Total
6487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-20442 | 2 Google, Mediatek | 47 Android, Mt6739, Mt6761 and 44 more | 2026-03-03 | N/A | 4.4 MEDIUM |
| In display, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10436998; Issue ID: MSV-5723. | |||||
| CVE-2026-20443 | 2 Google, Mediatek | 47 Android, Mt6739, Mt6761 and 44 more | 2026-03-03 | N/A | 6.7 MEDIUM |
| In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10436998; Issue ID: MSV-5722. | |||||
| CVE-2026-20437 | 2 Google, Mediatek | 6 Android, Mt2718, Mt6899 and 3 more | 2026-03-03 | N/A | 4.4 MEDIUM |
| In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843. | |||||
| CVE-2026-20439 | 2 Google, Mediatek | 6 Android, Mt2718, Mt6899 and 3 more | 2026-03-03 | N/A | 4.4 MEDIUM |
| In imgsys, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431955; Issue ID: MSV-5826. | |||||
| CVE-2026-23226 | 1 Linux | 1 Linux Kernel | 2026-03-02 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses. | |||||
| CVE-2026-2766 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-2765 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-2764 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-2763 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-02-28 | N/A | 9.8 CRITICAL |
| Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. | |||||
| CVE-2026-1979 | 1 Mruby | 1 Mruby | 2026-02-28 | 4.3 MEDIUM | 5.3 MEDIUM |
| A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue. | |||||
| CVE-2026-2408 | 1 Tanium | 1 Cloud Workloads | 2026-02-27 | N/A | 4.7 MEDIUM |
| Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. | |||||
| CVE-2026-26986 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 7.5 HIGH |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability. | |||||
| CVE-2026-27950 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 7.5 HIGH |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0. | |||||
| CVE-2025-15570 | 1 Ckolivas | 1 Lrzip | 2026-02-27 | 4.3 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. Performing a manipulation results in use after free. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-25997 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25955 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25954 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 7.5 HIGH |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25953 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25952 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25959 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue. | |||||