Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-416
Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CVE-2026-13129 (GCVE-0-2026-13129)
Vulnerability from cvelistv5 – Published: 2026-07-08 07:36 – Updated: 2026-07-08 13:20
VLAI
EPSS
VEX
Title
Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability
Summary
When the application opens a PDF file, JavaScript uses the damaged field tree to trigger field traversal, resulting in the program holding an invalid form object when accessing the field property path. Eventually, the application crashes due to reading an invalid pointer.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use after free
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Foxit Software Inc. | Foxit PDF Editor |
Affected:
Versions 2026.1.1 and earlier
Affected: Versions 14.0.4 and earlier Affected: Versions 13.2.4 and earlier |
|
| Foxit Software Inc. | Foxit PDF Reader |
Affected:
Versions 2026.1.1 and earlier
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:20:17.240504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:20:30.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Editor",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
},
{
"status": "affected",
"version": "Versions 14.0.4 and earlier"
},
{
"status": "affected",
"version": "Versions 13.2.4 and earlier"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Foxit PDF Reader",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "Versions 2026.1.1 and earlier"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anonymous working with TrendAI Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When the application opens a PDF file, JavaScript uses the damaged field tree to trigger field traversal, resulting in the program holding an invalid form object when accessing the field property path. Eventually, the application crashes due to reading an invalid pointer."
}
],
"value": "When the application opens a PDF file, JavaScript uses the damaged field tree to trigger field traversal, resulting in the program holding an invalid form object when accessing the field property path. Eventually, the application crashes due to reading an invalid pointer."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary code execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T07:36:30.034Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"title": "Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2026-13129",
"datePublished": "2026-07-08T07:36:30.034Z",
"dateReserved": "2026-06-24T03:01:54.524Z",
"dateUpdated": "2026-07-08T13:20:30.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13368 (GCVE-0-2026-13368)
Vulnerability from cvelistv5 – Published: 2026-07-02 23:06 – Updated: 2026-07-07 03:56
VLAI
EPSS
VEX
Title
WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication
Summary
WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.
This vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.watchguard.com/wgrd-psirt/advisory/wg… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WatchGuard | Fireware OS |
Affected:
11.10.2 , ≤ 11.12.4+541730
(semver)
Unaffected: 12.0 , ≤ 12.12 (semver) Unaffected: 12.5 , ≤ 12.5.18 (semver) Affected: 2025.1 , ≤ 2026.2 (semver) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T03:56:35.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fireware OS",
"vendor": "WatchGuard",
"versions": [
{
"lessThanOrEqual": "11.12.4+541730",
"status": "affected",
"version": "11.10.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.12",
"status": "unaffected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.5.18",
"status": "unaffected",
"version": "12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "2026.2",
"status": "affected",
"version": "2025.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:11.0",
"versionEndIncluding": "11.12.4+541730",
"versionStartIncluding": "11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1",
"versionEndIncluding": "2026.2",
"versionStartIncluding": "2025.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Cody Sixteen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.\u003cbr\u003e\u003cbr\u003eThis vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2.\u003cbr\u003e"
}
],
"value": "WatchGuard Fireware OS contains a race condition leading to a use-after-free vulnerability in LDAP authentication for the Mobile User VPN with IKEv2. A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the iked process on Fireboxes that have a Mobile VPN with IKEv2 configured to use an external LDAP authentication server.\n\nThis vulnerability affects Fireware OS 11.0 up to and including 11.12.4_Update1, 12.0 up to and including 12.12 and 2025.1 up to and including 2026.2."
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26 Leveraging Race Conditions"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T23:06:32.928Z",
"orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"shortName": "WatchGuard"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00023"
}
],
"source": {
"advisory": "WGSA-2026-00023",
"defect": [
"FBX-32231"
],
"discovery": "EXTERNAL"
},
"title": "WatchGuard Firebox Race Condition and Use-After-Free in Mobile VPN with IKEv2 LDAP Authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"assignerShortName": "WatchGuard",
"cveId": "CVE-2026-13368",
"datePublished": "2026-07-02T23:06:32.928Z",
"dateReserved": "2026-06-25T19:00:06.688Z",
"dateUpdated": "2026-07-07T03:56:35.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13595 (GCVE-0-2026-13595)
Vulnerability from cvelistv5 – Published: 2026-06-29 08:06 – Updated: 2026-06-30 02:14
VLAI
EPSS
VEX
Title
Util-linux: util-linux: heap use-after-free in libblkid nested partition probing
Summary
A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:26573 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-13595 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2494101 | issue-trackingx_refsource_REDHAT |
| https://github.com/util-linux/util-linux/commit/c… |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Hardened Images |
Unaffected:
2.42.2-1.hum1 , < *
(rpm)
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public
2026-05-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:50:15.269617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:50:26.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "util-linux-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.42.2-1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Thai Duong (Calif.io in collaboration with Claude and Anthropic Research) for reporting this issue."
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T02:14:09.471Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:26573",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26573"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-13595"
},
{
"name": "RHBZ#2494101",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494101"
},
{
"url": "https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-13595",
"datePublished": "2026-06-29T08:06:09.059Z",
"dateReserved": "2026-06-29T07:20:52.583Z",
"dateUpdated": "2026-06-30T02:14:09.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14178 (GCVE-0-2026-14178)
Vulnerability from cvelistv5 – Published: 2026-06-30 13:56 – Updated: 2026-06-30 14:40
VLAI
EPSS
VEX
Title
openGauss存在非法内存访问导致DoS漏洞
Summary
openGauss 在处理带 NLS 参数的 to_timestamp 调用时,to_timestamp_with_fmt_nls() 会将 nls_fmt_str 保存到 u_sess->parser_cxt.nls_fmt_str。在 seqscan + sort 执行路径下,该字符串原本被分配在 SeqScan 的表达式上下文中;当 SeqScan 完成后,该内存上下文会被 reset,但后续结果输出阶段 timestamp_out() 仍会通过 CheckNlsFormat() 访问 u_sess->parser_cxt.nls_fmt_str,导致访问已释放内存。攻击者在具备数据库 SQL 执行权限的情况下,可构造特定 to_timestamp(..., ..., nlsparam) 查询触发 heap-use-after-free。在 ASan/Memcheck 环境下表现为数据库服务退出;在实际运行环境中可能造成后端进程异常退出,影响数据库服务可用性,形成拒绝服务风险。该问题在openGauss-server-7.0.0-RC1版本和openGauss-server-7.0.0-RC2版本存在,目前已在openGauss-server-7.0.0-RC3版本修复。由于
openGauss-server-7.0.0-RC1版本和openGauss-server-7.0.0-RC2均为创新版本,不会发布针对性补丁包,涉及版本升级至
openGauss-server-7.0.0-RC3或更新版本即可。
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use after free
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| openGauss-server | openGauss-server-7.0.0-RC2 |
Affected:
openGauss-server-7.0.0-RC2
|
|
| openGauss-server | openGauss-server-7.0.0-RC1 |
Affected:
openGauss-server-7.0.0-RC1
|
|
| openGauss-server | openGauss-server-7.0.0-RC3 |
Unaffected:
openGauss-server-7.0.0-RC3
|
Date Public
2026-06-30 07:53
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T14:39:56.155795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T14:40:10.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://opengauss.org/zh/download/archive/?version=7.0.0-RC2",
"defaultStatus": "affected",
"platforms": [
"openEuler",
"Centos"
],
"product": "openGauss-server-7.0.0-RC2",
"vendor": "openGauss-server",
"versions": [
{
"status": "affected",
"version": "openGauss-server-7.0.0-RC2"
}
]
},
{
"collectionURL": "https://opengauss.org/zh/download/archive/?version=7.0.0-RC1",
"defaultStatus": "affected",
"platforms": [
"openEuler",
"Centos"
],
"product": "openGauss-server-7.0.0-RC1",
"vendor": "openGauss-server",
"versions": [
{
"status": "affected",
"version": "openGauss-server-7.0.0-RC1"
}
]
},
{
"collectionURL": "https://opengauss.org/zh/download/archive/?version=7.0.0-RC3",
"defaultStatus": "unaffected",
"platforms": [
"openEuler Centos"
],
"product": "openGauss-server-7.0.0-RC3",
"vendor": "openGauss-server",
"versions": [
{
"status": "unaffected",
"version": "openGauss-server-7.0.0-RC3"
}
]
}
],
"datePublic": "2026-06-30T07:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;openGauss \u5728\u5904\u7406\u5e26 NLS \u53c2\u6570\u7684 to_timestamp \u8c03\u7528\u65f6\uff0cto_timestamp_with_fmt_nls() \u4f1a\u5c06 nls_fmt_str \u4fdd\u5b58\u5230 u_sess-\u0026gt;parser_cxt.nls_fmt_str\u3002\u5728 seqscan + sort \u6267\u884c\u8def\u5f84\u4e0b\uff0c\u8be5\u5b57\u7b26\u4e32\u539f\u672c\u88ab\u5206\u914d\u5728 SeqScan \u7684\u8868\u8fbe\u5f0f\u4e0a\u4e0b\u6587\u4e2d\uff1b\u5f53 SeqScan \u5b8c\u6210\u540e\uff0c\u8be5\u5185\u5b58\u4e0a\u4e0b\u6587\u4f1a\u88ab reset\uff0c\u4f46\u540e\u7eed\u7ed3\u679c\u8f93\u51fa\u9636\u6bb5 timestamp_out() \u4ecd\u4f1a\u901a\u8fc7 CheckNlsFormat() \u8bbf\u95ee u_sess-\u0026gt;parser_cxt.nls_fmt_str\uff0c\u5bfc\u81f4\u8bbf\u95ee\u5df2\u91ca\u653e\u5185\u5b58\u3002\u653b\u51fb\u8005\u5728\u5177\u5907\u6570\u636e\u5e93 SQL \u6267\u884c\u6743\u9650\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020\u7279\u5b9a to_timestamp(..., ..., nlsparam) \u67e5\u8be2\u89e6\u53d1 heap-use-after-free\u3002\u5728 ASan/Memcheck \u73af\u5883\u4e0b\u8868\u73b0\u4e3a\u6570\u636e\u5e93\u670d\u52a1\u9000\u51fa\uff1b\u5728\u5b9e\u9645\u8fd0\u884c\u73af\u5883\u4e2d\u53ef\u80fd\u9020\u6210\u540e\u7aef\u8fdb\u7a0b\u5f02\u5e38\u9000\u51fa\uff0c\u5f71\u54cd\u6570\u636e\u5e93\u670d\u52a1\u53ef\u7528\u6027\uff0c\u5f62\u6210\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u3002\u8be5\u95ee\u9898\u5728openGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u7248\u672c\u5b58\u5728\uff0c\u76ee\u524d\u5df2\u5728openGauss-server-7.0.0-RC3\u7248\u672c\u4fee\u590d\u3002\u7531\u4e8e\nopenGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u5747\u4e3a\u521b\u65b0\u7248\u672c\uff0c\u4e0d\u4f1a\u53d1\u5e03\u9488\u5bf9\u6027\u8865\u4e01\u5305\uff0c\u6d89\u53ca\u7248\u672c\u5347\u7ea7\u81f3\nopenGauss-server-7.0.0-RC3\u6216\u66f4\u65b0\u7248\u672c\u5373\u53ef\u3002"
}
],
"value": "openGauss \u5728\u5904\u7406\u5e26 NLS \u53c2\u6570\u7684 to_timestamp \u8c03\u7528\u65f6\uff0cto_timestamp_with_fmt_nls() \u4f1a\u5c06 nls_fmt_str \u4fdd\u5b58\u5230 u_sess-\u003eparser_cxt.nls_fmt_str\u3002\u5728 seqscan + sort \u6267\u884c\u8def\u5f84\u4e0b\uff0c\u8be5\u5b57\u7b26\u4e32\u539f\u672c\u88ab\u5206\u914d\u5728 SeqScan \u7684\u8868\u8fbe\u5f0f\u4e0a\u4e0b\u6587\u4e2d\uff1b\u5f53 SeqScan \u5b8c\u6210\u540e\uff0c\u8be5\u5185\u5b58\u4e0a\u4e0b\u6587\u4f1a\u88ab reset\uff0c\u4f46\u540e\u7eed\u7ed3\u679c\u8f93\u51fa\u9636\u6bb5 timestamp_out() \u4ecd\u4f1a\u901a\u8fc7 CheckNlsFormat() \u8bbf\u95ee u_sess-\u003eparser_cxt.nls_fmt_str\uff0c\u5bfc\u81f4\u8bbf\u95ee\u5df2\u91ca\u653e\u5185\u5b58\u3002\u653b\u51fb\u8005\u5728\u5177\u5907\u6570\u636e\u5e93 SQL \u6267\u884c\u6743\u9650\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u6784\u9020\u7279\u5b9a to_timestamp(..., ..., nlsparam) \u67e5\u8be2\u89e6\u53d1 heap-use-after-free\u3002\u5728 ASan/Memcheck \u73af\u5883\u4e0b\u8868\u73b0\u4e3a\u6570\u636e\u5e93\u670d\u52a1\u9000\u51fa\uff1b\u5728\u5b9e\u9645\u8fd0\u884c\u73af\u5883\u4e2d\u53ef\u80fd\u9020\u6210\u540e\u7aef\u8fdb\u7a0b\u5f02\u5e38\u9000\u51fa\uff0c\u5f71\u54cd\u6570\u636e\u5e93\u670d\u52a1\u53ef\u7528\u6027\uff0c\u5f62\u6210\u62d2\u7edd\u670d\u52a1\u98ce\u9669\u3002\u8be5\u95ee\u9898\u5728openGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u7248\u672c\u5b58\u5728\uff0c\u76ee\u524d\u5df2\u5728openGauss-server-7.0.0-RC3\u7248\u672c\u4fee\u590d\u3002\u7531\u4e8e\nopenGauss-server-7.0.0-RC1\u7248\u672c\u548copenGauss-server-7.0.0-RC2\u5747\u4e3a\u521b\u65b0\u7248\u672c\uff0c\u4e0d\u4f1a\u53d1\u5e03\u9488\u5bf9\u6027\u8865\u4e01\u5305\uff0c\u6d89\u53ca\u7248\u672c\u5347\u7ea7\u81f3\nopenGauss-server-7.0.0-RC3\u6216\u66f4\u65b0\u7248\u672c\u5373\u53ef\u3002"
}
],
"impacts": [
{
"capecId": "CAPEC-469",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-469 HTTP DoS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use after free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:56:16.846Z",
"orgId": "a1a479f7-907b-4ae8-a999-9148cadc9224",
"shortName": "openGauss"
},
"references": [
{
"url": "https://gitcode.com/opengauss/openGauss-server/pull/8877"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "openGauss\u5b58\u5728\u975e\u6cd5\u5185\u5b58\u8bbf\u95ee\u5bfc\u81f4DoS\u6f0f\u6d1e",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a1a479f7-907b-4ae8-a999-9148cadc9224",
"assignerShortName": "openGauss",
"cveId": "CVE-2026-14178",
"datePublished": "2026-06-30T13:56:16.846Z",
"dateReserved": "2026-06-30T07:37:54.949Z",
"dateUpdated": "2026-06-30T14:40:10.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14760 (GCVE-0-2026-14760)
Vulnerability from cvelistv5 – Published: 2026-07-05 15:30 – Updated: 2026-07-06 15:40 X_Open Source
VLAI
EPSS
VEX
Title
radareorg radare2 regprofile disasm.c r_core_seek_arch_bits use after free
Summary
A weakness has been identified in radareorg radare2 up to 6.1.6. Impacted is the function r_core_seek_arch_bits of the file libr/core/disasm.c of the component regprofile Handler. Executing a manipulation can lead to use after free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8b25c773785d85cb0103410a0905089d286921c2. It is advisable to implement a patch to correct this issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376349 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376349/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14760 | third-party-advisory |
| https://vuldb.com/submit/850384 | third-party-advisory |
| https://github.com/radareorg/radare2/issues/26044 | exploitissue-tracking |
| https://github.com/radareorg/radare2/commit/8b25c… | patch |
| https://github.com/radareorg/radare2/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14760",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T15:40:53.795645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T15:40:58.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/850384"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:radareorg:radare2:*:*:*:*:*:*:*:*"
],
"modules": [
"regprofile Handler"
],
"product": "radare2",
"vendor": "radareorg",
"versions": [
{
"status": "affected",
"version": "6.1.0"
},
{
"status": "affected",
"version": "6.1.1"
},
{
"status": "affected",
"version": "6.1.2"
},
{
"status": "affected",
"version": "6.1.3"
},
{
"status": "affected",
"version": "6.1.4"
},
{
"status": "affected",
"version": "6.1.5"
},
{
"status": "affected",
"version": "6.1.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kery Qi (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in radareorg radare2 up to 6.1.6. Impacted is the function r_core_seek_arch_bits of the file libr/core/disasm.c of the component regprofile Handler. Executing a manipulation can lead to use after free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8b25c773785d85cb0103410a0905089d286921c2. It is advisable to implement a patch to correct this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T15:30:08.954Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376349 | radareorg radare2 regprofile disasm.c r_core_seek_arch_bits use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376349"
},
{
"name": "VDB-376349 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376349/cti"
},
{
"name": "CVE-2026-14760 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14760"
},
{
"name": "Submit #850384 | radareorg radare2 6.1.6 Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/850384"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/radareorg/radare2/issues/26044"
},
{
"tags": [
"patch"
],
"url": "https://github.com/radareorg/radare2/commit/8b25c773785d85cb0103410a0905089d286921c2"
},
{
"tags": [
"product"
],
"url": "https://github.com/radareorg/radare2/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T18:24:53.000Z",
"value": "VulDB entry last update"
}
],
"title": "radareorg radare2 regprofile disasm.c r_core_seek_arch_bits use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14760",
"datePublished": "2026-07-05T15:30:08.954Z",
"dateReserved": "2026-07-04T16:19:36.825Z",
"dateUpdated": "2026-07-06T15:40:58.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14788 (GCVE-0-2026-14788)
Vulnerability from cvelistv5 – Published: 2026-07-06 01:45 – Updated: 2026-07-06 13:05 X_Open Source
VLAI
EPSS
VEX
Title
radareorg radare2 cfile.c r_core_bin_load use after free
Summary
A security vulnerability has been detected in radareorg radare2 up to 6.1.6. Affected by this vulnerability is the function r_core_bin_load of the file libr/core/cfile.c. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 635ab1eeb30340c26076722a90cb91fb2272130b. Applying a patch is advised to resolve this issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376377 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376377/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14788 | third-party-advisory |
| https://vuldb.com/submit/850388 | third-party-advisory |
| https://github.com/radareorg/radare2/issues/26049 | exploitissue-tracking |
| https://github.com/oldzhu/radare2/commit/635ab1ee… | patch |
| https://github.com/radareorg/radare2/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14788",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:05:40.644106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:05:50.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:radareorg:radare2:*:*:*:*:*:*:*:*"
],
"product": "radare2",
"vendor": "radareorg",
"versions": [
{
"status": "affected",
"version": "6.1.0"
},
{
"status": "affected",
"version": "6.1.1"
},
{
"status": "affected",
"version": "6.1.2"
},
{
"status": "affected",
"version": "6.1.3"
},
{
"status": "affected",
"version": "6.1.4"
},
{
"status": "affected",
"version": "6.1.5"
},
{
"status": "affected",
"version": "6.1.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kery Qi (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in radareorg radare2 up to 6.1.6. Affected by this vulnerability is the function r_core_bin_load of the file libr/core/cfile.c. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 635ab1eeb30340c26076722a90cb91fb2272130b. Applying a patch is advised to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T01:45:08.467Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376377 | radareorg radare2 cfile.c r_core_bin_load use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376377"
},
{
"name": "VDB-376377 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376377/cti"
},
{
"name": "CVE-2026-14788 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14788"
},
{
"name": "Submit #850388 | radareorg radare2 6.1.6 Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/850388"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/radareorg/radare2/issues/26049"
},
{
"tags": [
"patch"
],
"url": "https://github.com/oldzhu/radare2/commit/635ab1eeb30340c26076722a90cb91fb2272130b"
},
{
"tags": [
"product"
],
"url": "https://github.com/radareorg/radare2/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-05T18:08:32.000Z",
"value": "VulDB entry last update"
}
],
"title": "radareorg radare2 cfile.c r_core_bin_load use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14788",
"datePublished": "2026-07-06T01:45:08.467Z",
"dateReserved": "2026-07-05T16:03:19.139Z",
"dateUpdated": "2026-07-06T13:05:50.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15194 (GCVE-0-2026-15194)
Vulnerability from cvelistv5 – Published: 2026-07-09 17:00 – Updated: 2026-07-09 17:31
VLAI
EPSS
VEX
Title
Open5GS AMF context.c amf_context_final use after free
Summary
A security flaw has been discovered in Open5GS 2.7.7. This affects the function amf_context_final of the file src/amf/context.c of the component AMF. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377122 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377122/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15194 | third-party-advisory |
| https://vuldb.com/submit/851630 | third-party-advisory |
| https://github.com/open5gs/open5gs/security/advis… | exploit |
| https://github.com/open5gs/open5gs/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15194",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:31:33.228711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:31:40.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"
],
"modules": [
"AMF"
],
"product": "Open5GS",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.7.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Buggweb (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Open5GS 2.7.7. This affects the function amf_context_final of the file src/amf/context.c of the component AMF. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:00:07.483Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377122 | Open5GS AMF context.c amf_context_final use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377122"
},
{
"name": "VDB-377122 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377122/cti"
},
{
"name": "CVE-2026-15194 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15194"
},
{
"name": "Submit #851630 | Open5GS Project Open5GS 2.7.7 Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851630"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/open5gs/open5gs/security/advisories/GHSA-88pq-hpwv-2vjw"
},
{
"tags": [
"product"
],
"url": "https://github.com/open5gs/open5gs/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:59:10.000Z",
"value": "VulDB entry last update"
}
],
"title": "Open5GS AMF context.c amf_context_final use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15194",
"datePublished": "2026-07-09T17:00:07.483Z",
"dateReserved": "2026-07-09T05:54:06.487Z",
"dateUpdated": "2026-07-09T17:31:40.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1979 (GCVE-0-2026-1979)
Vulnerability from cvelistv5 – Published: 2026-02-06 04:32 – Updated: 2026-02-23 09:21 X_Open Source
VLAI
EPSS
VEX
Title
mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free
Summary
A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.344501 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.344501 | signaturepermissions-required |
| https://vuldb.com/?submit.743377 | third-party-advisory |
| https://github.com/mruby/mruby/issues/6701 | issue-tracking |
| https://github.com/mruby/mruby/issues/6701#issue-… | exploitissue-tracking |
| https://github.com/sysfce2/mruby/commit/e50f15c1c… | patch |
| https://github.com/mruby/mruby/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1979",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:26:13.479778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:26:21.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mruby:mruby:*:*:*:*:*:*:*:*"
],
"modules": [
"JMPNOT-to-JMPIF Optimization"
],
"product": "mruby",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
},
{
"status": "affected",
"version": "3.3"
},
{
"status": "affected",
"version": "3.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Oneafter (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T09:21:06.088Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-344501 | mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.344501"
},
{
"name": "VDB-344501 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.344501"
},
{
"name": "Submit #743377 | mruby cda2567 Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.743377"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/mruby/mruby/issues/6701"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mruby/mruby/issues/6701#issue-3802609843"
},
{
"tags": [
"patch"
],
"url": "https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415"
},
{
"tags": [
"product"
],
"url": "https://github.com/mruby/mruby/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-02-05T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-02-07T13:18:56.000Z",
"value": "VulDB entry last update"
}
],
"title": "mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1979",
"datePublished": "2026-02-06T04:32:09.200Z",
"dateReserved": "2026-02-05T13:44:19.662Z",
"dateUpdated": "2026-02-23T09:21:06.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20411 (GCVE-0-2026-20411)
Vulnerability from cvelistv5 – Published: 2026-02-02 08:15 – Updated: 2026-03-30 13:03
VLAI
EPSS
VEX
Summary
In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6878
Affected: MT6879 Affected: MT6881 Affected: MT6886 Affected: MT6895 Affected: MT6897 Affected: MT6899 Affected: MT6983 Affected: MT6985 Affected: MT6989 Affected: MT6991 Affected: MT6993 Affected: MT8168 Affected: MT8188 Affected: MT8195 Affected: MT8365 Affected: MT8370 Affected: MT8390 Affected: MT8395 Affected: MT8666 Affected: MT8667 Affected: MT8673 Affected: MT8676 Affected: MT8793 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T04:55:53.751584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:38.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6878"
},
{
"status": "affected",
"version": "MT6879"
},
{
"status": "affected",
"version": "MT6881"
},
{
"status": "affected",
"version": "MT6886"
},
{
"status": "affected",
"version": "MT6895"
},
{
"status": "affected",
"version": "MT6897"
},
{
"status": "affected",
"version": "MT6899"
},
{
"status": "affected",
"version": "MT6983"
},
{
"status": "affected",
"version": "MT6985"
},
{
"status": "affected",
"version": "MT6989"
},
{
"status": "affected",
"version": "MT6991"
},
{
"status": "affected",
"version": "MT6993"
},
{
"status": "affected",
"version": "MT8168"
},
{
"status": "affected",
"version": "MT8188"
},
{
"status": "affected",
"version": "MT8195"
},
{
"status": "affected",
"version": "MT8365"
},
{
"status": "affected",
"version": "MT8370"
},
{
"status": "affected",
"version": "MT8390"
},
{
"status": "affected",
"version": "MT8395"
},
{
"status": "affected",
"version": "MT8666"
},
{
"status": "affected",
"version": "MT8667"
},
{
"status": "affected",
"version": "MT8673"
},
{
"status": "affected",
"version": "MT8676"
},
{
"status": "affected",
"version": "MT8793"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:03:06.262Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20411",
"datePublished": "2026-02-02T08:15:03.859Z",
"dateReserved": "2025-11-03T01:30:59.008Z",
"dateUpdated": "2026-03-30T13:03:06.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20414 (GCVE-0-2026-20414)
Vulnerability from cvelistv5 – Published: 2026-02-02 08:15 – Updated: 2026-03-30 13:03
VLAI
EPSS
VEX
Summary
In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MediaTek chipset |
Affected:
MT6897
Affected: MT6989 Affected: MT8196 Affected: MT8678 Affected: MT8766 Affected: MT8768 Affected: MT8786 Affected: MT8796 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-20414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T04:55:36.127693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:37.676Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MediaTek chipset",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "MT6897"
},
{
"status": "affected",
"version": "MT6989"
},
{
"status": "affected",
"version": "MT8196"
},
{
"status": "affected",
"version": "MT8678"
},
{
"status": "affected",
"version": "MT8766"
},
{
"status": "affected",
"version": "MT8768"
},
{
"status": "affected",
"version": "MT8786"
},
{
"status": "affected",
"version": "MT8796"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T13:03:14.355Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/February-2026"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2026-20414",
"datePublished": "2026-02-02T08:15:09.845Z",
"dateReserved": "2025-11-03T01:30:59.009Z",
"dateUpdated": "2026-03-30T13:03:14.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Strategy: Language Selection
Description:
- Choose a language that provides automatic memory management.
Mitigation
Phase: Implementation
Strategy: Attack Surface Reduction
Description:
- When freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
No CAPEC attack patterns related to this CWE.