Total
7274 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-47379 | 1 Qualcomm | 356 5g Fixed Wireless Access Platform, 5g Fixed Wireless Access Platform Firmware, Ar8031 and 353 more | 2026-03-05 | N/A | 7.8 HIGH |
| Memory Corruption when concurrent access to shared buffer occurs due to improper synchronization between assignment and deallocation of buffer resources. | |||||
| CVE-2025-47386 | 1 Qualcomm | 340 Ar8031, Ar8031 Firmware, Ar8035 and 337 more | 2026-03-05 | N/A | 7.8 HIGH |
| Memory Corruption while invoking IOCTL calls when concurrent access to shared buffer occurs. | |||||
| CVE-2025-47375 | 1 Qualcomm | 338 Ar8031, Ar8031 Firmware, Ar8035 and 335 more | 2026-03-04 | N/A | 7.8 HIGH |
| Memory corruption while handling different IOCTL calls from the user-space simultaneously. | |||||
| CVE-2025-47376 | 1 Qualcomm | 340 Ar8031, Ar8031 Firmware, Ar8035 and 337 more | 2026-03-04 | N/A | 7.8 HIGH |
| Memory Corruption when concurrent access to shared buffer occurs during IOCTL calls. | |||||
| CVE-2025-47377 | 1 Qualcomm | 244 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 241 more | 2026-03-04 | N/A | 7.8 HIGH |
| Memory Corruption when accessing a buffer after it has been freed while processing IOCTL calls. | |||||
| CVE-2025-47381 | 1 Qualcomm | 50 Lemans Au Lgit, Lemans Au Lgit Firmware, Lemansau and 47 more | 2026-03-04 | N/A | 7.8 HIGH |
| Memory Corruption while processing IOCTL calls when concurrent access to shared buffer occurs. | |||||
| CVE-2026-20442 | 2 Google, Mediatek | 47 Android, Mt6739, Mt6761 and 44 more | 2026-03-03 | N/A | 4.4 MEDIUM |
| In display, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10436998; Issue ID: MSV-5723. | |||||
| CVE-2026-20443 | 2 Google, Mediatek | 47 Android, Mt6739, Mt6761 and 44 more | 2026-03-03 | N/A | 6.7 MEDIUM |
| In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10436998; Issue ID: MSV-5722. | |||||
| CVE-2026-20437 | 2 Google, Mediatek | 6 Android, Mt2718, Mt6899 and 3 more | 2026-03-03 | N/A | 4.4 MEDIUM |
| In MAE, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431940; Issue ID: MSV-5843. | |||||
| CVE-2026-20439 | 2 Google, Mediatek | 6 Android, Mt2718, Mt6899 and 3 more | 2026-03-03 | N/A | 4.4 MEDIUM |
| In imgsys, there is a possible system crash due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10431955; Issue ID: MSV-5826. | |||||
| CVE-2026-2408 | 1 Tanium | 1 Cloud Workloads | 2026-02-27 | N/A | 4.7 MEDIUM |
| Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. | |||||
| CVE-2026-26986 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 7.5 HIGH |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `rail_window_free` dereferences a freed `xfAppWindow` pointer during `HashTable_Free` cleanup because `xf_rail_window_common` calls `free(appWindow)` on title allocation failure without first removing the entry from the `railWindows` hash table, leaving a dangling pointer that is freed again on disconnect. Version 3.23.0 fixes the vulnerability. | |||||
| CVE-2026-27950 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 7.5 HIGH |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, the fix for the heap-use-after-free described in CVE-2026-24680 is incomplete. While the vulnerable execution flow referenced in the advisory exists in the SDL2 implementation, the fix appears to have been applied only to the SDL3 code path. In the SDL2 implementation, the pointer is not nulled after free. This creates a situation where the advisory suggests the vulnerability is fully resolved, while builds or environments still using SDL2 may retain the vulnerable logic. A complete fix is available in version 3.23.0. | |||||
| CVE-2026-25997 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_clipboard_format_equal` reads freed `lastSentFormats` memory because `xf_clipboard_formats_free` (called from the cliprdr channel thread during auto-reconnect) frees the array while the X11 event thread concurrently iterates it in `xf_clipboard_changed`, triggering a heap use after free. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25955 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25954 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 7.5 HIGH |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_local_move_size` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25953 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reads from a freed `xfAppWindow` because the RDPGFX DVC thread obtains a bare pointer via `xf_rail_get_window` without any lifetime protection, while the main thread can concurrently delete the window through a fastpath window-delete order. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25952 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_SetWindowMinMaxInfo` dereferences a freed `xfAppWindow` pointer because `xf_rail_get_window` in `xf_rail_server_min_max_info` returns an unprotected pointer from the `railWindows` hash table, and the main thread can concurrently delete the window (via a window delete order) while the RAIL channel thread is still using the pointer. Version 3.23.0 fixes the issue. | |||||
| CVE-2026-25959 | 1 Freerdp | 1 Freerdp | 2026-02-27 | N/A | 9.8 CRITICAL |
| FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_cliprdr_provide_data_` passes freed `pDstData` to `XChangeProperty` because the cliprdr channel thread calls `xf_cliprdr_server_format_data_response` which converts and uses the clipboard data without holding any lock, while the X11 event thread concurrently calls `xf_cliprdr_clear_cached_data` → `HashTable_Clear` which frees the same data via `xf_cached_data_free`, triggering a heap use after free. Version 3.23.0 fixes the issue. | |||||
| CVE-2022-50542 | 1 Linux | 1 Linux Kernel | 2026-02-26 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: media: si470x: Fix use-after-free in si470x_int_in_callback() syzbot reported use-after-free in si470x_int_in_callback() [1]. This indicates that urb->context, which contains struct si470x_device object, is freed when si470x_int_in_callback() is called. The cause of this issue is that si470x_int_in_callback() is called for freed urb. si470x_usb_driver_probe() calls si470x_start_usb(), which then calls usb_submit_urb() and si470x_start(). If si470x_start_usb() fails, si470x_usb_driver_probe() doesn't kill urb, but it just frees struct si470x_device object, as depicted below: si470x_usb_driver_probe() ... si470x_start_usb() ... usb_submit_urb() retval = si470x_start() return retval if (retval < 0) free struct si470x_device object, but don't kill urb This patch fixes this issue by killing urb when si470x_start_usb() fails and urb is submitted. If si470x_start_usb() fails and urb is not submitted, i.e. submitting usb fails, it just frees struct si470x_device object. | |||||