CWE-825
AllowedExpired Pointer Dereference
Abstraction: Base · Status: Incomplete
The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
105 vulnerabilities reference this CWE, most recent first.
GHSA-6FHV-H367-4JC4
Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-06-30 03:36Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
{
"affected": [],
"aliases": [
"CVE-2026-8947"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T14:16:50Z",
"severity": "HIGH"
},
"details": "Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.",
"id": "GHSA-6fhv-h367-4jc4",
"modified": "2026-06-30T03:36:44Z",
"published": "2026-05-19T15:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8947"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-51"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-50"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-48"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-47"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-46"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8947.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479873"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2038439"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-8947"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27715"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26630"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26629"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26606"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26551"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26539"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26536"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26521"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26493"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26492"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26491"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26270"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26269"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26268"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26174"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22643"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22325"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21382"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21380"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21378"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6FW6-RQJG-9V3J
Vulnerability from github – Published: 2026-03-30 15:32 – Updated: 2026-03-30 15:32A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system instability or unexpected behavior.
{
"affected": [],
"aliases": [
"CVE-2026-5165"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T15:16:36Z",
"severity": "MODERATE"
},
"details": "A flaw was found in virtio-win, specifically within the VirtIO Block (BLK) device. When the device undergoes a reset, it fails to properly manage memory, resulting in a use-after-free vulnerability. This issue could allow a local attacker to corrupt system memory, potentially leading to system instability or unexpected behavior.",
"id": "GHSA-6fw6-rqjg-9v3j",
"modified": "2026-03-30T15:32:07Z",
"published": "2026-03-30T15:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5165"
},
{
"type": "WEB",
"url": "https://github.com/virtio-win/kvm-guest-drivers-windows/pull/1493"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-5165"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6W7X-Q46J-6X9R
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF and double free in smb2_open_file()
Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free.
{
"affected": [],
"aliases": [
"CVE-2026-45972"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:14Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF and double free in smb2_open_file()\n\nZero out @err_iov and @err_buftype before retrying SMB2_open() to\nprevent an UAF bug if @data != NULL, otherwise a double free.",
"id": "GHSA-6w7x-q46j-6x9r",
"modified": "2026-06-30T03:36:50Z",
"published": "2026-05-27T15:33:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45972"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-45972"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481973"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d339b219004869e96c4ce56b8891f83a38da4c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/639deb962986ef2f5e2a6d5a600c66f922471e81"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7425453ea16dbc3bbb0f6cac4d60b537e5e4d151"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96e53bb3ee2f354cf6b4ab07bcc56e500f8b3f74"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e66dcf7bb9c4df5582c82bc3582725abcbfbea73"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ebbbc4bfad4cb355d17c671223d0814ee3ef4eda"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45972.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7364-G429-CG4V
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
{
"affected": [],
"aliases": [
"CVE-2026-4688"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:04Z",
"severity": "CRITICAL"
},
"details": "Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
"id": "GHSA-7364-g429-cg4v",
"modified": "2026-06-30T03:35:58Z",
"published": "2026-03-24T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4688"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8286"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8287"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8289"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8290"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8315"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8850"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4688"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016373"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450713"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4688.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5930"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5931"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5932"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6188"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6917"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7837"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7838"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7839"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7840"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7841"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7845"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8284"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8285"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-77JH-978M-WQHM
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-06-30 03:36In the Linux kernel, the following vulnerability has been resolved:
writeback: Fix use after free in inode_switch_wbs_work_fn()
inode_switch_wbs_work_fn() has a loop like:
wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); / Nothing to do? / if (!list) break; ... process the items ... }
Now adding of items to the list looks like:
wb_queue_isw() if (llist_add(&isw->list, &wb->switch_wbs_ctxs)) queue_work(isw_wq, &wb->switch_work);
Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.
We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
{
"affected": [],
"aliases": [
"CVE-2026-31703"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T14:16:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: Fix use after free in inode_switch_wbs_work_fn()\n\ninode_switch_wbs_work_fn() has a loop like:\n\n wb_get(new_wb);\n while (1) {\n list = llist_del_all(\u0026new_wb-\u003eswitch_wbs_ctxs);\n /* Nothing to do? */\n if (!list)\n break;\n ... process the items ...\n }\n\nNow adding of items to the list looks like:\n\nwb_queue_isw()\n if (llist_add(\u0026isw-\u003elist, \u0026wb-\u003eswitch_wbs_ctxs))\n queue_work(isw_wq, \u0026wb-\u003eswitch_work);\n\nBecause inode_switch_wbs_work_fn() loops when processing isw items, it\ncan happen that wb-\u003eswitch_work is pending while wb-\u003eswitch_wbs_ctxs is\nempty. This is a problem because in that case wb can get freed (no isw\nitems -\u003e no wb reference) while the work is still pending causing\nuse-after-free issues.\n\nWe cannot just fix this by cancelling work when freeing wb because that\ncould still trigger problematic 0 -\u003e 1 transitions on wb refcount due to\nwb_get() in inode_switch_wbs_work_fn(). It could be all handled with\nmore careful code but that seems unnecessarily complex so let\u0027s avoid\nthat until it is proven that the looping actually brings practical\nbenefit. Just remove the loop from inode_switch_wbs_work_fn() instead.\nThat way when wb_queue_isw() queues work, we are guaranteed we have\nadded the first item to wb-\u003eswitch_wbs_ctxs and nobody is going to\nremove it (and drop the wb reference it holds) until the queued work\nruns.",
"id": "GHSA-77jh-978m-wqhm",
"modified": "2026-06-30T03:36:28Z",
"published": "2026-05-01T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31703"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-31703"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464385"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/028103656b84273c73e9e271cf95c9f3421f4b8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/156cc63691c1f20905510b1007896e090355e6c2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6689f01d6740cf358932b3e97ee968c6099800d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9223e5f30403a9b506d6d0bff4f2e29a2d7d46af"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31703.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-78JH-RW4H-46R3
Vulnerability from github – Published: 2024-02-20 18:30 – Updated: 2025-11-04 21:31A use-after-free vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-23310"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T16:15:09Z",
"severity": "CRITICAL"
},
"details": "A use-after-free vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-78jh-rw4h-46r3",
"modified": "2025-11-04T21:31:10Z",
"published": "2024-02-20T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23310"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRLGNQM33KAWVWP5RPMAPHWNP3IY5YW"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1923"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1923"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7CWQ-2XV8-7CQW
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-06-30 03:35In the Linux kernel, the following vulnerability has been resolved:
net/sched: Enforce that teql can only be used as root qdisc
Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint.
Although not important, I will describe the scenario that unearthed this issue for the curious.
GangMin Kim km.kim1503@gmail.com managed to concot a scenario as follows:
ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql
GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql's enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2's lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem's delay), a dangling pointer is accessed causing GangMin's causing a UAF.
{
"affected": [],
"aliases": [
"CVE-2026-23074"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:18Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Enforce that teql can only be used as root qdisc\n\nDesign intent of teql is that it is only supposed to be used as root qdisc.\nWe need to check for that constraint.\n\nAlthough not important, I will describe the scenario that unearthed this\nissue for the curious.\n\nGangMin Kim \u003ckm.kim1503@gmail.com\u003e managed to concot a scenario as follows:\n\nROOT qdisc 1:0 (QFQ)\n \u251c\u2500\u2500 class 1:1 (weight=15, lmax=16384) netem with delay 6.4s\n \u2514\u2500\u2500 class 1:2 (weight=1, lmax=1514) teql\n\nGangMin sends a packet which is enqueued to 1:1 (netem).\nAny invocation of dequeue by QFQ from this class will not return a packet\nuntil after 6.4s. In the meantime, a second packet is sent and it lands on\n1:2. teql\u0027s enqueue will return success and this will activate class 1:2.\nMain issue is that teql only updates the parent visible qlen (sch-\u003eq.qlen)\nat dequeue. Since QFQ will only call dequeue if peek succeeds (and teql\u0027s\npeek always returns NULL), dequeue will never be called and thus the qlen\nwill remain as 0. With that in mind, when GangMin updates 1:2\u0027s lmax value,\nthe qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc\u0027s\nqlen was not incremented, qfq fails to deactivate the class, but still\nfrees its pointers from the aggregate. So when the first packet is\nrescheduled after 6.4 seconds (netem\u0027s delay), a dangling pointer is\naccessed causing GangMin\u0027s causing a UAF.",
"id": "GHSA-7cwq-2xv8-7cqw",
"modified": "2026-06-30T03:35:32Z",
"published": "2026-02-04T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23074"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23074.json"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436791"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-23074"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3810"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3685"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3634"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3388"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3360"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3277"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3268"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3110"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7W9H-J8XP-J97V
Vulnerability from github – Published: 2025-11-18 21:32 – Updated: 2026-05-19 18:32A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.
{
"affected": [],
"aliases": [
"CVE-2025-61664"
],
"database_specific": {
"cwe_ids": [
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T19:15:50Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.",
"id": "GHSA-7w9h-j8xp-j97v",
"modified": "2026-05-19T18:32:02Z",
"published": "2025-11-18T21:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61664"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-61664"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414685"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/grub-devel/2025-11/msg00155.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8V2C-7QQJ-7WP7
Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-06-30 03:36A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.
{
"affected": [],
"aliases": [
"CVE-2026-3593"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T13:16:23Z",
"severity": "HIGH"
},
"details": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.\nBIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
"id": "GHSA-8v2c-7qqj-7wp7",
"modified": "2026-06-30T03:36:45Z",
"published": "2026-05-20T15:35:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3593"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7412"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-3593"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479770"
},
{
"type": "WEB",
"url": "https://downloads.isc.org/isc/bind9/9.20.23"
},
{
"type": "WEB",
"url": "https://downloads.isc.org/isc/bind9/9.21.22"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2026-3593"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3593.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99HH-XP2Q-F3FC
Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-06-30 03:36Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
{
"affected": [],
"aliases": [
"CVE-2026-6754"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-825"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T13:16:21Z",
"severity": "HIGH"
},
"details": "Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.",
"id": "GHSA-99hh-xp2q-f3fc",
"modified": "2026-06-30T03:36:21Z",
"published": "2026-04-21T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6754"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10757"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19465"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19466"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19467"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19468"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19469"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19655"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19704"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-6754"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2027541"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460075"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6754.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-31"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-32"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-34"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10766"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:12285"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13537"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:15892"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17687"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17688"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17689"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17690"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19041"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19131"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19348"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19463"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19464"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that provides automatic memory management.
Mitigation
When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.