CWE-416

7,665 CVEs • Abstraction: Variant • Likelihood of Exploit: High

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.


CVEs (7,665)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS

Vendors (1): Linux
Products (1): Linux Kernel
Updated: Jun 17, 2026
Published: Feb 10, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
In the Linux kernel, the following vulnerability has been resolved:

mm: zswap: properly synchronize freeing resources during CPU hotunplug

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible that the operation continues on a different CPU.

If the original CPU is hotunplugged while the acomp_ctx is still in use, we run into a UAF bug as some of the resources attached to the acomp_ctx are freed during hotunplug in zswap_cpu_comp_dead() (i.e. acomp_ctx.buffer, acomp_ctx.req, or acomp_ctx.acomp).

The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") when the switch to the crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was retrieved using get_cpu_ptr() which disables preemption and makes sure the CPU cannot go away from under us. Preemption cannot be disabled with the crypto_acomp API as a sleepable context is needed.

Use the acomp_ctx.mutex to synchronize CPU hotplug callbacks allocating and freeing resources with compression/decompression paths. Make sure that acomp_ctx.req is NULL when the resources are freed. In the compression/decompression paths, check if acomp_ctx.req is NULL after acquiring the mutex (meaning the CPU was offlined) and retry on the new CPU.

The initialization of acomp_ctx.mutex is moved from the CPU hotplug callback to the pool initialization where it belongs (where the mutex is allocated). In addition to adding clarity, this makes sure that CPU hotplug cannot reinitialize a mutex that is already locked by compression/decompression.

Previously a fix was attempted by holding cpus_read_lock() [1]. This would have caused a potential deadlock as it is possible for code already holding the lock to fall into reclaim and enter zswap (causing a deadlock). A fix was also attempted using SRCU for synchronization, but Johannes pointed out that synchronize_srcu() cannot be used in CPU hotplug notifiers [2].

Alternative fixes that were considered/attempted and could have worked:
- Refcounting the per-CPU acomp_ctx. This involves complexity in handling the race between the refcount dropping to zero in zswap_[de]compress() and the refcount being re-initialized when the CPU is onlined.
- Disabling migration before getting the per-CPU acomp_ctx [3], but that's discouraged and is a much bigger hammer than needed, and could result in subtle performance issues.

[1] https://lkml.kernel.org/20241219212437.2714151-1-yosryahmed@google.com/
[2] https://lkml.kernel.org/20250107074724.1756696-2-yosryahmed@google.com/
[3] https://lkml.kernel.org/20250107222236.2715883-2-yosryahmed@google.com/

[yosryahmed@google.com: remove comment]

Vendors (1): Openatom
Products (1): Openharmony
Updated: Jun 17, 2026
Published: Feb 7, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
OpenHarmony v4.1.2 and prior versions allow a local attacker to cause the common permission to be upgraded to root and sensitive information to leak through use after free.

Vendors (1): Huawei
Products (2): Emui, Harmonyos
Updated: Jun 17, 2026
Published: Feb 6, 2025
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
Use-After-Free (UAF) vulnerability in the display module.
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

Vendors (1): Google
Products (1): Chrome
Updated: Jun 17, 2026
Published: Feb 4, 2025
CVSS: v4 N/A; v3 5.4 MEDIUM; v2 N/A
Use after free in V8 in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendors (1): Google
Products (1): Chrome
Updated: Jun 17, 2026
Published: Feb 4, 2025
CVSS: v4 N/A; v3 6.3 MEDIUM; v2 N/A
Use after free in Skia in Google Chrome prior to 133.0.6943.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendors (1): Mozilla
Products (2): Firefox, Thunderbird
Updated: Jun 17, 2026
Published: Feb 4, 2025
CVSS: v4 N/A; v3 7.5 HIGH; v2 N/A
A race during concurrent delazification could have led to a use-after-free. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Vendors (1): Mozilla
Products (2): Firefox, Thunderbird
Updated: Jun 17, 2026
Published: Feb 4, 2025
CVSS: v4 N/A; v3 8.8 HIGH; v2 N/A
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Vendors (1): Mozilla
Products (2): Firefox, Thunderbird
Updated: Jun 17, 2026
Published: Feb 4, 2025
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 N/A
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Vendors: -
Products: -
Updated: Jun 17, 2026
Published: Feb 3, 2025
CVSS: v4 6.3 MEDIUM; v3 N/A; v2 N/A
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The crate `openssl` version 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback.

Vendors (1): Qualcomm
Products (150): Ar8035 Firmware, Csr8811 Firmware, Fastconnect 6700 Firmware, +147 more
Updated: Jun 17, 2026
Published: Feb 3, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Memory corruption may occur when stopping the WLAN interface after processing a WMI command from the interface.

Vendors (1): Qualcomm
Products (32): Aqt1000 Firmware, Fastconnect 6200 Firmware, Fastconnect 6700 Firmware, +29 more
Updated: Jun 17, 2026
Published: Feb 3, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Memory corruption while handling IOCTL call from user-space to set latency level.

Vendors (1): Qualcomm
Products (7): Fastconnect 7800 Firmware, Snapdragon 8 Gen 3 Mobile Firmware, Wcd9390 Firmware, +4 more
Updated: Jun 17, 2026
Published: Feb 3, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Memory corruption while invoking IOCTL calls from user-space to kernel-space to handle session errors.

Vendors (1): Qualcomm
Products (17): Fastconnect 6900 Firmware, Fastconnect 7800 Firmware, Qcm8550 Firmware, +14 more
Updated: Jun 17, 2026
Published: Feb 3, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Memory corruption while registering a buffer from user-space to kernel-space using IOCTL calls.

Vendors (1): Arm
Products (2): 5th Gen Gpu Architecture Kernel Driver, Valhall Gpu Kernel Driver
Updated: Jun 17, 2026
Published: Feb 3, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r48p0 through r49p1, from r50p0 through r52p0; Arm 5th Gen GPU Architecture Kernel Driver: from r48p0 through r49p1, from r50p0 through r52p0.

Vendors (1): Linux
Products (1): Linux Kernel
Updated: Jun 17, 2026
Published: Jan 31, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
In the Linux kernel, the following vulnerability has been resolved:

zram: fix potential UAF of zram table

If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL. Which will potentially cause zram_meta_free to access the table if user reset a failed and uninitialized device.

Vendors: -
Products: -
Updated: Jun 17, 2026
Published: Jan 31, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Vendors: -
Products: -
Updated: Jun 17, 2026
Published: Jan 31, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Vendors: -
Products: -
Updated: Jun 17, 2026
Published: Jan 31, 2025
CVSS: v4 N/A; v3 7.8 HIGH; v2 N/A
Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions.

Vendors (1): Google
Products (1): Chrome
Updated: Jun 17, 2026
Published: Jan 29, 2025
CVSS: v4 N/A; v3 8.8 HIGH; v2 N/A
Use after free in DevTools in Google Chrome prior to 132.0.6834.159 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)

Vendors (1): Google
Products (1): Android
Updated: Jun 17, 2026
Published: Jan 28, 2025
CVSS: v4 N/A; v3 8.4 HIGH; v2 N/A
In TBD of TBD, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.