CWE-416
Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CVE-2025-0899 (GCVE-0-2025-0899)
Vulnerability from cvelistv5 – Published: 2025-02-11 19:22 – Updated: 2025-02-12 20:11
VLAI
Title
PDF-XChange Editor AcroForm Use-After-Free Remote Code Execution Vulnerability
Summary
PDF-XChange Editor AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25349.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PDF-XChange | PDF-XChange Editor |
Affected:
10.3.1.387
|
Date Public
2025-01-31 22:06
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0899",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T19:55:12.756620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:11:33.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "PDF-XChange Editor",
"vendor": "PDF-XChange",
"versions": [
{
"status": "affected",
"version": "10.3.1.387"
}
]
}
],
"dateAssigned": "2025-01-30T20:36:06.627Z",
"datePublic": "2025-01-31T22:06:12.503Z",
"descriptions": [
{
"lang": "en",
"value": "PDF-XChange Editor AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25349."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T19:22:58.592Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-061",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-061/"
}
],
"source": {
"lang": "en",
"value": "Mat Powell of Trend Micro Zero Day Initiative"
},
"title": "PDF-XChange Editor AcroForm Use-After-Free Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-0899",
"datePublished": "2025-02-11T19:22:58.592Z",
"dateReserved": "2025-01-30T20:36:06.509Z",
"dateUpdated": "2025-02-12T20:11:33.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0932 (GCVE-0-2025-0932)
Vulnerability from cvelistv5 – Published: 2025-08-04 10:00 – Updated: 2026-02-26 17:50
VLAI
Title
Mali GPU Userspace Driver allows access to already freed memory
Summary
Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Arm Ltd | Bifrost GPU Userspace Driver |
Affected:
r48p0 , ≤ r49p3
(patch)
Affected: r50p0 , ≤ r51p0 (patch) |
|
| Arm Ltd | Valhall GPU Userspace Driver |
Affected:
r48p0 , ≤ r49p3
(patch)
Affected: r50p0 , ≤ r54p0 (patch) |
|
| Arm Ltd | Arm 5th Gen GPU Architecture Userspace Driver |
Affected:
r48p0 , ≤ r49p3
(patch)
Affected: r50p0 , ≤ r54p0 (patch) |
Date Public
2025-08-04 09:58
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T03:55:30.487311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:02.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bifrost GPU Userspace Driver",
"vendor": "Arm Ltd",
"versions": [
{
"changes": [
{
"at": "r49p4",
"status": "unaffected"
}
],
"lessThanOrEqual": "r49p3",
"status": "affected",
"version": "r48p0",
"versionType": "patch"
},
{
"changes": [
{
"at": "r54p1",
"status": "unaffected"
}
],
"lessThanOrEqual": "r51p0",
"status": "affected",
"version": "r50p0",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Valhall GPU Userspace Driver",
"vendor": "Arm Ltd",
"versions": [
{
"changes": [
{
"at": "r49p4",
"status": "unaffected"
}
],
"lessThanOrEqual": "r49p3",
"status": "affected",
"version": "r48p0",
"versionType": "patch"
},
{
"changes": [
{
"at": "r54p1",
"status": "unaffected"
}
],
"lessThanOrEqual": "r54p0",
"status": "affected",
"version": "r50p0",
"versionType": "patch"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Arm 5th Gen GPU Architecture Userspace Driver",
"vendor": "Arm Ltd",
"versions": [
{
"changes": [
{
"at": "r49p4",
"status": "unaffected"
}
],
"lessThanOrEqual": "r49p3",
"status": "affected",
"version": "r48p0",
"versionType": "patch"
},
{
"changes": [
{
"at": "r54p1",
"status": "unaffected"
}
],
"lessThanOrEqual": "r54p0",
"status": "affected",
"version": "r50p0",
"versionType": "patch"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Bernhard"
}
],
"datePublic": "2025-08-04T09:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.\u003cp\u003eThis issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0.\u003c/p\u003e"
}
],
"value": "Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T10:00:57.639Z",
"orgId": "56a131ea-b967-4a0d-a41e-5f3549952846",
"shortName": "Arm"
},
"references": [
{
"url": "https://developer.arm.com/documentation/110626/latest/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This issue has been fixed in the following versions: Bifrost GPU Userspace Driver r49p4, r54p1; Valhall GPU Userspace Driver r49p4, r54p1; Arm 5th Gen GPU Architecture Userspace Driver r49p4, r54p1. Arm recommends that affected users upgrade to the latest applicable version to protect against this issue.\u003cbr\u003e"
}
],
"value": "This issue has been fixed in the following versions: Bifrost GPU Userspace Driver r49p4, r54p1; Valhall GPU Userspace Driver r49p4, r54p1; Arm 5th Gen GPU Architecture Userspace Driver r49p4, r54p1. Arm recommends that affected users upgrade to the latest applicable version to protect against this issue."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Mali GPU Userspace Driver allows access to already freed memory",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "56a131ea-b967-4a0d-a41e-5f3549952846",
"assignerShortName": "Arm",
"cveId": "CVE-2025-0932",
"datePublished": "2025-08-04T10:00:57.639Z",
"dateReserved": "2025-01-31T14:19:56.294Z",
"dateUpdated": "2026-02-26T17:50:02.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1046 (GCVE-0-2025-1046)
Vulnerability from cvelistv5 – Published: 2025-04-23 16:43 – Updated: 2025-04-23 18:31
VLAI
Title
Luxion KeyShot SKP File Parsing Use-After-Free Remote Code Execution Vulnerability
Summary
Luxion KeyShot SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23646.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://download.keyshot.com/cert/ksa-113962/ksa-… | vendor-advisory |
Impacted products
Date Public
2025-04-09 20:30
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1046",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T18:31:35.611133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:31:52.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "KeyShot",
"vendor": "Luxion",
"versions": [
{
"status": "affected",
"version": "2024 13.0.0 Build 92 4.10.171"
}
]
}
],
"dateAssigned": "2025-02-04T21:01:30.617Z",
"datePublic": "2025-04-09T20:30:48.977Z",
"descriptions": [
{
"lang": "en",
"value": "Luxion KeyShot SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23646."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:43:48.216Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-231",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-231/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://download.keyshot.com/cert/ksa-113962/ksa-113962.pdf?version=1.0\u0026_gl=1*1x6i3a*_gcl_au*MTU0ODMwNDI4Ny4xNzQzNTUyMjcx"
}
],
"source": {
"lang": "en",
"value": "Anonymous"
},
"title": "Luxion KeyShot SKP File Parsing Use-After-Free Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-1046",
"datePublished": "2025-04-23T16:43:48.216Z",
"dateReserved": "2025-02-04T21:01:30.574Z",
"dateUpdated": "2025-04-23T18:31:52.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1048 (GCVE-0-2025-1048)
Vulnerability from cvelistv5 – Published: 2025-04-23 16:44 – Updated: 2025-04-23 18:27
VLAI
Title
Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability
Summary
Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of SMB data. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25535.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Date Public
2025-04-09 20:29
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T18:27:37.094617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:27:53.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Era 300",
"vendor": "Sonos",
"versions": [
{
"status": "affected",
"version": "81.1-58074"
}
]
}
],
"dateAssigned": "2025-02-04T21:26:14.896Z",
"datePublic": "2025-04-09T20:29:56.953Z",
"descriptions": [
{
"lang": "en",
"value": "Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the processing of SMB data. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25535."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:44:16.757Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-223",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-223/"
}
],
"source": {
"lang": "en",
"value": "dungdm (@_piers2) with Viettel Cyber Security"
},
"title": "Sonos Era 300 Speaker libsmb2 Use-After-Free Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-1048",
"datePublished": "2025-04-23T16:44:16.757Z",
"dateReserved": "2025-02-04T21:26:14.789Z",
"dateUpdated": "2025-04-23T18:27:53.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10729 (GCVE-0-2025-10729)
Vulnerability from cvelistv5 – Published: 2025-10-03 14:39 – Updated: 2025-12-19 07:57
VLAI
Title
Use-after-free vulnerability in Qt SVG qsvghandler.cpp allows denial of service via crafted SVG
Summary
The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| The Qt Company | Qt |
Affected:
6.7.0 , ≤ 6.8.4
(python)
Affected: 6.9.0 , ≤ 6.9.2 (python) |
Date Public
2025-10-03 14:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T14:54:46.096203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T14:54:57.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Qt SVG"
],
"product": "Qt",
"vendor": "The Qt Company",
"versions": [
{
"lessThanOrEqual": "6.8.4",
"status": "affected",
"version": "6.7.0",
"versionType": "python"
},
{
"lessThanOrEqual": "6.9.2",
"status": "affected",
"version": "6.9.0",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "OSS-Fuzz"
}
],
"datePublic": "2025-10-03T14:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The module will parse a \u0026lt;pattern\u0026gt; node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free."
}
],
"value": "The module will parse a \u003cpattern\u003e node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free."
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/RE:H/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T07:57:16.117Z",
"orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"shortName": "TQtC"
},
"references": [
{
"url": "https://codereview.qt-project.org/c/qt/qtsvg/+/676473"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use-after-free vulnerability in Qt SVG qsvghandler.cpp allows denial of service via crafted SVG",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"assignerShortName": "TQtC",
"cveId": "CVE-2025-10729",
"datePublished": "2025-10-03T14:39:20.433Z",
"dateReserved": "2025-09-19T14:01:08.672Z",
"dateUpdated": "2025-12-19T07:57:16.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10824 (GCVE-0-2025-10824)
Vulnerability from cvelistv5 – Published: 2025-09-23 00:02 – Updated: 2025-09-23 19:55
VLAI
Title
axboe fio init.c __parse_jobs_ini use after free
Summary
A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325181 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.325181 | signaturepermissions-required |
| https://vuldb.com/?submit.654072 | third-party-advisory |
| https://github.com/axboe/fio/issues/1981 | issue-tracking |
| https://github.com/user-attachments/files/2226675… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| axboe | fio |
Affected:
3.0
Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 Affected: 3.8 Affected: 3.9 Affected: 3.10 Affected: 3.11 Affected: 3.12 Affected: 3.13 Affected: 3.14 Affected: 3.15 Affected: 3.16 Affected: 3.17 Affected: 3.18 Affected: 3.19 Affected: 3.20 Affected: 3.21 Affected: 3.22 Affected: 3.23 Affected: 3.24 Affected: 3.25 Affected: 3.26 Affected: 3.27 Affected: 3.28 Affected: 3.29 Affected: 3.30 Affected: 3.31 Affected: 3.32 Affected: 3.33 Affected: 3.34 Affected: 3.35 Affected: 3.36 Affected: 3.37 Affected: 3.38 Affected: 3.39 Affected: 3.40 Affected: 3.41 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10824",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T19:53:53.085584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T19:55:20.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fio",
"vendor": "axboe",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4"
},
{
"status": "affected",
"version": "3.5"
},
{
"status": "affected",
"version": "3.6"
},
{
"status": "affected",
"version": "3.7"
},
{
"status": "affected",
"version": "3.8"
},
{
"status": "affected",
"version": "3.9"
},
{
"status": "affected",
"version": "3.10"
},
{
"status": "affected",
"version": "3.11"
},
{
"status": "affected",
"version": "3.12"
},
{
"status": "affected",
"version": "3.13"
},
{
"status": "affected",
"version": "3.14"
},
{
"status": "affected",
"version": "3.15"
},
{
"status": "affected",
"version": "3.16"
},
{
"status": "affected",
"version": "3.17"
},
{
"status": "affected",
"version": "3.18"
},
{
"status": "affected",
"version": "3.19"
},
{
"status": "affected",
"version": "3.20"
},
{
"status": "affected",
"version": "3.21"
},
{
"status": "affected",
"version": "3.22"
},
{
"status": "affected",
"version": "3.23"
},
{
"status": "affected",
"version": "3.24"
},
{
"status": "affected",
"version": "3.25"
},
{
"status": "affected",
"version": "3.26"
},
{
"status": "affected",
"version": "3.27"
},
{
"status": "affected",
"version": "3.28"
},
{
"status": "affected",
"version": "3.29"
},
{
"status": "affected",
"version": "3.30"
},
{
"status": "affected",
"version": "3.31"
},
{
"status": "affected",
"version": "3.32"
},
{
"status": "affected",
"version": "3.33"
},
{
"status": "affected",
"version": "3.34"
},
{
"status": "affected",
"version": "3.35"
},
{
"status": "affected",
"version": "3.36"
},
{
"status": "affected",
"version": "3.37"
},
{
"status": "affected",
"version": "3.38"
},
{
"status": "affected",
"version": "3.39"
},
{
"status": "affected",
"version": "3.40"
},
{
"status": "affected",
"version": "3.41"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ahuo (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in axboe fio up to 3.41 entdeckt. Es geht hierbei um die Funktion __parse_jobs_ini der Datei init.c. Durch die Manipulation mit unbekannten Daten kann eine use after free-Schwachstelle ausgenutzt werden. Der Angriff hat dabei lokal zu erfolgen. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T00:02:06.575Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325181 | axboe fio init.c __parse_jobs_ini use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.325181"
},
{
"name": "VDB-325181 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325181"
},
{
"name": "Submit #654072 | Jens Axboe Fio 3.41 / master commit 84787ad Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.654072"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/axboe/fio/issues/1981"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/22266756/poc.zip"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-21T18:10:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "axboe fio init.c __parse_jobs_ini use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10824",
"datePublished": "2025-09-23T00:02:06.575Z",
"dateReserved": "2025-09-21T16:05:26.134Z",
"dateUpdated": "2025-09-23T19:55:20.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10865 (GCVE-0-2025-10865)
Vulnerability from cvelistv5 – Published: 2026-01-13 17:26 – Updated: 2026-01-14 14:36
VLAI
Title
GPU DDK - DevmemIntGetReservationData does not ref the PMR it returns
Summary
Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free.
Improper reference counting on an internal resource caused scenario where potential for use after free was present.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Imagination Technologies | Graphics DDK |
Affected:
1.15 RTM
(custom)
Affected: 1.17 RTM (custom) Affected: 1.18 RTM (custom) Affected: 23.2 RTM , ≤ 25.2 RTM (custom) Unaffected: 25.3 RTM (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-10865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T14:36:09.762443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T14:36:47.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"Linux",
"Android"
],
"product": "Graphics DDK",
"vendor": "Imagination Technologies",
"versions": [
{
"status": "affected",
"version": "1.15 RTM",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.17 RTM",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.18 RTM",
"versionType": "custom"
},
{
"lessThanOrEqual": "25.2 RTM",
"status": "affected",
"version": "23.2 RTM",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "25.3 RTM",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free.\u003cbr\u003e\u003cbr\u003eImproper reference counting on an internal resource caused scenario where potential for use after free was present.\u003cbr\u003e"
}
],
"value": "Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free.\n\nImproper reference counting on an internal resource caused scenario where potential for use after free was present."
}
],
"impacts": [
{
"capecId": "CAPEC-124",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-124: Shared Resource Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T17:26:45.523Z",
"orgId": "367425dc-4d06-4041-9650-c2dc6aaa27ce",
"shortName": "imaginationtech"
},
"references": [
{
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "GPU DDK - DevmemIntGetReservationData does not ref the PMR it returns",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "367425dc-4d06-4041-9650-c2dc6aaa27ce",
"assignerShortName": "imaginationtech",
"cveId": "CVE-2025-10865",
"datePublished": "2026-01-13T17:26:45.523Z",
"dateReserved": "2025-09-23T07:31:35.940Z",
"dateUpdated": "2026-01-14T14:36:47.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10994 (GCVE-0-2025-10994)
Vulnerability from cvelistv5 – Published: 2025-09-26 02:02 – Updated: 2025-09-26 19:26
VLAI
Title
Open Babel gamessformat.cpp ReadMolecule use after free
Summary
A weakness has been identified in Open Babel up to 3.1.1. This affects the function GAMESSOutputFormat::ReadMolecule of the file gamessformat.cpp. This manipulation causes use after free. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325922 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.325922 | signaturepermissions-required |
| https://vuldb.com/?submit.654057 | third-party-advisory |
| https://github.com/openbabel/openbabel/issues/2834 | issue-tracking |
| https://github.com/user-attachments/files/2231861… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Open Babel |
Affected:
3.1.0
Affected: 3.1.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10994",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T19:25:50.404086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T19:26:09.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Open Babel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.1.0"
},
{
"status": "affected",
"version": "3.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ahuo (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Open Babel up to 3.1.1. This affects the function GAMESSOutputFormat::ReadMolecule of the file gamessformat.cpp. This manipulation causes use after free. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited."
},
{
"lang": "de",
"value": "In Open Babel up to 3.1.1 wurde eine Schwachstelle gefunden. Hierbei geht es um die Funktion GAMESSOutputFormat::ReadMolecule der Datei gamessformat.cpp. Mit der Manipulation mit unbekannten Daten kann eine use after free-Schwachstelle ausgenutzt werden. Der Angriff ist nur lokal m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T02:02:07.422Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325922 | Open Babel gamessformat.cpp ReadMolecule use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.325922"
},
{
"name": "VDB-325922 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325922"
},
{
"name": "Submit #654057 | Open Babel 3.1.1 / master commit 889c350 Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.654057"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/openbabel/openbabel/issues/2834"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/22318611/poc.zip"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-25T20:10:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open Babel gamessformat.cpp ReadMolecule use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10994",
"datePublished": "2025-09-26T02:02:07.422Z",
"dateReserved": "2025-09-25T18:04:46.647Z",
"dateUpdated": "2025-09-26T19:26:09.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11234 (GCVE-0-2025-11234)
Vulnerability from cvelistv5 – Published: 2025-10-03 10:30 – Updated: 2026-06-01 03:03
VLAI
Title
Qemu-kvm: vnc websocket handshake use-after-free
Summary
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:23228 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:0326 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:0332 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:0702 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:1831 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:18772 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:22147 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:3077 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:3165 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:5578 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2025-11234 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2401209 | issue-trackingx_refsource_REDHAT |
Impacted products
14 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
2.6.0 , < 10.1.2
(semver)
|
|||
| Red Hat | Red Hat Enterprise Linux 10 |
Unaffected:
18:10.0.0-14.el10_1.5 , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10.1 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
8100020251120003312.489197e6 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb |
|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
8100020251202222937.489197e6 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb |
|
| Red Hat | Red Hat Enterprise Linux 9 |
Unaffected:
17:10.1.0-17.el9_8 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions |
Unaffected:
17:6.2.0-11.el9_0.10 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:9.0::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions |
Unaffected:
17:7.2.0-14.el9_2.24 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support |
Unaffected:
17:8.2.0-11.el9_4.18 , < *
(rpm)
cpe:/a:redhat:rhel_eus:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support |
Unaffected:
17:8.2.0-11.el9_4.19 , < *
(rpm)
cpe:/a:redhat:rhel_eus:9.4::appstream |
|
| Red Hat | Red Hat OpenShift Container Platform 4.16 |
Unaffected:
416.94.202601071926-0 , < *
(rpm)
cpe:/a:redhat:openshift:4.16::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.17 |
Unaffected:
417.94.202601120213-0 , < *
(rpm)
cpe:/a:redhat:openshift:4.17::el9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4.18 |
Unaffected:
418.94.202601071817-0 , < *
(rpm)
cpe:/a:redhat:openshift:4.18::el9 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
Date Public
2025-09-30 12:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T15:56:54.379790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T15:57:08.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gitlab.com/qemu-project/qemu",
"defaultStatus": "unaffected",
"packageName": "qemu",
"versions": [
{
"lessThan": "10.1.2",
"status": "affected",
"version": "2.6.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "18:10.0.0-14.el10_1.5",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"packageName": "virt-devel:rhel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8100020251120003312.489197e6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/a:redhat:enterprise_linux:8::crb"
],
"defaultStatus": "affected",
"packageName": "virt:rhel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8100020251202222937.489197e6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17:10.1.0-17.el9_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17:6.2.0-11.el9_0.10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17:7.2.0-14.el9_2.24",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17:8.2.0-11.el9_4.18",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17:8.2.0-11.el9_4.19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "416.94.202601071926-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.17::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.17",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "417.94.202601120213-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4.18::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.18",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "418.94.202601071817-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "qemu-kvm-ma",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Grant Millar (Cylo) for reporting this issue."
}
],
"datePublic": "2025-09-30T12:18:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T03:03:58.100Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:23228",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:23228"
},
{
"name": "RHSA-2026:0326",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:0326"
},
{
"name": "RHSA-2026:0332",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:0332"
},
{
"name": "RHSA-2026:0702",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:0702"
},
{
"name": "RHSA-2026:1831",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:1831"
},
{
"name": "RHSA-2026:18772",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18772"
},
{
"name": "RHSA-2026:22147",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22147"
},
{
"name": "RHSA-2026:3077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3077"
},
{
"name": "RHSA-2026:3165",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:3165"
},
{
"name": "RHSA-2026:5578",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:5578"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-11234"
},
{
"name": "RHBZ#2401209",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401209"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-30T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-09-30T12:18:00.000Z",
"value": "Made public."
}
],
"title": "Qemu-kvm: vnc websocket handshake use-after-free",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-11234",
"datePublished": "2025-10-03T10:30:34.427Z",
"dateReserved": "2025-10-01T17:03:04.737Z",
"dateUpdated": "2026-06-01T03:03:58.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11465 (GCVE-0-2025-11465)
Vulnerability from cvelistv5 – Published: 2025-10-29 19:44 – Updated: 2025-10-30 14:11
VLAI
Title
Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability
Summary
Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of CO files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26631.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Ashlar-Vellum | Cobalt |
Affected:
1204.97
|
Date Public
2025-10-16 17:50
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-30T14:11:16.523366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T14:11:26.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Cobalt",
"vendor": "Ashlar-Vellum",
"versions": [
{
"status": "affected",
"version": "1204.97"
}
]
}
],
"dateAssigned": "2025-10-07T20:47:42.880Z",
"datePublic": "2025-10-16T17:50:04.432Z",
"descriptions": [
{
"lang": "en",
"value": "Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CO files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26631."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T19:44:00.443Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-956",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-956/"
}
],
"source": {
"lang": "en",
"value": "Rocco Calvi (@TecR0c) with TecSecurity"
},
"title": "Ashlar-Vellum Cobalt CO File Parsing Use-After-Free Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-11465",
"datePublished": "2025-10-29T19:44:00.443Z",
"dateReserved": "2025-10-07T20:47:42.943Z",
"dateUpdated": "2025-10-30T14:11:26.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Strategy: Language Selection
Description:
- Choose a language that provides automatic memory management.
Mitigation
Phase: Implementation
Strategy: Attack Surface Reduction
Description:
- When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.