Total
6713 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-58411 | 1 Imaginationtech | 1 Ddk | 2026-01-30 | N/A | 8.8 HIGH |
| Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present. | |||||
| CVE-2026-22264 | 1 Oisf | 1 Suricata | 2026-01-29 | N/A | 7.4 HIGH |
| Suricata is a network IDS, IPS and NSM engine. Prior to version 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet. | |||||
| CVE-2026-0908 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-01-29 | N/A | 8.8 HIGH |
| Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2026-23883 | 1 Freerdp | 1 Freerdp | 2026-01-28 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | |||||
| CVE-2025-13952 | 1 Imaginationtech | 1 Ddk | 2026-01-28 | N/A | 9.8 CRITICAL |
| A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out of date pointer, pointing to a freed memory object. | |||||
| CVE-2026-23884 | 1 Freerdp | 1 Freerdp | 2026-01-28 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | |||||
| CVE-2025-27063 | 1 Qualcomm | 222 Csra6620, Csra6620 Firmware, Csra6640 and 219 more | 2026-01-28 | N/A | 7.8 HIGH |
| Memory corruption during video playback when video session open fails with time out error. | |||||
| CVE-2025-47322 | 1 Qualcomm | 222 Ar8031, Ar8031 Firmware, Ar8035 and 219 more | 2026-01-28 | N/A | 7.8 HIGH |
| Memory corruption while handling IOCTL calls to set mode. | |||||
| CVE-2025-47333 | 1 Qualcomm | 478 Aqt1000, Aqt1000 Firmware, Ar8031 and 475 more | 2026-01-28 | N/A | 6.6 MEDIUM |
| Memory corruption while handling buffer mapping operations in the cryptographic driver. | |||||
| CVE-2025-47336 | 1 Qualcomm | 36 Fastconnect 7800, Fastconnect 7800 Firmware, Qmp1000 and 33 more | 2026-01-27 | N/A | 6.7 MEDIUM |
| Memory corruption while performing sensor register read operations. | |||||
| CVE-2025-47337 | 1 Qualcomm | 128 Fastconnect 6700, Fastconnect 6700 Firmware, Fastconnect 6900 and 125 more | 2026-01-27 | N/A | 6.7 MEDIUM |
| Memory corruption while accessing a synchronization object during concurrent operations. | |||||
| CVE-2025-47339 | 1 Qualcomm | 370 Ar8035, Ar8035 Firmware, Ar9380 and 367 more | 2026-01-27 | N/A | 7.8 HIGH |
| Memory corruption while deinitializing a HDCP session. | |||||
| CVE-2025-39945 | 1 Linux | 1 Linux Kernel | 2026-01-23 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after the cyclic work items have finished executing, a delayed work item may still exist in the workqueue. This leads to use-after-free scenarios where the cnic_dev is deallocated by cnic_free_dev(), while delete_task remains active and attempt to dereference cnic_dev in cnic_delete_task(). A typical race condition is illustrated below: CPU 0 (cleanup) | CPU 1 (delayed work callback) cnic_netdev_event() | cnic_stop_hw() | cnic_delete_task() cnic_cm_stop_bnx2x_hw() | ... cancel_delayed_work() | /* the queue_delayed_work() flush_workqueue() | executes after flush_workqueue()*/ | queue_delayed_work() cnic_free_dev(dev)//free | cnic_delete_task() //new instance | dev = cp->dev; //use Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the cyclic delayed work item is properly canceled and that any ongoing execution of the work item completes before the cnic_dev is deallocated. Furthermore, since cancel_delayed_work_sync() uses __flush_work(work, true) to synchronously wait for any currently executing instance of the work item to finish, the flush_workqueue() becomes redundant and should be removed. This bug was identified through static analysis. To reproduce the issue and validate the fix, I simulated the cnic PCI device in QEMU and introduced intentional delays — such as inserting calls to ssleep() within the cnic_delete_task() function — to increase the likelihood of triggering the bug. | |||||
| CVE-2025-2913 | 1 Hdfgroup | 1 Hdf5 | 2026-01-23 | 1.7 LOW | 3.3 LOW |
| A vulnerability was found in HDF5 up to 1.14.6. It has been rated as critical. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-50492 | 1 Linux | 1 Linux Kernel | 2026-01-23 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix use-after-free on probe deferral The bridge counter was never reset when tearing down the DRM device so that stale pointers to deallocated structures would be accessed on the next tear down (e.g. after a second late bind deferral). Given enough bridges and a few probe deferrals this could currently also lead to data beyond the bridge array being corrupted. Patchwork: https://patchwork.freedesktop.org/patch/502665/ | |||||
| CVE-2025-39951 | 1 Linux | 1 Linux Kernel | 2026-01-23 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: um: virtio_uml: Fix use-after-free after put_device in probe When register_virtio_device() fails in virtio_uml_probe(), the code sets vu_dev->registered = 1 even though the device was not successfully registered. This can lead to use-after-free or other issues. | |||||
| CVE-2026-21908 | 1 Juniper | 2 Junos, Junos Os Evolved | 2026-01-23 | N/A | 7.1 HIGH |
| A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS: * from 23.2R2-S1 before 23.2R2-S5, * from 23.4R2 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S2, 25.2R2; Junos OS Evolved: * from 23.2R2-S1 before 23.2R2-S5-EVO, * from 23.4R2 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S3-EVO, * from 24.4 before 24.4R2-S1-EVO, * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO. | |||||
| CVE-2025-52946 | 1 Juniper | 2 Junos, Junos Os Evolved | 2026-01-23 | N/A | 7.5 HIGH |
| A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition. On all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled. This issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue. This issue affects: Junos OS: * All versions before 21.2R3-S9, * all versions of 21.4, * from 22.2 before 22.2R3-S6, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S4, * from 24.2 before 24.2R2; Junos OS Evolved: * All versions before 22.4R3-S5-EVO, * from 23.2-EVO before 23.2R2-S3-EVO, * from 23.4-EVO before 23.4R2-S4-EVO, * from 24.2-EVO before 24.2R2-EVO. This is a more complete fix for previously published CVE-2024-39549 (JSA83011). | |||||
| CVE-2026-21921 | 1 Juniper | 2 Junos, Junos Os Evolved | 2026-01-23 | N/A | 6.5 MEDIUM |
| A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO. | |||||
| CVE-2025-70968 | 1 Freeimage Project | 1 Freeimage | 2026-01-23 | N/A | 9.8 CRITICAL |
| FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE(). | |||||