Export limit exceeded: 363079 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (8131 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-40323 1 Linux 1 Linux Kernel 2026-04-20 7.0 High
In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0. Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.
CVE-2025-62472 1 Microsoft 23 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 20 more 2026-04-20 7.8 High
Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
CVE-2025-62573 1 Microsoft 18 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 15 more 2026-04-20 7 High
Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
CVE-2025-62553 1 Microsoft 10 365 Apps, Excel, Excel 2016 and 7 more 2026-04-20 7.8 High
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62563 1 Microsoft 11 365 Apps, Excel, Excel 2016 and 8 more 2026-04-20 7.8 High
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2025-62555 1 Microsoft 13 365 Apps, Office, Office 2019 and 10 more 2026-04-20 7 High
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-37778 2 Debian, Linux 2 Debian Linux, Linux Kernel 2026-04-20 7.8 High
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix dangling pointer in krb_authenticate krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be accessing free'd memory when it later uses sess->user.
CVE-2025-62558 1 Microsoft 13 365 Apps, Office, Office 2019 and 10 more 2026-04-20 7.8 High
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-62559 1 Microsoft 13 365 Apps, Office, Office 2019 and 10 more 2026-04-20 7.8 High
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2025-62569 1 Microsoft 7 Windows 11 24h2, Windows 11 24h2, Windows 11 25h2 and 4 more 2026-04-20 7 High
Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.
CVE-2026-24678 1 Freerdp 1 Freerdp 2026-04-18 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.
CVE-2026-20971 1 Samsung 3 Android, Mobile, Mobile Devices 2026-04-18 7.8 High
Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code.
CVE-2026-22856 1 Freerdp 1 Freerdp 2026-04-18 8.1 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
CVE-2026-21921 2 Juniper, Juniper Networks 4 Junos, Junos Os Evolved, Junos Os and 1 more 2026-04-18 6.5 Medium
A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects:  Junos OS:  * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO.
CVE-2026-23048 1 Linux 1 Linux Kernel 2026-04-18 7.0 High
In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue.
CVE-2026-22857 1 Freerdp 1 Freerdp 2026-04-18 9.8 Critical
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
CVE-2026-1144 1 Quickjs-ng 1 Quickjs 2026-04-18 6.3 Medium
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
CVE-2026-24676 1 Freerdp 1 Freerdp 2026-04-18 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in 3.22.0.
CVE-2026-24680 1 Freerdp 1 Freerdp 2026-04-18 7.5 High
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0.
CVE-2026-2313 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-18 8.8 High
Use after free in CSS in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)