Total
7798 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-9080 | 1 Haxx | 1 Curl | 2026-07-07 | N/A | 7.3 HIGH |
| Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed. | |||||
| CVE-2026-57986 | 1 Microsoft | 1 Edge Chromium | 2026-07-07 | N/A | 7.5 HIGH |
| Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-57992 | 1 Microsoft | 1 Edge Chromium | 2026-07-07 | N/A | 7.5 HIGH |
| Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-58287 | 1 Microsoft | 1 Edge Chromium | 2026-07-07 | N/A | 8.3 HIGH |
| Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-58294 | 1 Microsoft | 1 Edge Chromium | 2026-07-07 | N/A | 7.5 HIGH |
| Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-58288 | 1 Microsoft | 1 Edge Chromium | 2026-07-07 | N/A | 8.3 HIGH |
| Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-58276 | 1 Microsoft | 1 Edge Chromium | 2026-07-07 | N/A | 7.5 HIGH |
| Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-13368 | 2026-07-07 | N/A | N/A | ||
| WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server. This vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2. | |||||
| CVE-2026-13869 | 2 Google, Microsoft | 2 Chrome, Windows | 2026-07-06 | N/A | 9.6 CRITICAL |
| Use after free in Device in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2026-13915 | 2 Apple, Google | 2 Iphone Os, Chrome | 2026-07-06 | N/A | 8.8 HIGH |
| Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2026-13918 | 2 Apple, Google | 2 Iphone Os, Chrome | 2026-07-06 | N/A | 8.8 HIGH |
| Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2026-14032 | 2 Apple, Google | 2 Macos, Chrome | 2026-07-06 | N/A | 8.1 HIGH |
| Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low) | |||||
| CVE-2026-53161 | 1 Linux | 1 Linux Kernel | 2026-07-06 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user. Depending on the state of the context at the time of the race, any one of the following accesses can be hit: 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent(). 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS. 3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list. The resulting use-after-free manifests as: pc : fastrpc_buf_free+0x38/0x80 [fastrpc] lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_free+0xa8/0x1b0 [fastrpc] fastrpc_context_put_wq+0x78/0xa0 [fastrpc] process_one_work+0x180/0x450 worker_thread+0x26c/0x388 Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close. Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes. | |||||
| CVE-2026-53160 | 1 Linux | 1 Linux Kernel | 2026-07-06 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in fastrpc_map_create fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) on this unprotected pointer. A concurrent MEM_UNMAP can free the map between the lock release and the kref operation, resulting in a use-after-free on the freed slab object. Restore the take_ref parameter to fastrpc_map_lookup so the reference is acquired atomically under fl->lock before the pointer is exposed to the caller. | |||||
| CVE-2026-53156 | 1 Linux | 1 Linux Kernel | 2026-07-06 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: nvmem: core: fix use-after-free bugs in error paths Fix several instances of error paths in which we call __nvmem_device_put() - which may end up freeing the underlying memory and other resources - and then keep on using the nvmem structure. Always put the reference to the nvmem device as the last step before returning the error code. | |||||
| CVE-2026-53129 | 1 Linux | 1 Linux Kernel | 2026-07-06 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: fs/mbcache: cancel shrink work before destroying the cache mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first. If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free. This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem. Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down. | |||||
| CVE-2026-14064 | 1 Google | 2 Android, Chrome | 2026-07-06 | N/A | 7.5 HIGH |
| Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2026-24266 | 2 Linux, Nvidia | 2 Linux Kernel, Triton Inference Server | 2026-07-06 | N/A | 5.9 MEDIUM |
| NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause a use-after-free issue. A successful exploit of this vulnerability might lead to denial of service. | |||||
| CVE-2026-53192 | 1 Linux | 1 Linux Kernel | 2026-07-06 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter. | |||||
| CVE-2026-53193 | 1 Linux | 1 Linux Kernel | 2026-07-06 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instances at closing When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer. This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too. | |||||
