Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files. An attacker could leverage this vulnerability to execute code in the context of the current process.Show less
1Google
1Chrome
Jun 17, 2026
Mar 10, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in Inspector in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
-
-
Jun 17, 2026
Mar 7, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory.
1Linux
1Linux Kernel
Jun 17, 2026
Mar 6, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_...Show more
In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Mar 6, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: remove unused check_buddy_priv Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global list of private data structures....Show more
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: remove unused check_buddy_priv Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global list of private data structures. Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device. However, that function was never used. Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory. Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Mar 6, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing There is a UAF report in the bpf_struct_ops when CONFIG_MODU...Show more
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject struct_ops registration that uses module ptr and the module btf_id is missing There is a UAF report in the bpf_struct_ops when CONFIG_MODULES=n. In particular, the report is on tcp_congestion_ops that has a "struct module *owner" member. For struct_ops that has a "struct module *owner" member, it can be extended either by the regular kernel module or by the bpf_struct_ops. bpf_try_module_get() will be used to do the refcounting and different refcount is done based on the owner pointer. When CONFIG_MODULES=n, the btf_id of the "struct module" is missing: WARN: resolve_btfids: unresolved symbol module Thus, the bpf_try_module_get() cannot do the correct refcounting. Not all subsystem's struct_ops requires the "struct module *owner" member. e.g. the recent sched_ext_ops. This patch is to disable bpf_struct_ops registration if the struct_ops has the "struct module *" member and the "struct module" btf_id is missing. The btf_type_is_fwd() helper is moved to the btf.h header file for this test. This has happened since the beginning of bpf_struct_ops which has gone through many changes. The Fixes tag is set to a recent commit that this patch can apply cleanly. Considering CONFIG_MODULES=n is not common and the age of the issue, targeting for bpf-next also.Show less
1Google
1Chrome
Jun 17, 2026
Mar 5, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
Use after free in Profiles in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium secur...Show more
Use after free in Profiles in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)Show less
1Mozilla
2Firefox
Thunderbird
Jun 17, 2026
Mar 4, 2025
N/A· v4
7.5 HIGH· v3
N/A· v2
It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR...Show more
It was possible to cause a use-after-free in the content process side of a WebTransport connection, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.Show less
1Mozilla
2Firefox
Thunderbird
Jun 17, 2026
Mar 4, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. This vulnerability was fixed in Firefox 1...Show more
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.Show less
1Openatom
1Openharmony
Jun 17, 2026
Mar 4, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
1Openatom
1Openharmony
Jun 17, 2026
Mar 4, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
1Openatom
1Openharmony
Jun 17, 2026
Mar 4, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
1Openatom
1Openharmony
Jun 17, 2026
Mar 4, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
1Openatom
1Openharmony
Jun 17, 2026
Mar 4, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.