Total
6491 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6270 | 3 Debian, Fedoraproject, Linux | 3 Debian Linux, Fedora, Linux Kernel | 2025-08-30 | N/A | 7.0 HIGH |
| A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. | |||||
| CVE-2022-4283 | 4 Debian, Fedoraproject, Redhat and 1 more | 4 Debian Linux, Fedora, Enterprise Linux and 1 more | 2025-08-29 | N/A | 7.8 HIGH |
| A vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. | |||||
| CVE-2023-1393 | 2 Fedoraproject, X.org | 2 Fedora, X Server | 2025-08-29 | N/A | 7.8 HIGH |
| A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later. | |||||
| CVE-2024-26958 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-08-28 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: nfs: fix UAF in direct writes In production we have been hitting the following warning consistently ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0 Workqueue: nfsiod nfs_direct_write_schedule_work [nfs] RIP: 0010:refcount_warn_saturate+0x9c/0xe0 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x9f/0x130 ? refcount_warn_saturate+0x9c/0xe0 ? report_bug+0xcc/0x150 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x16/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0x9c/0xe0 nfs_direct_write_schedule_work+0x237/0x250 [nfs] process_one_work+0x12f/0x4a0 worker_thread+0x14e/0x3b0 ? ZSTD_getCParams_internal+0x220/0x220 kthread+0xdc/0x120 ? __btf_name_valid+0xa0/0xa0 ret_from_fork+0x1f/0x30 This is because we're completing the nfs_direct_request twice in a row. The source of this is when we have our commit requests to submit, we process them and send them off, and then in the completion path for the commit requests we have if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); However since we're submitting asynchronous requests we sometimes have one that completes before we submit the next one, so we end up calling complete on the nfs_direct_request twice. The only other place we use nfs_generic_commit_list() is in __nfs_commit_inode, which wraps this call in a nfs_commit_begin(); nfs_commit_end(); Which is a common pattern for this style of completion handling, one that is also repeated in the direct code with get_dreq()/put_dreq() calls around where we process events as well as in the completion paths. Fix this by using the same pattern for the commit requests. Before with my 200 node rocksdb stress running this warning would pop every 10ish minutes. With my patch the stress test has been running for several hours without popping. | |||||
| CVE-2023-46691 | 2 Intel, Microsoft | 2 Power Gadget, Windows | 2025-08-28 | N/A | 7.9 HIGH |
| Use after free in Intel(R) Power Gadget software for Windows all versions may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2024-2312 | 2 Gnu, Netapp | 3 Grub2, Bootstrap Os, Hci Compute Node | 2025-08-26 | N/A | 6.7 MEDIUM |
| GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass. | |||||
| CVE-2024-47810 | 2 Foxit, Microsoft | 3 Pdf Editor, Pdf Reader, Windows | 2025-08-25 | N/A | 8.8 HIGH |
| A use-after-free vulnerability exists in the way Foxit Reader 2024.3.0.26795 handles a 3D page object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled. | |||||
| CVE-2024-49576 | 2 Foxit, Microsoft | 3 Pdf Editor, Pdf Reader, Windows | 2025-08-25 | N/A | 8.8 HIGH |
| A use-after-free vulnerability exists in the way Foxit Reader 2024.3.0.26795 handles a checkbox CBF_Widget object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled. | |||||
| CVE-2025-27365 | 1 Ibm | 2 Mq Operator, Supplied Mq Advanced Container Images | 2025-08-25 | N/A | 6.5 MEDIUM |
| IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, and MQ Operator SC2 3.2.0 through 3.2.10 Client connecting to a MQ Queue Manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. | |||||
| CVE-2025-1048 | 1 Sonos | 3 Era 300, S1, S2 | 2025-08-25 | N/A | 8.8 HIGH |
| Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMB data. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25535. | |||||
| CVE-2024-43374 | 2 Netapp, Vim | 3 Bootstrap Os, Hci Compute Node, Vim | 2025-08-25 | N/A | 4.5 MEDIUM |
| The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. | |||||
| CVE-2025-21436 | 1 Qualcomm | 50 Fastconnect 7800, Fastconnect 7800 Firmware, Qmp1000 and 47 more | 2025-08-20 | N/A | 7.8 HIGH |
| Memory corruption may occur while initiating two IOCTL calls simultaneously to create processes from two different threads. | |||||
| CVE-2025-21437 | 1 Qualcomm | 62 Qam8255p, Qam8255p Firmware, Qam8295p and 59 more | 2025-08-20 | N/A | 7.8 HIGH |
| Memory corruption while processing memory map or unmap IOCTL operations simultaneously. | |||||
| CVE-2025-27031 | 1 Qualcomm | 42 Fastconnect 6700, Fastconnect 6700 Firmware, Fastconnect 6900 and 39 more | 2025-08-20 | N/A | 7.8 HIGH |
| memory corruption while processing IOCTL commands, when the buffer in write loopback mode is accessed after being freed. | |||||
| CVE-2025-21456 | 1 Qualcomm | 128 Ar8035, Ar8035 Firmware, C-v2x 9150 and 125 more | 2025-08-20 | N/A | 7.8 HIGH |
| Memory corruption while processing IOCTL command when multiple threads are called to map/unmap buffer concurrently. | |||||
| CVE-2024-27246 | 1 Zoom | 5 Meeting Software Development Kit, Rooms, Workplace and 2 more | 2025-08-20 | N/A | 4.3 MEDIUM |
| Use after free in some Zoom Workplace Apps and SDKs may allow an authenticated user to conduct a denial of service via network access. | |||||
| CVE-2025-9157 | 2025-08-20 | 4.3 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue. | |||||
| CVE-2025-49761 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-08-19 | N/A | 7.8 HIGH |
| Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-21915 | 1 Linux | 1 Linux Kernel | 2025-08-19 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. | |||||
| CVE-2025-53133 | 1 Microsoft | 2 Windows 11 24h2, Windows Server 2025 | 2025-08-19 | N/A | 7.8 HIGH |
| Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | |||||