CWE-416
AllowedUse After Free
Abstraction: Variant · Status: Stable
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
9806 vulnerabilities reference this CWE, most recent first.
GHSA-XR94-3HC5-534P
Vulnerability from github – Published: 2024-04-02 21:30 – Updated: 2024-04-02 21:30Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22800.
{
"affected": [],
"aliases": [
"CVE-2024-30352"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T21:15:47Z",
"severity": "HIGH"
},
"details": "Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22800.",
"id": "GHSA-xr94-3hc5-534p",
"modified": "2024-04-02T21:30:30Z",
"published": "2024-04-02T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30352"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-335"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR96-H2WC-75JF
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-10-06 00:00Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-6462"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-21T04:15:00Z",
"severity": "MODERATE"
},
"details": "Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.",
"id": "GHSA-xr96-h2wc-75jf",
"modified": "2022-10-06T00:00:48Z",
"published": "2022-05-24T17:18:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6462"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1064891"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202005-13"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4714"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR9J-C7V6-7542
Vulnerability from github – Published: 2023-11-01 18:30 – Updated: 2024-03-12 21:30A use-after-free vulnerability was found in drivers/nvme/target/tcp.cinnvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case that the attacker already has local privileges.
{
"affected": [],
"aliases": [
"CVE-2023-5178"
],
"database_specific": {
"cwe_ids": [
"CWE-1341",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T17:15:11Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation in case that the attacker already has local privileges.",
"id": "GHSA-xr9j-c7v6-7542",
"modified": "2024-03-12T21:30:58Z",
"published": "2023-11-01T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5178"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231208-0004"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/linux-nvme/20231002105428.226515-1-sagi@grimberg.me"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241924"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-5178"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1278"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1269"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1268"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0554"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0432"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0431"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0412"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0386"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0340"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7559"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7557"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7554"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7551"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7549"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7548"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7418"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7379"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7370"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRF8-HFGX-RFCM
Vulnerability from github – Published: 2022-11-30 00:30 – Updated: 2022-12-02 00:30Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2022-4180"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-30T00:15:00Z",
"severity": "HIGH"
},
"details": "Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)",
"id": "GHSA-xrf8-hfgx-rfcm",
"modified": "2022-12-02T00:30:24Z",
"published": "2022-11-30T00:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4180"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1378564"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-10"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRHC-FGM3-X2H4
Vulnerability from github – Published: 2024-04-10 21:30 – Updated: 2024-04-19 21:31In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
An error is detected with the following report when unloading the driver: "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"
The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the flag is not cleared upon completion of the login.
This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set to LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used as an rpi_ids array index.
Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in lpfc_mbx_cmpl_fc_reg_login().
{
"affected": [],
"aliases": [
"CVE-2021-47198"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T19:15:47Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine\n\nAn error is detected with the following report when unloading the driver:\n \"KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b\"\n\nThe NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the\nflag is not cleared upon completion of the login.\n\nThis allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set\nto LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used\nas an rpi_ids array index.\n\nFix by clearing the NLP_REG_LOGIN_SEND nlp_flag in\nlpfc_mbx_cmpl_fc_reg_login().",
"id": "GHSA-xrhc-fgm3-x2h4",
"modified": "2024-04-19T21:31:07Z",
"published": "2024-04-10T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47198"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/79b20beccea3a3938a8500acef4e6b9d7c66142f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dbebf865b3239595c1d4dba063b122862583b52a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRHF-CCCW-CPM8
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
ext4: fix timer use-after-free on failed mount
Syzbot has found an ODEBUG bug in ext4_fill_super
The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi).
When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called.
Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
{
"affected": [],
"aliases": [
"CVE-2024-49960"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:17Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix timer use-after-free on failed mount\n\nSyzbot has found an ODEBUG bug in ext4_fill_super\n\nThe del_timer_sync function cancels the s_err_report timer,\nwhich reminds about filesystem errors daily. We should\nguarantee the timer is no longer active before kfree(sbi).\n\nWhen filesystem mounting fails, the flow goes to failed_mount3,\nwhere an error occurs when ext4_stop_mmpd is called, causing\na read I/O failure. This triggers the ext4_handle_error function\nthat ultimately re-arms the timer,\nleaving the s_err_report timer active before kfree(sbi) is called.\n\nFix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.",
"id": "GHSA-xrhf-cccw-cpm8",
"modified": "2025-11-04T00:31:43Z",
"published": "2024-10-21T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49960"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ce160c5bdb67081a62293028dc85758a8efb22a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22e9b83f0f33bc5a7a3181769d1dccbf021f5b04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7aac0c17a8cdf4a3236991c1e60435c6a984076c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9203817ba46ebba7c865c8de2aba399537b6e891"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b85569585d0154d4db1e4f9e3e6a4731d407feb0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf3196e5e2f36cd80dab91ffae402e13935724bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa78fb51d396f4f2f80f8e96a3b1516f394258be"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRJ4-4G3M-87PF
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net: rose: convert 'use' field to refcount_t
The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths.
For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues.
This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically.
{
"affected": [],
"aliases": [
"CVE-2025-39826"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T13:16:02Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically.",
"id": "GHSA-xrj4-4g3m-87pf",
"modified": "2026-07-14T15:31:27Z",
"published": "2025-09-16T15:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39826"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRMP-X8VM-QCMH
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: remove station if connection prep fails
If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.
This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.
{
"affected": [],
"aliases": [
"CVE-2026-46125"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:28Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs.",
"id": "GHSA-xrmp-x8vm-qcmh",
"modified": "2026-06-30T03:36:51Z",
"published": "2026-05-28T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46125"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46125.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18fed0a209500bfea5c4c08609ec93855e4e500b"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482608"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46125"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27789"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27735"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27708"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26515"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRP3-WPHR-647X
Vulnerability from github – Published: 2026-05-29 00:38 – Updated: 2026-05-29 15:30Use after free in GFX in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-9936"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T23:16:51Z",
"severity": "HIGH"
},
"details": "Use after free in GFX in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-xrp3-wphr-647x",
"modified": "2026-05-29T15:30:31Z",
"published": "2026-05-29T00:38:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9936"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/502104354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRV4-RVR5-75GV
Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 03:31Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical)
{
"affected": [],
"aliases": [
"CVE-2026-10890"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T23:16:50Z",
"severity": "HIGH"
},
"details": "Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical)",
"id": "GHSA-xrv4-rvr5-75gv",
"modified": "2026-06-05T03:31:30Z",
"published": "2026-06-05T00:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10890"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513136593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Choose a language that provides automatic memory management.
Mitigation
Strategy: Attack Surface Reduction
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.